Does anyone know about MITRE attacks?

Hi, I haven't been using a tool called CrowdInspect for long; it inspects the processes running on the PC. This tool checks all the processes running on the PC against several databases grouped on a website called hybrid-analysis.com

The theory behind this is that the attacks it currently detects on computers are based on combined attack techniques, in what the website calls MITRE attacks (on the website you can see how many points make up an attack of this type); in other words, instead of relying on whether a given executable carries a trojan signature, it relies more on its behaviour.

It seems to me a very sound way of looking at the trojan problem. The thing is, it has detected that one of my system's processes, the one in charge of indexing, meets two points of this type of attack, as you can see at the following link.

https://hybrid-analysis.com/sample/ffbcf5f709e1e017eac64af5c9e232140fca2d1a02a64c1fffd965b1e5ab842f

At the bottom it says that this process (SearchFilterHost.exe) is using a network scanning service and a network configuration scanning system. Isn't that a bit suspicious? How could I fix it? I don't think it's the executable itself, but rather something that makes the executable behave that way. Any suggestions? Thanks.

Below I paste what CrowdInspect says about the process.

Process: C:\Windows\System32\SearchFilterHost.exe

SHA256: ffbcf5f709e1e017eac64af5c9e232140fca2d1a02a64c1fffd965b1e5ab842f

Link: Free Automated Malware Analysis Service - powered by Falcon Sandbox

Explanation of rating: A verdict of “malicious” was seen giving a rating of HIGH

JSON response:

{"response_code":0,"response":[{"sha256":"ffbcf5f709e1e017eac64af5c9e232140fca2d1a02a64c1fffd965b1e5ab842f","environmentDescription":"Static Analysis","isurlanalysis":false,"md5":"1b3706231f1003b03717691c5afcd361","sha1":"7cdd324302c3e568cdd1e187e1ec51cefa2662df","sha512":"d3dc86424ff4c047da73b3a8c04d132582930dfdc2c746961cbdc46e7f1bfda2294d82719f8df1003f667c12bca7805f40f72f3a8809e39bd10dde42121887b0","size":272384,"state":"SUCCESS","submitname":"file","type":"PE32+ executable (console) x86-64, for MS Windows","type_short":["peexe","64bits","executable"],"without_sandbox_analysis":true,"error_type":null,"error_origin":null,"submissions":[{"filename":"file","url":null,"created_at":"2020-11-05T10:02:11+00:00","submission_id":"5fa3cda39a784b26763c2815"}],"analysis_start_time":"2020-11-05T10:02:11+00:00","threatlevel":2,"verdict":"malicious","verdict_threatscore":0,"isinteresting":false,"certificates":[],"avdetect":0,"vxfamily":"","domains":[],"hosts":[],"total_network_connections":0,"total_processes":0,"total_signatures":0,"classification_tags":[]},{"type":"PE32+ executable (console) x86-64, for MS Windows","type_short":["peexe","64bits","executable"],"state":"SUCCESS","size":272384,"md5":"1b3706231f1003b03717691c5afcd361","sha1":"7cdd324302c3e568cdd1e187e1ec51cefa2662df","sha256":"ffbcf5f709e1e017eac64af5c9e232140fca2d1a02a64c1fffd965b1e5ab842f","sha512":"d3dc86424ff4c047da73b3a8c04d132582930dfdc2c746961cbdc46e7f1bfda2294d82719f8df1003f667c12bca7805f40f72f3a8809e39bd10dde42121887b0","submitname":"SearchFilterHost.exe","isurlanalysis":false,"environmentId":"120","environmentDescription":"Windows 7 64 bit","classification_tags":[],"error":"","falconintel_mq":[{"clean_count":3,"malware_count":97,"pua_count":0,"querytime":35557,"reqid":"248f1aba-fa79-4fd8-5a9b-0cb799b7b279","reqtype":"search","tag":"string_314610c22491c5c4776a4e95d7edd739","unknown_count":0,"meta":{"search_term":"SearchFilterHost.pdb"},"resources":[{"family":"Agentsmall","label":"malware","filesize":79360,"filetype":"PE32","md5":"c30623fc523e65a71f3519581c73ebc0","sha1":"f68b927c0fc1dd0b10fece93f66c59f104403fd0","sha256":"03a920beb21dda690f3d3332cc2881197a0c5bcd51edd52ffb035aee92167c84","first_seen":1360713600},{"family":"Agentsmall","label":"malware","filesize":80896,"filetype":"PE32","md5":"04a8b23b7e074c6f548e21183f7a4946","sha1":"814974d123f6a55f28052fd92f5446d40dc4f8b2","sha256":"54c30658e35e79b8f6609f2518559e5c7d23392626e1856f2b3d12c7712a4a88","first_seen":1360713600},{"family":"Bladabindi","label":"malware","filesize":75578,"filetype":"PE32","md5":"d83baad97643f58e8d2a1a58edb697b8","sha1":"2582466e70a2f2ace4ee572bd6444a97a836b98c","sha256":"0937217529a6030539b50da1c9d4ae66ebcf250c44d50e458a49e7ff09eef842","first_seen":1518134400},{"family":"Bladabindi","label":"malware","filesize":73530,"filetype":"PE32","md5":"4d976ded4f955f2f45119b2296529d2b","sha1":"aaa0840eafa5951731ebbb6b7ad7f04e6d11121e","sha256":"887d44666cc019a8de92e95df7d325ce240e78ef7de5b43084dae0014b698d3a","first_seen":1518048000},{"family":"Expiro","label":"malware","filesize":495104,"filetype":"PE32","md5":"51b1e097cf99cf73f902f2d3ac9686e6","sha1":"8d3ae2a7c98d0143d485d291e6b14c64a56d9f8a","sha256":"97dc7657a482c5aec186d8bdfed9eb62440d0937c047d95723b47fe8559a8838","first_seen":1603152000},{"family":"Virut","label":"malware","filesize":113664,"filetype":"PE32","md5":"37ac51872bbf1a921afe24c5b10bed55","sha1":"656699a5caef38515de5b2ba887ab556c9f481d3","sha256":"17c0ac797b369a9d678d21f312db8381bbc437a9e5bd7d408d119cd5fd1833a8","first_seen":1603238400},{"family":"Virut","label":"malware","filesize":114176,"filetype":"PE32","md5":"2fa54d057e83e58f53ac9935a61750d8","sha1":"76fea348e2e45ff8c1771d73165824ba19d194c8","sha256":"de361163ed7da6ddc05543143caf00492680d6e82b13eb1f77809e64350ebef9","first_seen":1603238400},{"family":"Virut","label":"malware","filesize":111104,"filetype":"PE32","md5":"d741b45824dfc4fdb944a34e8ca2f57a","sha1":"9a4d7fbbacfe27ea32753fb86fd1db7bf1fd3efe","sha256":"f908ddf05d21ccb38836758bb4dab99eb3abe3a5acc3fe766f98ae8637646c05","first_seen":1603238400},{"family":"Virut","label":"malware","filesize":114176,"filetype":"PE32","md5":"8e048d63ab5fa5546e965de5e3117233","sha1":"e013d5136909adaf9583577769d299dc143a42cb","sha256":"978feb4d8f8a61476e24a0d976102618cb5b8e3881dec4befcb24be095be503d","first_seen":1602460800},{"label":"malware","filesize":112640,"filetype":"PE32","md5":"c205ab7310e5e76307a63d37ebeb2f13","sha1":"93032b21c040455785d0f4368e55dda3d80e12ea","sha256":"858bcf1dedf61cfa0c19d93ff216679b92890f70cf643ccf44b102665b06889e","first_seen":1603238400},{"label":"malware","filesize":161792,"filetype":"PE32","md5":"07a9dfc50af68924fea6072dc0aad075","sha1":"4fe6cddc2d47640f2782e19e14abbfcb1f1d17a1","sha256":"c4dbf25febc213429d193418bfe02d7998134ffb5a5240420e0f2583778d38eb","first_seen":1602115200},{"label":"clean","filesize":86528,"filetype":"PE32","md5":"a6cd6b3f71e13e2e45b727fb8a47ea87","sha1":"c662bb3da0dd5fdae9a7661226f13689786777fd","sha256":"4d84f6b03185da961543adfb927cbc17a1a9f216ac24e9a9228780ad7dd0222e","first_seen":1596672000},{"label":"malware","filesize":86528,"filetype":"PE32","md5":"23a96b0185fa19653de3ede94ba8c4ed","sha1":"c0321c815fb5daf00807b7436037353b21462506","sha256":"be5f3f6dc8872345b4803fd1607a5c4a0e67976083f4ffd45cdb2a57e677bc7d","first_seen":1588032000},{"label":"malware","filesize":86528,"filetype":"PE32","md5":"553f8203da4446b47afac7c8449d5122","sha1":"4d32c53ecefb667a4b60ec779959a6a63b2133cc","sha256":"0de3834e872a5d48479a215eb30ad9378a300ca4df211bad210c57f149d2dc58","first_seen":1557360000},{"label":"malware","filesize":86528,"filetype":"PE32","md5":"a50796863dcafc26213f550061b483c7","sha1":"6fa1ffafc4459370c293fd2e5ee0361cba9f2042","sha256":"f5dadf6de2db0e5d6e6e98d4e9f46ef9422eab9a68548f7aec1210ab50baead6","first_seen":1557187200},{"label":"malware","filesize":86528,"filetype":"PE32","md5":"da1e88873c94863641c5594496aa9637","sha1":"9d3bc1d129a9e870789c01239ce0cd7b3dc01d1e","sha256":"1362188b1f1df704e8c89785061dd1256ebb7c54b6e6ec28806d226aafbca5de","first_seen":1541376000},{"label":"malware","filesize":86528,"filetype":"PE32","md5":"ab9892768d4bc1e94f0bc3d7e745e581","sha1":"16cfa664308105157bdc3d66a547ed4baad63ebd","sha256":"dde7336e36385b2753a37f712e3146354df6921d08f83d4f2433b6cff5642b24","first_seen":1541376000},{"label":"malware","filesize":86528,"filetype":"PE32","md5":"bbab3a298629266c8a22711f2b08427e","sha1":"370baebbc3239f0b9fdbad475b77eb2f3cd7f769","sha256":"aecd9e4aabaca600e32ea103679463404b0523679a1a2542aebd97ad73ce19c2","first_seen":1540252800},{"label":"malware","filesize":86528,"filetype":"PE32","md5":"5b457861051e1be0c7485e99a43127a4","sha1":"123191ac5aacaceecc3cec4efbeb478d44bc2694","sha256":"33ee1d332fb56fcb569f113fdff6f3c1124234c24cf23e0e32c9d83ae99ca639","first_seen":1540166400}]}],"imphash":"25975932fe65b44ea2dd939dc008d453","ssdeep":"3072:TsZBSJaS2JnRUk7JlsIXO/aa+l+sg3JCG32sVPQp7d1ihk6kvtfGq0ev3U5WN:SBiaS2V/lxXiaPK2sVWorkR10efUK","targeturl":"","threatlevel":2,"verdict":"malicious","error_type":null,"error_origin":null,"submissions":[{"filename":"SearchFilterHost.exe","url":null,"created_at":"2020-12-31T01:04:56+00:00","submission_id":"5fed23b8596dc14f6738a076"},{"filename":"SearchFilterHost.exe","url":null,"created_at":"2020-10-29T21:57:30+00:00","submission_id":"5f9b3aca274b346cad3df651"}],"analysis_start_time":"2020-10-29 21:57:37","threatscore":61,"isinteresting":false,"certificates":[],"avdetect":0,"vxfamily":"Malware.Generic","domains":[],"hosts":[],"total_network_connections":0,"total_processes":0,"total_signatures":9,"mitre_metadata":{"Discovery":{"Network Service Scanning":{"identifier":"network-32","display_title":"Network Service Scanning","description":"Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.","attck_id":"T1046","capec_id":null,"back_link":"https://attack.mitre.org/techniques/T1046","tactics":["Discovery"],"permissions":["Administrator","SYSTEM","User"],"hiden":{"malicious":0,"suspicious":0,"informative":0},"identifiers":{"suspicious":[{"attckid":"T1046","identifier":"network-32","name":"Detected increased number of ARP broadcast requests (network device lookup)","relevance":"10","type":"suspicious","description":"Attempt to find devices in networks: \"169.254.198.29/32, 192.168.240.2/32, 192.168.241.168/32, 192.168.241.215/32, 192.168.241.230/32, 192.168.242.71/32, 192.168.242.218/32, 192.168.243.2/32, …\"","origin":"Network Traffic","allowed":true}]},"suspicious_identifiers_count":1},"System Network Configuration Discovery":{"identifier":"network-31","display_title":"System Network Configuration Discovery","description":"Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.","attck_id":"T1016","capec_id":"CAPEC-309","back_link":"https://attack.mitre.org/techniques/T1016","tactics":["Discovery"],"permissions":["User"],"hiden":{"malicious":0,"suspicious":0,"informative":0},"identifiers":{"malicious":[{"attckid":"T1016","capecid":"CAPEC-309","identifier":"network-31","name":"Detected a large number of ARP broadcast requests (network device lookup)","relevance":"10","type":"malicious","description":"Attempt to find devices in networks: \"169.254.36.184/32, 169.254.70.117/32, 169.254.109.176/32, 169.254.126.209/32, 169.254.198.29/32, 169.254.208.162/32, 192.168.240.2/32, 192.168.240.142/32, 192.168.241.58/32, 192.168.241.133/32, 192.168.241.168/32, 192.168.241.213/32, 192.168.241.215/32, 192.168.241.230/32, 192.168.242.71/32, 192.168.242.182/32, 192.168.242.218/32, 192.168.243.2/32, 192.168.243.42/32, 192.168.243.65/32\"","origin":"Network Traffic","allowed":true}]},"malicious_identifiers_count":1}}}}]}
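To see what the pasted report actually says, here is an added PowerShell example (not part of the original post, and not code from CrowdInspect or Hybrid Analysis) that parses a trimmed excerpt of that JSON response with ConvertFrom-Json and prints, per analysis entry, the verdict fields, the AV detection count, the string-reputation lookup, and each MITRE ATT&CK technique together with the sandbox signal that triggered it. The excerpt keeps the real values from the post but drops most of the "resources" list; the field layout is assumed from what is pasted above.

```powershell
# Added example: summarise the Hybrid Analysis JSON posted above.
# The here-string is a trimmed excerpt of that response (real values, most
# "resources" entries removed). Single-quoted here-string: no interpolation.
$json = @'
{"response_code":0,"response":[
 {"sha256":"ffbcf5f709e1e017eac64af5c9e232140fca2d1a02a64c1fffd965b1e5ab842f",
  "environmentDescription":"Static Analysis","without_sandbox_analysis":true,
  "verdict":"malicious","threatlevel":2,"verdict_threatscore":0,
  "avdetect":0,"certificates":[],"total_signatures":0},
 {"sha256":"ffbcf5f709e1e017eac64af5c9e232140fca2d1a02a64c1fffd965b1e5ab842f",
  "submitname":"SearchFilterHost.exe","environmentDescription":"Windows 7 64 bit",
  "verdict":"malicious","threatlevel":2,"threatscore":61,"vxfamily":"Malware.Generic",
  "avdetect":0,"certificates":[],"total_network_connections":0,"total_processes":0,
  "total_signatures":9,
  "falconintel_mq":[{"clean_count":3,"malware_count":97,"pua_count":0,"unknown_count":0,
                     "reqtype":"search","meta":{"search_term":"SearchFilterHost.pdb"}}],
  "mitre_metadata":{"Discovery":{
    "Network Service Scanning":{"attck_id":"T1046",
      "back_link":"https://attack.mitre.org/techniques/T1046",
      "identifiers":{"suspicious":[{"attckid":"T1046","identifier":"network-32",
        "name":"Detected increased number of ARP broadcast requests (network device lookup)",
        "relevance":"10","type":"suspicious","origin":"Network Traffic"}]}},
    "System Network Configuration Discovery":{"attck_id":"T1016",
      "back_link":"https://attack.mitre.org/techniques/T1016",
      "identifiers":{"malicious":[{"attckid":"T1016","identifier":"network-31",
        "name":"Detected a large number of ARP broadcast requests (network device lookup)",
        "relevance":"10","type":"malicious","origin":"Network Traffic"}]}}}}}
]}
'@

$report = $json | ConvertFrom-Json

foreach ($r in $report.response) {
    Write-Host ("== {0}: verdict={1} threatlevel={2} avdetect={3} certificates={4} signatures={5}" -f
        $r.environmentDescription, $r.verdict, $r.threatlevel, $r.avdetect,
        $r.certificates.Count, $r.total_signatures)

    # falconintel_mq is a reputation lookup for a *string* (here the PDB name),
    # so the counts describe other files containing that string, not this hash.
    foreach ($q in $r.falconintel_mq) {
        Write-Host ("   string search '{0}': {1} malware / {2} clean / {3} PUA samples" -f
            $q.meta.search_term, $q.malware_count, $q.clean_count, $q.pua_count)
    }

    # mitre_metadata is nested: tactic -> technique -> identifiers -> severity -> [signals]
    if (-not $r.mitre_metadata) { continue }
    foreach ($tactic in $r.mitre_metadata.PSObject.Properties) {
        foreach ($tech in $tactic.Value.PSObject.Properties) {
            $t = $tech.Value
            foreach ($sev in $t.identifiers.PSObject.Properties) {
                foreach ($sig in $sev.Value) {
                    Write-Host ("   [{0}] {1} ({2}) <- {3} [{4}, relevance {5}, origin: {6}]" -f
                        $tactic.Name, $tech.Name, $t.attck_id, $sig.name,
                        $sig.type, $sig.relevance, $sig.origin)
                }
            }
        }
    }
}
```

Run as-is in Windows PowerShell 5.1 or PowerShell 7. The output makes three things visible that the "malicious / HIGH" headline hides: avdetect is 0 in both entries and no certificate was recorded for the uploaded sample; the 97 "malware" hits come from a search for the string SearchFilterHost.pdb across other files, not from this file's hash; and both ATT&CK techniques (T1046, T1016) rest on a single sandbox observation, ARP broadcasts to find neighbouring hosts, which is the behaviour the original poster noticed at the bottom of the report.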

Hi @DavidWin10,

Go to C:\Windows\System32,

Look for SearchFilterHost.exe

Right-click that executable and choose Properties.

If the Digital Signatures tab shows Microsoft Corporation, that process is an original, legitimate Windows process

Regards!

1 like
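The same check from the command line, as an added PowerShell example (not part of the original answer): it reads the Authenticode signature that the Properties > Digital Signatures tab shows, and additionally compares the SHA256 of the file on disk with the hash CrowdInspect reported, so you know the report and the file you are looking at are the same object. The path and the reported hash are the ones from the thread; the Microsoft-subject check is an assumption about what a genuine system binary's signer looks like.

```powershell
# Added example: verify the on-disk SearchFilterHost.exe from PowerShell.
$path           = 'C:\Windows\System32\SearchFilterHost.exe'   # path from the thread
$reportedSha256 = 'ffbcf5f709e1e017eac64af5c9e232140fca2d1a02a64c1fffd965b1e5ab842f'  # from CrowdInspect

# 1. Authenticode signature. A genuine Windows binary validates (Status = Valid)
#    and the signer certificate subject names Microsoft. SignatureType tells you
#    whether the signature is embedded in the file or lives in a Windows catalog.
$sig = Get-AuthenticodeSignature -FilePath $path
"Status        : $($sig.Status)"
"StatusMessage : $($sig.StatusMessage)"
"SignatureType : $($sig.SignatureType)"
"Signer        : $($sig.SignerCertificate.Subject)"

# 2. Hash of the file actually on disk, compared with the value in the report.
$localSha256 = (Get-FileHash -Path $path -Algorithm SHA256).Hash.ToLower()
"Local SHA256  : $localSha256"
"Matches report: $($localSha256 -eq $reportedSha256)"

# 3. Combined result. Only a valid chain ending in a Microsoft subject counts;
#    a matching hash on its own proves nothing about who built the file.
$signedByMicrosoft = ($sig.Status -eq 'Valid') -and
                     ($sig.SignerCertificate.Subject -like '*Microsoft*')
if ($signedByMicrosoft) {
    "OK: file carries a valid Microsoft signature."
} else {
    "NOT verified: signature missing or not Microsoft's; treat the file as untrusted until checked further."
}
```

One caveat worth knowing when following the Properties-dialog route: the Digital Signatures tab only appears for files with an embedded signature, while many Windows system files are signed through a catalog instead, so a missing tab is not by itself evidence that the file is unsigned. Get-AuthenticodeSignature reports those as SignatureType Catalog, which is why the script above prints that field.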