Insecure service configuration - Antivirus
Description
It is possible to evade antivirus signatures to upload and use hacking tools that are commonly detected by any antivirus by recompiling the binaries and source code of the tools and using obfuscation. This would allow an attacker to get information in memory, perform attacks on the Kerberos service or the organizations network, among others.
Impact
- Evade the organizations security controls to install malicious software.
- Exfiltrate data.
- Compromise data integrity.
- Affect server availability.
Recommendation
- Use on-disk monitoring systems to detect the use of malicious tools.
- Update detection and intelligence tools periodically.
Threat
Internal attacker in the network.
Expected Remediation Time
⌚ 60 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the src.
Base
- Attack vector: A
- Attack complexity: L
- Privileges required: L
- User interaction: N
- Scope: U
- Confidentiality: L
- Integrity: H
- Availability: L
Temporal
- Exploit code maturity: F
- Remediation level: X
- Report confidence: X
Result
- Vector string: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:F/RL:X/RC:X
- Score:
- Base: 6.8
- Temporal: 6.6
- Severity:
- Base: Medium
- Temporal: Medium
Score 4.0
Default score using CVSS 4.0 . It may change depending on the context of the src.
Base 4.0
- Attack vector: A
- Attack complexity: L
- Attack Requirements: N
- Privileges required: L
- User interaction: N
- Confidentiality (VC): L
- Integrity (VI): H
- Availability (VA): L
- Confidentiality (SC): N
- Integrity (SI): N
- Availability (SA): N
Threat 4.0
- Exploit maturity: A
Result 4.0
- Vector string: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:A
- Score:
- CVSS-BT: 7.0
- Severity:
- CVSS-BT: High
Compliant code
Every resource in the network has monitoring systems and antivirus correctly setup.
hosts: localhost
vars:
host: "192.168.122.40"
username: "admin"
password: ""
vdom: "root"
tasks:
- name: Configure AntiVirus profiles.
app_antivirus_profile:
host: "{{ host }}"
username: "{{ username }}"
password: "{{ password }}"
vdom: "{{ vdom }}"
antivirus_profile:
state: "present"
analytics-bl-filetype: "3 (source dlp.filepattern.id)"
analytics-db: "disable"
analytics-max-upload: "5"
analytics-wl-filetype: "6 (source dlp.filepattern.id)"
av-block-log: "enable"
av-virus-log: "enable"
content-disarm:...
extended-log: "enable"
ftgd-analytics: "disable"
ftp:...
http:
archive-block: "encrypted"
archive-log: "encrypted"
emulator: "enable"
options: "scan"
outbreak-prevention: "enabled"
inspection-mode: "proxy"
smb:...
smtp:...
Non compliant code
Some anti virus tools in the network are not up to date or poorly configured
hosts: localhost
vars:
host: "192.168.122.40"
username: "admin"
password: "mypassword"
vdom: "root"
tasks:
- name: Configure AntiVirus profiles.
app_antivirus_profile:
host: "{{ host }}"
username: "{{ username }}"
password: "{{ password }}"
vdom: "{{ vdom }}"
antivirus_profile:
state: "present"
analytics-max-upload: "5"
av-virus-log: "disable"
extended-log: "enable"
ftgd-analytics: "disable"
http:
emulator: "enable"
options: "scan"
outbreak-prevention: "disabled"
inspection-mode: "proxy"
Requirements
Fixes
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.