Crowdstrike identifying this module as malicious #14
Comments
This is a good data point. Unfortunately this is also marked as malicious by Windows Defender. The main problem stems from the PSReflect module that it is based on. While PSReflect itself is not malicious, it was mainly created/used for malicious purposes in its infancy. While Microsoft did address many of the underlying issues, they and other AV vendors also attacked the symptom (the ability to call arbitrary APIs from PowerShell in memory).
On Tue, Aug 13, 2019 at 3:29 PM Coruscate5 wrote:
See title - I'm working with our AV folks, but these sorts of things tend to have a cascading effect on AV groupthink (e.g. rep heuristics, partner ID of PUPs), might want to start a convo w CS
Thanks for the info - I suppose then it is limited to language, or some other matching, since I am able to replicate the same functionality from Python (using ctypes) with no issues. This is unfortunate, as PowerShell in a Windows env is more reliable/ubiquitous than Python.
I also had to disable Windows Defender to play with this module. As a motivating example, I'd love to build on top of PSReflect-Functions a module to work with NTFS xattr, but since Windows Defender marks it, there is no point in building such a module. Nobody would be able to use it. So at the moment, it looks like the only reasonable way is to re-write all the pinvoke by hand, but that's a non-trivial amount of work. @LeeHolmes is there some clever way to solve this situation? 🤞
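The "re-write the pinvoke by hand" route mentioned above, shown as an added example that is not code from this thread or from the PSReflect-Functions project: a single Win32 call (kernel32!GetFileAttributesW) wrapped with Add-Type instead of PSReflect's in-memory reflection. The function name, the Win32.Kernel32Native type name and the choice of GetFileAttributesW as the target API are this example's own assumptions.

```powershell
# Added example (not from the PSReflect-Functions project or anyone in this thread):
# a hand-written P/Invoke wrapper for kernel32!GetFileAttributesW using Add-Type.

function Get-NativeFileAttributes {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # Compile the C# P/Invoke signature once per session. Add-Type errors out if the
    # type already exists, so probe for it first. 'Win32.Kernel32Native' is an
    # assumed name chosen for this example.
    if (-not ('Win32.Kernel32Native' -as [type])) {
        $signature = @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GetFileAttributesW(string lpFileName);
'@
        Add-Type -MemberDefinition $signature -Name 'Kernel32Native' -Namespace 'Win32' | Out-Null
    }

    # GetFileAttributesW signals failure with INVALID_FILE_ATTRIBUTES (0xFFFFFFFF).
    $INVALID_FILE_ATTRIBUTES = [uint32]0xFFFFFFFF
    $raw = [Win32.Kernel32Native]::GetFileAttributesW($Path)

    if ($raw -eq $INVALID_FILE_ATTRIBUTES) {
        # Read the Win32 error right away; any intervening call can overwrite it.
        $code = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $msg  = (New-Object System.ComponentModel.Win32Exception $code).Message
        throw "GetFileAttributesW failed for '$Path': $msg (Win32 error $code)"
    }

    # Translate the raw bit mask into the .NET enum so callers get readable flags.
    [pscustomobject]@{
        Path       = $Path
        RawValue   = $raw
        Attributes = [System.IO.FileAttributes][int]$raw
    }
}

# Usage: an existing directory, then a missing file to exercise the error path.
Get-NativeFileAttributes -Path $env:SystemRoot
try {
    Get-NativeFileAttributes -Path (Join-Path $env:SystemRoot 'this-file-does-not-exist.txt')
} catch {
    Write-Warning $_.Exception.Message
}
```

Two caveats a practitioner will hit with this approach. First, Add-Type compiles a real C# assembly; in Windows PowerShell 5.1 that goes through csc.exe and temporary files on disk, which is precisely the footprint PSReflect was written to avoid, and which some AV products also inspect. Second, the SetLastError/GetLastWin32Error pairing is fragile from script: PowerShell's own runtime work between the two statements can clobber the last-error value, so for anything beyond a demo, fetch the error inside the C# helper rather than from the script side.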
Yea this is a tough one. I typically use this module in non-production use cases like when I'm researching an attack technique and want more granular control over different API calls (rather than rely on a specific malware sample's implementation). However, it would be really nice for me to be able to use it in a production environment to do something like run a script to collect information during an investigation. Unfortunately many AV vendors err on the side of caution by determining that PSReflect is more often used for malicious purposes. To be fair to them this is probably the case, but not because PSReflect is innately malicious, but because red teamers and even real attackers have been more active in using its capabilities.
Curiously, I had no problem running PSReflect-Functions directly, but when I extracted a few lines of code for an experiment, Windows Defender dropped the hammer on me, complaining about
See title - I'm working with our AV folks, but these sorts of things tend to have a cascading effect on AV groupthink (e.g. rep heuristics, partner ID of PUPs), might want to start a convo w CS