{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.",
"feed_url":"https://feed.craftedsignal.io/products/acrobat-dc/",
"home_page_url":"https://feed.craftedsignal.io/",
"items":[
{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["EdgeWebView","Acrobat DC","AMP","Symantec Endpoint Protection","Malwarebytes Anti-Exploit"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cisco","Adobe","Symantec","Malwarebytes"],
"content_html":"\u003cp\u003eThis detection identifies suspicious process access events on Windows systems where a process attempts to access another process\u0026rsquo;s memory via direct system calls, bypassing standard Windows API calls. Endpoint security solutions often hook userland Windows APIs to detect malicious code execution. Attackers can evade these hooks by directly invoking syscalls, which are lower-level instructions that interact directly with the operating system kernel. The rule specifically looks for process access events (Sysmon Event ID 10) where the call trace does not originate from known Windows system DLLs like ntdll.dll, indicating a potential attempt to bypass security measures. The rule excludes certain legitimate applications, such as Malwarebytes Anti-Exploit, Cisco AMP, Microsoft EdgeWebView, and Adobe Acrobat DC, to reduce false positives. This technique is often employed by advanced malware and red teams to evade detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious process is executed on the system, either through user interaction or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe process attempts to gain access to another process\u0026rsquo;s memory space (Target Process).\u003c/li\u003e\n\u003cli\u003eInstead of using standard Windows API calls, the malicious process directly invokes system calls (syscalls) to access the target process\u0026rsquo;s memory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eCallTrace\u003c/code\u003e in the Sysmon event does not originate from expected system DLLs like \u003ccode\u003entdll.dll\u003c/code\u003e, \u003ccode\u003esysfer.dll\u003c/code\u003e, \u003ccode\u003ewow64cpu.dll\u003c/code\u003e, \u003ccode\u003ewow64win.dll\u003c/code\u003e, or \u003ccode\u003ewin32u.dll\u003c/code\u003e, indicating a direct syscall.\u003c/li\u003e\n\u003cli\u003eThe process might attempt to read sensitive information such as credentials, inject malicious code, or manipulate the target process\u0026rsquo;s behavior.\u003c/li\u003e\n\u003cli\u003eThe malicious process performs actions within the context of the target process, such as executing injected code or accessing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised process to achieve their objectives, such as data exfiltration, lateral movement, or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker cleans up any traces of their activity and attempts to maintain persistence on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of sensitive data, the injection of malicious code into legitimate processes, and the complete takeover of the affected system. This can result in data breaches, financial loss, and reputational damage. The impact is especially significant if the target process holds sensitive credentials, browser secrets, or has security-product context.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process access logging (Event ID 10) with call tracing and ingest the logs into your SIEM to activate the rules above (\u003ca href=\"https://ela.st/sysmon-event-10-setup\"\u003ehttps://ela.st/sysmon-event-10-setup\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM and tune them for your environment to detect direct syscall process access.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the \u003ccode\u003eSourceImage\u003c/code\u003e, \u003ccode\u003eTargetImage\u003c/code\u003e, \u003ccode\u003eGrantedAccess\u003c/code\u003e, and \u003ccode\u003eCallTrace\u003c/code\u003e fields in the Sysmon event to determine the legitimacy of the process access attempt.\u003c/li\u003e\n\u003cli\u003ePrioritize investigation of alerts where the target process is \u003ccode\u003elsass.exe\u003c/code\u003e or other security-sensitive processes.\u003c/li\u003e\n\u003cli\u003eImplement robust endpoint detection and response (EDR) solutions to detect and prevent malicious activity on endpoints.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious process creation events originating from the flagged processes.\u003c/li\u003e\n\u003c/ul\u003e\n",
"date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-direct-syscall-process-access/",
"summary":"Detects suspicious process access events where the call trace does not originate from known Windows system DLLs, indicating potential defense evasion by bypassing hooked APIs via direct syscalls.",
"title":"Suspicious Process Access via Direct System Call",
"url":"https://feed.craftedsignal.io/briefs/2024-01-direct-syscall-process-access/"},
{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Office","EdgeWebView","Acrobat DC"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","process-injection","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Adobe"],
"content_html":"\u003cp\u003eThis detection identifies potential process injection attempts, specifically process hollowing, by monitoring process creation events followed by memory access from unknown regions. The rule focuses on processes spawned by Microsoft Office applications (winword.exe, excel.exe, outlook.exe, powerpnt.exe), scripting engines (cscript.exe, wscript.exe, mshta.exe), and command-line tools (cmd.exe, powershell.exe, rundll32.exe, regsvr32.exe, wmic.exe, cmstp.exe, msxsl.exe). The logic looks for a spawned process by one of these applications/tools, followed by a process access event for an unknown memory region by the parent process, indicating a potential code injection attempt. Attackers use process injection to hide malicious activity within legitimate processes, evading detection and hindering forensic analysis. This technique is a common tactic used to establish persistence, escalate privileges, or execute malicious payloads.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user opens a malicious document or executes a script.\u003c/li\u003e\n\u003cli\u003eThe Microsoft Office application (e.g., winword.exe) or scripting engine (e.g., wscript.exe) starts as a parent process.\u003c/li\u003e\n\u003cli\u003eThe parent process creates a new child process (e.g., a legitimate system executable).\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into the newly created child process\u0026rsquo;s memory, often overwriting legitimate code sections.\u003c/li\u003e\n\u003cli\u003eThe parent process accesses the child process\u0026rsquo;s memory from an unknown code region, indicating the injected code. Sysmon Event ID 10 captures this access.\u003c/li\u003e\n\u003cli\u003eThe injected code executes within the context of the child process, performing malicious actions.\u003c/li\u003e\n\u003cli\u003eThese actions can include establishing persistence, downloading additional malware, or exfiltrating data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful process injection allows attackers to mask their malicious activities within legitimate processes, making detection and attribution significantly harder. This can lead to prolonged infections, data breaches, and system compromise. The impact can range from individual workstation compromise to widespread organizational damage, depending on the attacker\u0026rsquo;s objectives and the compromised system\u0026rsquo;s role. The rule mitigates risks associated with advanced persistent threats (APTs) and commodity malware using process injection for defense evasion.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Event ID 10 (Process Access) to collect the necessary telemetry for this detection (\u003ca href=\"https://ela.st/sysmon-event-1-setup\"\u003eSysmon Event ID 1 - Process Creation\u003c/a\u003e, \u003ca href=\"https://ela.st/sysmon-event-10-setup\"\u003eSysmon Event ID 10 - Process Access\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Process Creation CallTrace\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the process execution chain and potential malicious activities performed by the injected code.\u003c/li\u003e\n\u003cli\u003eConsider memory dumping the child process for further analysis, to examine if malicious code exists.\u003c/li\u003e\n\u003c/ul\u003e\n",
"date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-suspicious-process-calltrace/",
"summary":"The rule identifies suspicious process creation where a process is created and immediately accessed from an unknown memory code region by the same parent process, indicating a potential code injection attempt, specifically process hollowing, commonly targeting processes spawned by Microsoft Office applications, scripting engines, and command-line tools for defense evasion.",
"title":"Suspicious Process Creation Followed by Memory Access from Unknown Region",
"url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-process-calltrace/"}
],
"language":"en",
"title":"CraftedSignal Threat Feed — Acrobat DC",
"version":"https://jsonfeed.org/version/1.1"}