{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/actors/xmrig/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Observed in multiple ransomware families","xmrig"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["endpoint","sc.exe","service_control","privilege_escalation","defense_evasion","ransomware"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies potentially malicious activity related to the excessive use of \u003ccode\u003esc.exe\u003c/code\u003e, the Windows Service Control Manager command-line utility. Observed in various ransomware campaigns and malware such as XMRig, adversaries leverage \u003ccode\u003esc.exe\u003c/code\u003e to create, modify, delete, or disable system services. These actions may target security applications to weaken defenses or be used for privilege escalation to gain elevated access. The detection logic analyzes process creation events for \u003ccode\u003esc.exe\u003c/code\u003e, identifies outliers in its execution frequency, and highlights potentially malicious instances that deviate significantly from established baselines. This activity warrants investigation as it often precedes or accompanies more severe malicious actions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: Adversary gains access to the target system through unspecified means (e.g., exploitation, compromised credentials).\u003c/li\u003e\n\u003cli\u003ePersistence: The adversary uses sc.exe to create a new service configured to execute a malicious payload upon system restart.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: sc.exe is used to disable or delete existing services, potentially including security software or logging mechanisms.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: A vulnerable service is identified or created, and sc.exe is used to modify its configuration, allowing the adversary to execute code with elevated privileges.\u003c/li\u003e\n\u003cli\u003eExecution: sc.exe is used to start the modified or newly created service, triggering the execution of the malicious payload.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The adversary uses sc.exe combined with other tools (e.g., PsExec, WMI) to manage services on other systems in the network, facilitating lateral movement.\u003c/li\u003e\n\u003cli\u003eImpact: Depending on the adversary's objective, the final impact could range from data exfiltration to system encryption (ransomware), achieved through services manipulated with sc.exe.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromise via excessive \u003ccode\u003esc.exe\u003c/code\u003e usage can lead to significant disruption, including disabling critical security controls, escalating privileges, and enabling lateral movement across a network. Successful exploitation often results in malware deployment, data theft, or ransomware encryption. While specific victim numbers are not detailed in the source, the targeted sectors typically include organizations vulnerable to ransomware attacks. The impact of a successful attack includes data loss, financial damage, and reputational harm.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (EventCode 1) to capture \u003ccode\u003esc.exe\u003c/code\u003e executions for detection using the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Excessive SC.exe Usage Detection\u0026quot; to your SIEM to detect anomalous \u003ccode\u003esc.exe\u003c/code\u003e activity and tune thresholds based on your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u0026quot;SC.exe Service Manipulation\u0026quot; to identify potential malicious service modifications.\u003c/li\u003e\n\u003cli\u003eFilter benign usage of \u003ccode\u003esc.exe\u003c/code\u003e using the \u0026quot;\u003ccode\u003eexcessive_usage_of_sc_service_utility_filter\u003c/code\u003e\u0026quot; macro, customizing it with known-good software that legitimately uses the utility.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-excessive-sc-usage/","summary":"Detection of anomalous usage of sc.exe, often abused by ransomware and malware to manipulate services for privilege escalation or disabling security measures.","title":"Excessive Usage of SC Service Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-excessive-sc-usage/"},{"_cs_actors":["Multiple threat actors (Azorult","AgentTesla","NjRAT","XMRig","Crypto Stealer","BlankGrabber Stealer)"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["taskkill","defense-evasion","windows"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief addresses the excessive use of \u003ccode\u003etaskkill.exe\u003c/code\u003e, a Windows command-line utility, by various threat actors to terminate processes on compromised systems. The observed behavior involves executing \u003ccode\u003etaskkill.exe\u003c/code\u003e more than ten times within a one-minute timeframe. This technique is employed to disable security software, terminate monitoring agents, and halt other critical processes that could hinder the attacker's objectives. The DFIR Report has documented similar tactics in SQL Server attacks, while Joe Sandbox analysis reveals the use of \u003ccode\u003etaskkill.exe\u003c/code\u003e in malicious payloads. Successful execution of this evasion tactic allows attackers to bypass security controls, maintain persistence, and potentially deploy further malicious payloads such as ransomware or data exfiltration tools. This behavior has been associated with multiple malware families including Azorult, AgentTesla, NjRAT, XMRig, Crypto Stealer and BlankGrabber Stealer.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved through various means, such as exploiting vulnerabilities or social engineering techniques. (TA0001)\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the system and executes malicious code, either directly or through a dropper. (TA0002)\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates running processes to identify security tools, monitoring agents, or other critical processes to disable (T1057).\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003etaskkill.exe\u003c/code\u003e with appropriate arguments to terminate the identified processes. (T1562.001)\u003c/li\u003e\n\u003cli\u003eThe attacker repeats the \u003ccode\u003etaskkill.exe\u003c/code\u003e command multiple times in a short period (more than 10 times within a minute) to ensure the targeted processes are terminated (T1562.001).\u003c/li\u003e\n\u003cli\u003eWith security tools disabled, the attacker proceeds to perform malicious activities, such as data exfiltration or lateral movement. (TA0007, TA0008)\u003c/li\u003e\n\u003cli\u003eThe attacker may install persistence mechanisms to maintain access to the compromised system, taking advantage of the disabled security controls. (TA0003)\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft, ransomware deployment, or disruption of services. (TA0040)\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack can lead to significant disruption and damage. Security tools being disabled results in the system becoming vulnerable to further attacks. Data exfiltration can lead to financial loss and reputational damage. Ransomware deployment can encrypt critical data, causing business interruption and financial loss. While exact victim numbers are unavailable, this technique is associated with multiple malware families, indicating widespread potential impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eExcessive Taskkill Execution Count\u003c/code\u003e to detect instances where \u003ccode\u003etaskkill.exe\u003c/code\u003e is executed excessively within a short timeframe.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring with command-line logging to capture the execution of \u003ccode\u003etaskkill.exe\u003c/code\u003e and its arguments, which is required for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u003ccode\u003eExcessive Taskkill Execution Count\u003c/code\u003e to determine the legitimacy of the \u003ccode\u003etaskkill.exe\u003c/code\u003e execution and identify potential malicious activity.\u003c/li\u003e\n\u003cli\u003eUse the provided Splunk search query to identify instances of excessive \u003ccode\u003etaskkill.exe\u003c/code\u003e usage in your environment and correlate with other security events to identify potential compromises.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of lateral movement if an attacker successfully disables security tools.\u003c/li\u003e\n\u003cli\u003eReview and harden endpoint security configurations to prevent attackers from easily disabling security tools.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-excessive-taskkill/","summary":"Adversaries use excessive calls to `taskkill.exe` (more than 10 times within a minute) to disable security tools or critical processes, evading detection and compromising systems.","title":"Excessive Taskkill Usage for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-03-excessive-taskkill/"}],"language":"en","title":"CraftedSignal Threat Feed - XMRig","version":"https://jsonfeed.org/version/1.1"}