CrowdStrike Falcon — CraftedSignal Threat Feed

Remote Desktop File Opened from Suspicious Path

hello@craftedsignal.io — Mon, 04 May 2026 14:17:05 +0000

Attackers are increasingly using malicious Remote Desktop Protocol (RDP) files to gain initial access to systems. These RDP files, often delivered via spearphishing attachments, contain connection settings that, when opened, can compromise a system. This technique allows adversaries to bypass traditional security measures by leveraging a legitimate tool (mstsc.exe) with a malicious configuration file. The observed activity involves opening RDP files from suspicious locations like Downloads, temporary folders (AppData\Local\Temp), and Outlook content cache (INetCache\Content.Outlook). This campaign has been observed as recently as October 2024, where Midnight Blizzard conducted large-scale spear-phishing using RDP files. Defenders should monitor for the execution of mstsc.exe with RDP files from untrusted locations.

Attack Chain

The attacker crafts a spearphishing email containing a malicious RDP file as an attachment.
The victim receives the email and, lured by social engineering, downloads the attached RDP file to a local directory, often the Downloads folder.
The victim double-clicks the RDP file, initiating the execution of mstsc.exe.
mstsc.exe reads the connection settings from the RDP file, which may include malicious configurations such as altered gateway settings or credential theft mechanisms.
mstsc.exe attempts to establish a remote desktop connection based on the RDP file’s settings.
If the connection is successful, the attacker gains unauthorized access to the remote system.
The attacker may then perform reconnaissance, move laterally, and escalate privileges within the compromised network.
The final objective could be data exfiltration, ransomware deployment, or establishing persistent access.

Impact

A successful attack using malicious RDP files can lead to unauthorized access to sensitive systems and data. The consequences range from data breaches and financial loss to complete system compromise and disruption of operations. The Microsoft Security blog reported a large-scale spear-phishing campaign utilizing RDP files as recently as October 2024. The targets may be across various sectors, with potentially widespread impact depending on the attacker’s objectives and the scope of the compromised network.

Recommendation

Deploy the Sigma rule Remote Desktop File Opened from Suspicious Path to your SIEM and tune for your environment, focusing on the specified file paths and mstsc.exe execution.
Enable process creation logging with command-line arguments to capture the execution of mstsc.exe and the paths of the RDP files being opened.
Educate users on the risks associated with opening RDP files from untrusted sources, particularly those received as email attachments.
Implement strict email filtering to block or quarantine emails with RDP attachments from external sources.
Monitor network connections for unusual RDP traffic originating from systems where suspicious RDP files were executed.

Netsh Helper DLL Persistence

hello@craftedsignal.io — Tue, 30 Jan 2024 12:00:00 +0000

The netsh.exe utility in Windows supports the addition of Helper DLLs to extend its functionality. An attacker can abuse this mechanism to establish persistence by adding a malicious DLL. When netsh.exe is executed, the malicious DLL is loaded and executed, allowing the attacker to run arbitrary code with the privileges of the user or process that initiated netsh.exe. This can be done by administrators or scheduled tasks, making it a stealthy and effective persistence technique. The registry key targeted by this technique is HKLM\Software\Microsoft\netsh\.

Attack Chain

Attacker gains initial access to the target system through unspecified means.
Attacker creates a malicious DLL to be used as a Netsh Helper DLL.
Attacker modifies the Windows Registry to add the malicious DLL as a Netsh Helper DLL under HKLM\Software\Microsoft\netsh\.
The system administrator or a scheduled task executes netsh.exe.
netsh.exe loads and executes the malicious DLL, granting the attacker code execution.
The malicious DLL performs its intended actions, such as establishing a reverse shell or deploying additional malware.
The attacker maintains persistence on the system through the malicious Netsh Helper DLL.

Impact

Successful exploitation allows attackers to establish persistent access to a compromised system. This can lead to data theft, system compromise, and further malicious activities. While the risk score is low, the persistence mechanism can allow attackers to maintain a foothold for extended periods, increasing the potential for significant damage.

