<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AgentTesla - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/actors/agenttesla/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/actors/agenttesla/feed.xml" rel="self" type="application/rss+xml"/><item><title>Excessive Taskkill Usage for Defense Evasion</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-excessive-taskkill/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-excessive-taskkill/</guid><description>Adversaries use excessive calls to `taskkill.exe` (more than 10 times within a minute) to disable security tools or critical processes, evading detection and compromising systems.</description><content:encoded><![CDATA[<p>This threat brief addresses the excessive use of <code>taskkill.exe</code>, a Windows command-line utility, by various threat actors to terminate processes on compromised systems. The observed behavior involves executing <code>taskkill.exe</code> more than ten times within a one-minute timeframe. This technique is employed to disable security software, terminate monitoring agents, and halt other critical processes that could hinder the attacker's objectives. The DFIR Report has documented similar tactics in SQL Server attacks, while Joe Sandbox analysis reveals the use of <code>taskkill.exe</code> in malicious payloads. Successful execution of this evasion tactic allows attackers to bypass security controls, maintain persistence, and potentially deploy further malicious payloads such as ransomware or data exfiltration tools. This behavior has been associated with multiple malware families including Azorult, AgentTesla, NjRAT, XMRig, Crypto Stealer and BlankGrabber Stealer.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial access is achieved through various means, such as exploiting vulnerabilities or social engineering techniques. (TA0001)</li>
<li>The attacker gains a foothold on the system and executes malicious code, either directly or through a dropper. (TA0002)</li>
<li>The attacker enumerates running processes to identify security tools, monitoring agents, or other critical processes to disable (T1057).</li>
<li>The attacker uses <code>taskkill.exe</code> with appropriate arguments to terminate the identified processes. (T1562.001)</li>
<li>The attacker repeats the <code>taskkill.exe</code> command multiple times in a short period (more than 10 times within a minute) to ensure the targeted processes are terminated (T1562.001).</li>
<li>With security tools disabled, the attacker proceeds to perform malicious activities, such as data exfiltration or lateral movement. (TA0007, TA0008)</li>
<li>The attacker may install persistence mechanisms to maintain access to the compromised system, taking advantage of the disabled security controls. (TA0003)</li>
<li>The attacker achieves their final objective, such as data theft, ransomware deployment, or disruption of services. (TA0040)</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful execution of this attack can lead to significant disruption and damage. Security tools being disabled results in the system becoming vulnerable to further attacks. Data exfiltration can lead to financial loss and reputational damage. Ransomware deployment can encrypt critical data, causing business interruption and financial loss. While exact victim numbers are unavailable, this technique is associated with multiple malware families, indicating widespread potential impact.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule <code>Excessive Taskkill Execution Count</code> to detect instances where <code>taskkill.exe</code> is executed excessively within a short timeframe.</li>
<li>Enable process monitoring with command-line logging to capture the execution of <code>taskkill.exe</code> and its arguments, which is required for the Sigma rule to function correctly.</li>
<li>Investigate any alerts generated by the Sigma rule <code>Excessive Taskkill Execution Count</code> to determine the legitimacy of the <code>taskkill.exe</code> execution and identify potential malicious activity.</li>
<li>Use the provided Splunk search query to identify instances of excessive <code>taskkill.exe</code> usage in your environment and correlate with other security events to identify potential compromises.</li>
<li>Implement network segmentation to limit the impact of lateral movement if an attacker successfully disables security tools.</li>
<li>Review and harden endpoint security configurations to prevent attackers from easily disabling security tools.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>taskkill</category><category>defense-evasion</category><category>windows</category></item></channel></rss>