Kaspersky
Solved

Possible to manage Application launch in Application Control based on CARO malware-naming scheme?

  • 27 November 2020
  • 2 replies
  • 230 views

Hello,

We’re looking to explicitly block Mimikatz from installing/running on our machines. Mimikatz is a pentesting tool capable of pulling passwords and hashes from system memory, and could be used for nefarious purposes.

I’d like to think that Kaspersky would immediately flag/delete the installation of such a tool, but in the event that it does not, is it possible to block it at the Application Control level using the CARO malware naming scheme? For example, Mimikatz is designated as HackTool:Win32/Mimikatz.PTT. Is there a way to target this through Kaspersky?

Otherwise I’m assuming I’ll need to add each file in Mimikatz to the Untrusted group in HIP and/or add any executable files to Application Control blacklist.

Thoughts?

icon

Best answer by Demiad 27 November 2020, 20:13

I have “HEUR:Trojan-PSW.Win32.Mimikatz.gen” detected in Mimikatz files in archive:
github.com .... /mimikatz_trunk.zip

Do you have that version of Mimikatz?

 

Today, 11/27/2020 9:43:07
Event :    Malicious object detected
User :    xxx\User
User type :    Initiator
Application name :    WinRAR.exe
Application path :    C:\Program Files\WinRAR
Component :    File Threat Protection
Result description :    Detected
Type :    Trojan program
Name :    HEUR:Trojan-PSW.Win32.Mimikatz.gen
Precision :    Heuristic Analysis
Threat level :    High
Object type :    File
Object name :    mimidrv.sys
Object path :    C:\Users\User\Downloads\mimikatz_trunk\Win32
SHA256 :    D032001EAB6CAD4FBEF19AAB418650DED00152143BD14507E17D62748297C23F
MD5 :    F838F4EB36F1E7036238776C7A70F0B0
Reason :    Machine learning
Databases release date :    Today, 11/27/2020 7:17:00 AM

 

 

View original

This topic has been closed for comments

2 replies

Userlevel 7
Badge +5

I have “HEUR:Trojan-PSW.Win32.Mimikatz.gen” detected in Mimikatz files in archive:
github.com .... /mimikatz_trunk.zip

Do you have that version of Mimikatz?

 

Today, 11/27/2020 9:43:07
Event :    Malicious object detected
User :    xxx\User
User type :    Initiator
Application name :    WinRAR.exe
Application path :    C:\Program Files\WinRAR
Component :    File Threat Protection
Result description :    Detected
Type :    Trojan program
Name :    HEUR:Trojan-PSW.Win32.Mimikatz.gen
Precision :    Heuristic Analysis
Threat level :    High
Object type :    File
Object name :    mimidrv.sys
Object path :    C:\Users\User\Downloads\mimikatz_trunk\Win32
SHA256 :    D032001EAB6CAD4FBEF19AAB418650DED00152143BD14507E17D62748297C23F
MD5 :    F838F4EB36F1E7036238776C7A70F0B0
Reason :    Machine learning
Databases release date :    Today, 11/27/2020 7:17:00 AM

 

 

Hey Demiad,

I appreciate you looking into this. To be honest I have to confess that I didn’t test mimikatz ahead of time. I was under the impression that I might need to block it myself manually. I just tested and confirmed that Kaspersky catches it automatically. Sorry for the trouble.

Thanks again.