Have fun planting virus signatures in strange places that touch remote disks somehow/somewhere.

Example:

Change your mail sig to:
X5O!P%@ap[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Or send it in a browser var, as a password (quickly find the sites that don't encrypt passwords), send to open syslogs, etc.

Then some AV actually delete/quarantine the file (weblogs, mailspool, {u,w}tmp etc.)!

What are your ideas?

Inspired by: sec.cs.tu-bs.de/pubs/2017-asia

@Mudge I'll actually be showing a hilarious Erlang trick with this at next week based on your initial bump of the post. Trust me, you'll plotz :>

@donb cool, please share with me earlier if you can.

Other off the top of the head tricks (some need a different sig):

Password: quarantine pw files that aren't encrypted

username: utmp/wtmp

syslog to local/remote: zorch certain logs based on log level etc.

Browser strings: logs

DNS additional records: local lookup caches

SMTP X-headers: mail files/spools

Anything across the net to bork IDSes running AV.

This is a gift that keeps on giving!

Other ideas?


@Mudge @cynicalsecurity a few years back said you can use it to catch files as they are being exfiltrated: twitter.com/cynicalsecurity/st


@Tanuki @Mudge yes, if you plant the EICAR string in files then when they cross the boundaries you can see them trigger even basic rules on ClamAV (i.e. use ClamAV purely as an exfiltration detection mechanism without the other rules).

It is similar in concept to CanaryTokens (canarytokens.org/).
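An added example (not code from this thread or any project; function and sample names are assumed) showing the defender's side of what the thread describes: a log-ingestion filter that redacts the canonical EICAR string (68 bytes, uppercase "AP") before a host AV can quarantine the log, also catching the percent-encoded form a browser variable arrives in, with the same scan doubling as the egress canary check from the last post.

```python
"""Handle the EICAR test signature as a defender: keep it out of logs and spools
that a host AV would quarantine, and reuse the scan as an egress canary check.
Added example with assumed names; not code from the thread or any project."""
import re
from dataclasses import dataclass
from urllib.parse import quote_from_bytes, unquote_to_bytes

# Canonical 68-byte EICAR test string (uppercase "AP"); AV flags any file holding it.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_RE = re.compile(re.escape(EICAR))
PLACEHOLDER = b"[EICAR-TEST-SIGNATURE-REDACTED]"

@dataclass(frozen=True)
class Hit:
    source: str   # log name, decoy file name or stream id the bytes came from
    offset: int   # byte offset of the signature in the form it was found in
    form: str     # "raw" or "urldecoded"

def scan(source: str, data: bytes) -> list[Hit]:
    """Find EICAR verbatim and after URL-decoding. The decoded pass matters because
    a percent-encoded query string is inert in the raw access log but becomes a
    live signature once a downstream tool (normaliser, export) decodes it."""
    hits = [Hit(source, m.start(), "raw") for m in EICAR_RE.finditer(data)]
    decoded = unquote_to_bytes(data)
    if decoded != data:  # only a second pass when decoding changed something
        hits += [Hit(source, m.start(), "urldecoded") for m in EICAR_RE.finditer(decoded)]
    return hits

def sanitize_log_line(source: str, line: bytes) -> tuple[bytes, list[Hit]]:
    """Ingestion filter: keep the event, redact the verbatim signature, report hits.
    Writing the line as-is lets a host AV quarantine the whole log file (the thread's
    failure mode); dropping the line hides the attempt. Encoded copies are reported,
    not rewritten, so the caller can decide how to treat that field."""
    hits = scan(source, line)
    return (EICAR_RE.sub(PLACEHOLDER, line) if hits else line), hits

# Constructed sample inputs (not real logs): a query-string drop, a login-name drop,
# a percent-encoded drop, and a clean line. The same scan() works as the boundary
# check for decoy files that carry the string, as the last post describes.
SAMPLES = {
    "access.log": b'203.0.113.7 - - [10/Oct/2017:13:55:36 +0000] "GET /?q=' + EICAR + b' HTTP/1.1" 200 512',
    "auth.log": b"Oct 10 13:55:40 host sshd[123]: Invalid user " + EICAR + b" from 203.0.113.7",
    "access-encoded.log": b'203.0.113.7 - - "GET /?q=' + quote_from_bytes(EICAR).encode() + b' HTTP/1.1" 200 512',
    "clean.log": b"Oct 10 13:55:41 host sshd[123]: Accepted publickey for alice from 203.0.113.8",
}

def demo() -> dict[str, tuple[bytes, list[Hit]]]:
    """Run every sample through the filter; callers inspect the returned hits."""
    return {name: sanitize_log_line(name, line) for name, line in SAMPLES.items()}
```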


The original server operated by the Mastodon gGmbH non-profit