Recommendation

Monitor registry modifications under the HKLM\Software\Microsoft\netsh\ path for suspicious DLL additions using the “Netsh Helper DLL Registry Modification” Sigma rule.
Enable Sysmon registry event logging to collect the necessary data for the Sigma rule.
Investigate any alerts generated by the Sigma rule by reviewing the DLL file properties, timestamps, and related processes.

Windows Backup Deletion via Wbadmin

hello@craftedsignal.io — Wed, 03 Jan 2024 15:00:00 +0000

Attackers, including ransomware groups, often attempt to remove or impair an organization’s ability to recover from an attack. One method to achieve this is by deleting Windows backup catalogs and system state backups using the wbadmin.exe utility. Windows Server Backup stores details about backups (what volumes are backed up and where the backups are located) in a backup catalog. Removing these catalogs renders backups unusable for recovery, increasing the impact of the attack. This technique is frequently observed in ransomware playbooks and other destructive attacks targeting Windows environments. This activity can be detected using endpoint detection and response (EDR) solutions, Windows Security Event Logs, and Sysmon.

Attack Chain

The attacker gains initial access to the system via phishing, exploiting a vulnerability, or using compromised credentials.
The attacker escalates privileges to administrator level to execute wbadmin.exe.
The attacker executes wbadmin.exe with the delete catalog command to remove backup catalogs.
The attacker executes wbadmin.exe with the delete systemstatebackup command to remove system state backups.
The attacker may also delete shadow copies using vssadmin.exe or wmic.exe to further hinder recovery.
The attacker deploys ransomware or initiates other destructive actions.
The attacker encrypts or destroys data on the system and connected network shares.
The attacker demands a ransom payment for data recovery, which is complicated by the deleted backups.

Impact

Successful deletion of backup catalogs and system state backups significantly impairs an organization’s ability to recover from a ransomware attack or other destructive event. This can lead to prolonged downtime, data loss, and financial losses associated with incident response and recovery efforts. While the number of direct victims of this specific technique is difficult to quantify, the impact is typically observed in conjunction with broader ransomware campaigns affecting organizations across various sectors.

Recommendation

Enable Sysmon process creation logging with Event ID 1 to capture wbadmin.exe executions and activate the first Sigma rule.
Deploy the Sigma rules in this brief to your SIEM and tune for your environment.
Monitor Windows Security Event Logs for process creation events related to wbadmin.exe.
Investigate any instances of wbadmin.exe executing with delete arguments.
Review and harden account access controls to prevent unauthorized use of wbadmin.exe.

Suspicious Microsoft Antimalware Service Executable Execution

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This detection identifies suspicious execution of the Microsoft Antimalware Service Executable (MsMpEng.exe) from non-standard paths or renamed instances. Attackers may attempt to evade defenses through DLL side-loading or by masquerading as the antimalware process. This technique is used to blend in with legitimate system activity and avoid detection by security tools. This rule is designed to detect instances where MsMpEng.exe is executed from unexpected locations or has been renamed, potentially indicating malicious activity. The rule leverages process monitoring data to identify deviations from the expected execution patterns of the antimalware service. This behavior has been seen associated with ransomware attacks, such as REvil.

Attack Chain

An attacker gains initial access to the system, potentially through phishing or exploiting a vulnerability.
The attacker drops a malicious payload onto the system, placing it in a non-standard directory, such as a temporary folder or a user’s profile directory.
The attacker renames or copies the legitimate MsMpEng.exe to the malicious payload’s location.
The attacker executes the renamed or copied MsMpEng.exe from the non-standard location. This is intended to mimic legitimate activity and evade detection.
The malicious MsMpEng.exe then loads a malicious DLL through DLL side-loading, which executes arbitrary code within the context of the antimalware process.
The malicious code performs actions such as disabling security controls, escalating privileges, or establishing persistence.
The attacker leverages the compromised system to move laterally within the network, compromising additional systems.
The attacker achieves their final objective, such as data exfiltration or ransomware deployment.

Impact

Successful exploitation can lead to complete system compromise, including the disabling of security controls, data theft, and ransomware deployment. This can result in significant financial losses, reputational damage, and disruption of business operations. Identifying and responding to this type of attack is critical to prevent further damage. The Sophos article references the REvil ransomware attack which impacted hundreds of businesses.

