
Crowdstrike identifying this module as malicious #14

Open

Coruscate5 opened this issue Aug 13, 2019 · 5 comments

Comments

@Coruscate5

See title. I'm working with our AV folks, but these sorts of things tend to have a cascading effect on AV groupthink (e.g. reputation heuristics, partner identification of PUPs); you might want to start a conversation with CrowdStrike.

@jaredcatkinson
Owner

jaredcatkinson commented Aug 13, 2019 via email

@Coruscate5
Author

Thanks for the info. I suppose then it is limited to language, or some other matching, since I am able to replicate the same functionality from Python (using ctypes) with no issues.

This is unfortunate, as PowerShell in a Windows environment is more reliable/ubiquitous than Python.

@vors

vors commented Aug 13, 2019

I also had to disable Windows Defender to play with this module.

As a motivating example, I'd love to build, on top of PSReflect-Functions, a module to work with NTFS xattr, but since Windows Defender flags it, there is no point in building such a module. Nobody would be able to use it. So at the moment it looks like the only reasonable way is to rewrite all the P/Invoke by hand, but that's a non-trivial amount of work.

@LeeHolmes is there some clever way to solve this situation? 🤞
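For readers wondering what "rewriting the P/Invoke by hand" looks like in practice: the following is an added example, not code from the PSReflect-Functions project or from any participant in this thread. It enumerates NTFS alternate data streams (the "xattr" use case above) by declaring the kernel32 FindFirstStreamW/FindNextStreamW/FindClose signatures in a C# snippet compiled with Add-Type, rather than building them at runtime through PSReflect's Reflection.Emit machinery. The class name NtfsStreamNative, the function name Get-NtfsStream and the temp-file demo at the bottom are this example's own choices; it assumes Windows PowerShell 5.1 or later on an NTFS volume. Whether a given AV engine flags this variant is not something this thread establishes.

```powershell
# Added example (not from the PSReflect-Functions project): hand-written
# P/Invoke for NTFS alternate data streams, compiled via Add-Type.
$Source = @'
using System;
using System.Runtime.InteropServices;

public static class NtfsStreamNative
{
    // Mirrors WIN32_FIND_STREAM_DATA: LARGE_INTEGER StreamSize;
    // WCHAR cStreamName[MAX_PATH + 36]  (260 + 36 = 296 characters)
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct WIN32_FIND_STREAM_DATA
    {
        public long StreamSize;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 296)]
        public string cStreamName;
    }

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr FindFirstStreamW(
        string lpFileName,
        int InfoLevel,                        // FindStreamInfoStandard = 0
        out WIN32_FIND_STREAM_DATA lpFindStreamData,
        uint dwFlags);                        // reserved, must be 0

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool FindNextStreamW(
        IntPtr hFindStream,
        out WIN32_FIND_STREAM_DATA lpFindStreamData);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool FindClose(IntPtr hFindFile);
}
'@
Add-Type -TypeDefinition $Source

function Get-NtfsStream {
    # Returns one object per stream on the file, including the unnamed ::$DATA stream.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $data = New-Object NtfsStreamNative+WIN32_FIND_STREAM_DATA
    $h    = [NtfsStreamNative]::FindFirstStreamW($full, 0, [ref]$data, 0)
    $err  = [Runtime.InteropServices.Marshal]::GetLastWin32Error()

    if ($h.ToInt64() -eq -1) {                # INVALID_HANDLE_VALUE
        throw "FindFirstStreamW failed for '$full' (Win32 error $err)"
    }
    try {
        do {
            [pscustomobject]@{
                Path   = $full
                Stream = $data.cStreamName    # e.g. '::$DATA', ':Zone.Identifier:$DATA'
                Size   = $data.StreamSize
            }
        } while ([NtfsStreamNative]::FindNextStreamW($h, [ref]$data))
    }
    finally {
        [void][NtfsStreamNative]::FindClose($h)  # always release the search handle
    }
}

# Constructed demo input: a temp file carrying one alternate data stream.
$tmp = Join-Path $env:TEMP 'psreflect-ads-demo.txt'
Set-Content -LiteralPath $tmp -Value 'main stream'
Set-Content -LiteralPath $tmp -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
Get-NtfsStream -Path $tmp | Format-Table -AutoSize
Remove-Item -LiteralPath $tmp
```

The cost vors refers to is visible here: every structure layout and every signature has to be transcribed by hand, and a wrong SizeConst or calling convention fails silently or corrupts memory, which is exactly the tedium PSReflect's lookup tables were written to remove.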

@jaredcatkinson
Owner

Yeah, this is a tough one. I typically use this module in non-production use cases, like when I'm researching an attack technique and want more granular control over different API calls (rather than relying on a specific malware sample's implementation). However, it would be really nice for me to be able to use it in a production environment to do something like run a script to collect information during an investigation. Unfortunately, many AV vendors err on the side of caution by determining that PSReflect is more often used for malicious purposes. To be fair to them, this is probably the case, but not because PSReflect is innately malicious; rather, red teamers and even real attackers have been more active in using its capabilities.

@AltitudeApps

Curiously, I had no problem running PSReflect-Functions directly, but when I extracted a few lines of code for an experiment, Windows Defender dropped the hammer on me, complaining about Trojan:PowerShell/Mountsi.A!ml. This was easily remedied by "allowing" the threat, but now I have the spectre of "Mountsi" hanging over me indefinitely.


4 participants