I tried PrivaZer and I got the following notifications from OSA with Extreme Protection profile set:
Date/Time: 11/12/2021 2:24:04 AM
Process: [5248]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process MD5 Hash: 0689841A69F138E76C7639C15C77B527
Parent: [6412]C:\Windows\System32\cmd.exe
Rule: BlockPowerShellExecution
Rule Name: Block execution of Windows PowerShell
Command Line: powershell "wevtutil el | foreach { wevtutil cl $_ }"
Signer: <NULL>
Parent Signer: <NULL>
System File: True
Parent System File: True
Integrity Level: High
Parent Integrity Level: High
The above command uses powershell.exe and wevtutil to clean Windows events logs. However, also ransomware use this technique to remove their traces:
"In the Clop ransomware sample that was used in the Software AG case, there is something that if remember right, wasn't before: it uses wevtutil.exe to clear event logs..."
"To remove its(or its component’s) execution traces from the infected system, KillDisk uses the Windows event utility (wevtutil)"
https://www.mcafee.com/blogs/other-...zing-killdisk-ransomware-part-1-whitelisting/
"The adversary used PsExec to invoke the "wevtutil.exe" utility. This utility cleared the contents of local security event logs on systems."
WastedLocker Goes "Big-Game Hunting" in 2020
Would be better in my personal opinion if PrivaZer could use Windows APIs to do the job:
Windows Event Log Functions - Win32 apps
Event Logging Functions - Win32 apps
Date/Time: 11/12/2021 2:23:47 AM
Process: [4300]C:\Windows\System32\cacls.exe
Process MD5 Hash: AF3BC8CFE8C9AFE83781356CA9DD32AC
Parent: [7128]C:\Windows\System32\cmd.exe
Rule: BlockCaclsIcaclsExecution
Rule Name: Block execution of cacls\icacls\xcacls.exe
Command Line: cacls "C:\System Volume Information\Chkdsk" /E /G Dev:F
Signer: <NULL>
Parent Signer: <NULL>
System File: True
Parent System File: True
Integrity Level: High
Parent Integrity Level: High
The above command uses system process cacls.exe to gain access to "System Volume Information", but unfortunately this technique is also used by malware.
cacls.exe and xcacls.exe are other system processes commonly abused by malware and ransomware.
Date/Time: 11/12/2021 2:23:24 AM
Process: [796]C:\Windows\SysWOW64\taskkill.exe
Process MD5 Hash: A5189BE7FF73B8D69F20B7CC031F9990
Parent: [1440]C:\Windows\SysWOW64\cmd.exe
Rule: BlockTaskkillExecution
Rule Name: Block execution of taskkill.exe
Command Line: C:\Windows\\System32\TASKKILL.exe /F /IM SCserver.exe
Signer: <NULL>
Parent Signer: <NULL>
System File: True
Parent System File: True
Integrity Level: High
Parent Integrity Level: High
The above command uses system process taskkill.exe to kill/terminate scserver.exe process. Malware also use taskkill.exe to kill Antivirus processes and other processes like MSSQL server, etc.
The same can be done via Windows APIs, that would be better in my personal opinion since taskkill.exe is yet another system process abused by malware.
From my personal point of view, the execution of system processes should be drastically limited (if possible of course) since malware and ransowmare are known to abuse them heavily (see certutil.exe, powershell.exe, etc). Many companies tend to block/restrict the execution of many system processes to block infection chains of malware/ransomware/exploits. This is unfortunate, because yes we have system processes that can help do amazing things and automate things easily via command-line, but at the same time this is true also for malware, ransomware, etc.
A possible workaround for PrivaZer (and any other program) would be to directly execute the specific system processes so we know PrivaZer.exe is the parent process, example:
Instead of using cmd.exe -> taskkill.exe, it could be like PrivaZer.exe -> taskkill.exe, same is for cmd.exe -> cacls.exe that can be PrivaZer.exe -> cacls.exe
Regarding wevtutil.exe, it can be done in the same way with PrivaZer.exe as parent process and that covers all system events logs sections:
PrivaZer.exe -> wevtutil.exe clear-log application
PrivaZer.exe -> wevtutil.exe clear-log security
PrivaZer.exe -> wevtutil.exe clear-log setup
PrivaZer.exe -> wevtutil.exe clear-log system
In the above cases we can better write safe whitelist/exclusion rules by matching parent process PrivaZer.exe and parent signer Goversoft LLC.
www.wilderssecurity.com
