{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/cisco-talos/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","CISCO Talos"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","smb","file-transfer","windows"],"_cs_type":"threat","_cs_vendors":["Elastic","Cisco"],"content_html":"\u003cp\u003eThis detection rule identifies the potential transfer of malicious tools within a Windows environment using SMB shares. Attackers commonly leverage SMB shares to propagate malware, tools, or scripts to compromised systems for lateral movement. The rule focuses on detecting the creation or modification of executable files (e.g., .exe, .dll, .ps1) on network shares, which is a strong indicator of malicious activity. The rule leverages Elastic Defend data to detect this activity and can be used to identify systems that may be compromised. This technique is used to deploy additional payloads, credential dumpers, or other malicious tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies accessible SMB shares within the compromised environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to connect to a target SMB share (port 445) on another system.\u003c/li\u003e\n\u003cli\u003eThe attacker copies an executable file (e.g., malware, a credential dumping tool, or a PowerShell script) to the SMB share.\u003c/li\u003e\n\u003cli\u003eThe target system detects a new file creation or change event on the SMB share.\u003c/li\u003e\n\u003cli\u003eA user or process on the target system executes the transferred file.\u003c/li\u003e\n\u003cli\u003eThe executed file performs malicious actions on the target system, such as credential theft or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly compromised system to further expand their access within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to propagate malware or malicious tools throughout the network, leading to widespread compromise. Lateral movement enables attackers to access sensitive data, escalate privileges, and ultimately achieve their objectives, which may include data exfiltration, ransomware deployment, or system disruption. The rule aims to detect this activity early in the attack chain and mitigate potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious executable file creation/modification events on SMB shares.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend on all Windows endpoints to provide the necessary data for the detection rule to function.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rules, focusing on the process execution chain, file reputation, and user activity.\u003c/li\u003e\n\u003cli\u003eReview and restrict write access to network shares to minimize the risk of unauthorized file transfers.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to port 445 (SMB) for suspicious activity, especially connections originating from unusual source IPs (Sigma rule, log source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-lateral-tool-transfer-smb/","summary":"The rule identifies the creation or change of a Windows executable file over network shares, indicating potential lateral tool transfer via SMB, which adversaries may use to move tools between systems in a compromised environment.","title":"Potential Lateral Tool Transfer via SMB Share","url":"https://feed.craftedsignal.io/briefs/2024-01-lateral-tool-transfer-smb/"}],"language":"en","title":"CraftedSignal Threat Feed — CISCO Talos","version":"https://jsonfeed.org/version/1.1"}