Insecure service configuration - Antivirus
Description
Hacking tools that any antivirus normally flags can be made to evade signature-based detection by recompiling them from source and obfuscating the resulting binaries, so they no longer match the hashes and byte patterns the signatures were written for. An attacker who uploads such a rebuilt tool can then use it to read sensitive information from memory, attack the Kerberos service or the organization's network, among other things.
Impact
- Evade the organization's security controls to install malicious software.
- Exfiltrate data.
- Compromise data integrity.
- Affect server availability.
Recommendation
- Use endpoint monitoring that inspects files on disk and process behaviour, not only static signatures, to detect the use of malicious tools; a recompiled or obfuscated binary no longer matches the original hash.
- Update antivirus engines, signatures and threat-intelligence feeds periodically.
Threat
Internal attacker in the network.
Expected Remediation Time
⌚ minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the source.
Base
- Attack vector: A
- Attack complexity: L
- Privileges required: L
- User interaction: N
- Scope: U
- Confidentiality: L
- Integrity: H
- Availability: L
Temporal
- Exploit code maturity: F
- Remediation level: X
- Report confidence: X
Result
- Vector string: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:F/RL:X/RC:X
- Score:
- Base: 6.8
- Temporal: 6.6
- Severity:
- Base: Medium
- Temporal: Medium
Compliant code
Every resource in the network has monitoring systems and antivirus correctly set up. The playbook below configures a FortiOS antivirus profile with logging, emulation and outbreak prevention enabled and with unscannable (encrypted) archives blocked; the password is read from the environment rather than stored in the play.

```yaml
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    # Read the credential from the environment rather than storing it in the play.
    password: "{{ lookup('env', 'FORTIOS_PASSWORD') }}"
    vdom: "root"
  tasks:
    - name: Configure AntiVirus profiles.
      fortios_antivirus_profile:   # Fortinet's FortiOS module for antivirus profiles
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ password }}"
        vdom: "{{ vdom }}"
        antivirus_profile:
          state: "present"
          name: "av-default"   # profile name required by the module; chosen for this example
          analytics-bl-filetype: "3 (source dlp.filepattern.id)"
          analytics-db: "disable"
          analytics-max-upload: "5"
          analytics-wl-filetype: "6 (source dlp.filepattern.id)"
          av-block-log: "enable"   # log every blocked file
          av-virus-log: "enable"   # log every detection
          content-disarm: ...
          extended-log: "enable"
          ftgd-analytics: "disable"
          ftp: ...
          http:
            archive-block: "encrypted"   # block archives the engine cannot scan
            archive-log: "encrypted"
            emulator: "enable"
            options: "scan"              # scan and block; avmonitor alone only logs
            outbreak-prevention: "full-archive"   # accepted values: disabled, files, full-archive
          inspection-mode: "proxy"
          smb: ...
          smtp: ...
```
Non compliant code
Some antivirus tools in the network are out of date or poorly configured. In the playbook below detections are not logged, outbreak prevention is disabled, unscannable archives are not blocked, and the device password is hard-coded in the play.

```yaml
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    password: "mypassword"   # weak: credential stored in clear text in the play
    vdom: "root"
  tasks:
    - name: Configure AntiVirus profiles.
      fortios_antivirus_profile:   # Fortinet's FortiOS module for antivirus profiles
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ password }}"
        vdom: "{{ vdom }}"
        antivirus_profile:
          state: "present"
          name: "av-default"   # profile name required by the module; chosen for this example
          analytics-max-upload: "5"
          av-virus-log: "disable"   # weak: detections are not logged
          extended-log: "enable"
          ftgd-analytics: "disable"
          http:
            emulator: "enable"
            options: "scan"
            outbreak-prevention: "disabled"   # weak: FortiGuard outbreak prevention off
          inspection-mode: "proxy"
```
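The following audit script is an added example and is not part of the original page nor of Fortinet's tooling. It takes the `antivirus_profile` mapping of a `fortios_antivirus_profile` task (as a dict, for instance the result of `yaml.safe_load` on the playbook) together with the play's `vars`, and reports the weak settings the compliant and non-compliant playbooks above differ on: detection and block logging, per-protocol scan options, emulator, outbreak prevention, blocking of encrypted archives, and hard-coded or empty passwords. It goes beyond the page in one respect: keys are normalised so both the hyphenated names used above and the underscored names of the newer fortinet.fortios collection are accepted. The two embedded profiles are constructed to mirror the page; the `ftp`, `smtp` and `smb` sections of the compliant profile, which the page elides, are filled in with the same settings as `http` and the required-protocol list is an assumption of this example.

```python
"""Audit a FortiOS antivirus_profile definition for weak settings.

Added example, not from the page or Fortinet. Input is the already-loaded
`antivirus_profile` mapping of an Ansible fortios_antivirus_profile task.
"""
from typing import Any, Dict, List

# Protocols the audit insists on (assumption for this example, matching the
# sections the page's compliant profile configures).
REQUIRED_PROTOCOLS = ("http", "ftp", "smtp", "smb")

# FortiOS outbreak-prevention values that actually turn the feature on.
OUTBREAK_ON = ("files", "full-archive")


def _normalise(node: Any) -> Any:
    """Recursively rewrite mapping keys to lowercase snake_case so that the
    hyphenated 2.8-era keys and the underscored collection keys both work."""
    if isinstance(node, dict):
        return {str(k).replace("-", "_").lower(): _normalise(v) for k, v in node.items()}
    if isinstance(node, list):
        return [_normalise(v) for v in node]
    return node


def audit_av_profile(profile: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means the profile passes."""
    p = _normalise(profile)
    findings: List[str] = []

    # Without these logs a detection or block leaves no trace for the SOC.
    for key in ("av_virus_log", "av_block_log"):
        if p.get(key) != "enable":
            findings.append(f"{key.replace('_', '-')} is not 'enable': events will not be logged")

    for proto in REQUIRED_PROTOCOLS:
        section = p.get(proto)
        if not isinstance(section, dict):
            findings.append(f"{proto}: no scan settings, traffic passes unscanned")
            continue
        # 'options' is a space-separated multi-value field (scan, avmonitor, quarantine).
        options = str(section.get("options", "")).split()
        if "scan" not in options:
            findings.append(f"{proto}: options lacks 'scan' (avmonitor alone only logs)")
        if section.get("emulator") != "enable":
            findings.append(f"{proto}: emulator is not 'enable'")
        op = section.get("outbreak_prevention", "disabled")
        if op not in OUTBREAK_ON:
            findings.append(f"{proto}: outbreak-prevention is '{op}', expected one of {OUTBREAK_ON}")
        # An encrypted archive cannot be scanned; the compliant profile blocks it.
        if "encrypted" not in str(section.get("archive_block", "")).split():
            findings.append(f"{proto}: archive-block does not include 'encrypted'")
    return findings


def audit_play_vars(play_vars: Dict[str, Any]) -> List[str]:
    """Flag an empty password or a literal one that is not a Jinja lookup."""
    pw = play_vars.get("password")
    if pw is None or str(pw) == "":
        return ["password is empty"]
    if "{{" not in str(pw):
        return ["password is a hard-coded literal: use Ansible Vault or an env lookup"]
    return []


# Constructed sample data mirroring the page's two playbooks.
_SCAN = {"archive-block": "encrypted", "archive-log": "encrypted", "emulator": "enable",
         "options": "scan", "outbreak-prevention": "full-archive"}
COMPLIANT_PROFILE = {
    "state": "present", "av-block-log": "enable", "av-virus-log": "enable",
    "extended-log": "enable", "inspection-mode": "proxy",
    "http": dict(_SCAN), "ftp": dict(_SCAN), "smtp": dict(_SCAN), "smb": dict(_SCAN),
}
NON_COMPLIANT_PROFILE = {
    "state": "present", "av-virus-log": "disable", "extended-log": "enable",
    "inspection-mode": "proxy",
    "http": {"emulator": "enable", "options": "scan", "outbreak-prevention": "disabled"},
}
COMPLIANT_VARS = {"password": "{{ lookup('env', 'FORTIOS_PASSWORD') }}"}
NON_COMPLIANT_VARS = {"password": "mypassword"}

if __name__ == "__main__":
    for label, prof, pv in (("compliant", COMPLIANT_PROFILE, COMPLIANT_VARS),
                            ("non-compliant", NON_COMPLIANT_PROFILE, NON_COMPLIANT_VARS)):
        print(f"== {label}")
        for line in audit_av_profile(prof) + audit_play_vars(pv):
            print("  -", line)
```

Run against the non-compliant profile the script reports seven profile findings (both logs, the disabled outbreak prevention and missing archive block on `http`, and the three protocols with no scan settings) plus the hard-coded password; the compliant profile yields none.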
Requirements
Fixes