Recommendation

Enable Sysmon process creation logging (Event ID 1) to capture process execution events, including image path and command-line arguments, which are essential for detecting this behavior.
Deploy the Sigma rules provided in this brief to your SIEM to detect suspicious MsMpEng.exe execution from unusual paths or renamed instances.
Investigate any alerts generated by these rules to determine the legitimacy of the MsMpEng.exe execution and identify any potential malicious activity.
Monitor process execution events for instances where the process name is “MsMpEng.exe” but the executable path is outside the standard Windows Defender or Microsoft Security Client directories.
Review the references provided for additional context and guidance on investigating this type of activity.

Persistence via WMI Event Subscription

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Windows Management Instrumentation (WMI) provides a powerful framework for managing Windows systems, but adversaries can abuse its capabilities to establish persistence. By creating WMI event subscriptions, attackers can execute arbitrary code in response to defined system events. This technique involves creating event filters, providers, consumers, and bindings that automatically run malicious code. This can be achieved through tools like wmic.exe, which allows the creation of event consumers such as ActiveScriptEventConsumer or CommandLineEventConsumer. Successful exploitation of WMI for persistence allows attackers to maintain unauthorized access to a compromised system, even after reboots or other system changes. This activity has been observed across various environments, highlighting the need for robust detection mechanisms to identify and prevent WMI-based persistence.

Attack Chain

An attacker gains initial access to a Windows system through unspecified means.
The attacker uses wmic.exe to create a WMI event filter that defines a specific event to monitor.
A WMI event consumer, such as ActiveScriptEventConsumer or CommandLineEventConsumer, is created using wmic.exe specifying the malicious code or script to execute when the event occurs.
A WMI binding is established between the event filter and the event consumer using wmic.exe, linking the event to the action.
The malicious WMI event subscription is activated, monitoring for the defined event.
When the specified event occurs, the WMI service triggers the execution of the associated malicious code or script through the event consumer.
The attacker gains persistent access to the system, as the WMI event subscription will re-activate after reboots.
The attacker can then perform additional malicious activities, such as lateral movement or data exfiltration.

Impact

Successful exploitation of WMI for persistence can allow an attacker to maintain long-term, unauthorized access to a compromised system. This can result in data theft, system compromise, and further malicious activities. While the exact number of victims is not specified in the source, the broad applicability of this technique means that many Windows systems are potentially at risk. If the attack succeeds, the attacker gains a foothold on the system that is difficult to detect and remove, which can lead to significant operational disruption and financial loss.

Recommendation

Enable process creation logging and monitor for wmic.exe with command-line arguments related to creating event consumers, specifically ActiveScriptEventConsumer or CommandLineEventConsumer, to trigger the Sigma rule “Detect Suspicious WMIC Process”.
Deploy the provided Sigma rule to your SIEM to detect suspicious WMI event subscription creation.
Review the investigation steps outlined in the provided documentation to triage and analyze potential WMI persistence attempts.
Monitor Windows Security Event Logs and Sysmon for events related to WMI activity for broader coverage.

Adding Hidden File Attribute via Attrib.exe

hello@craftedsignal.io — Wed, 03 Jan 2024 10:00:00 +0000

Attackers can add the ‘hidden’ attribute to files to hide them from the user in an attempt to evade detection. This technique involves using the attrib.exe utility to modify file attributes. By setting the hidden attribute, adversaries can conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it. This tactic is often employed post-compromise to maintain a stealthy presence within the target environment. Detection focuses on monitoring process executions that involve attrib.exe with command-line arguments indicating the modification of the hidden attribute. The rule is designed for data generated by Elastic Defend, CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs.

Attack Chain

Initial Access: An attacker gains initial access to a Windows system through various means such as exploiting a vulnerability or using stolen credentials.
Privilege Escalation: The attacker escalates privileges to gain the necessary permissions to execute system utilities.
Defense Evasion: The attacker uses attrib.exe to modify the hidden attribute of a malicious file or directory. For example, attrib.exe +h C:\path\to\malicious\file.exe.
Concealment: The malicious file or directory is now hidden from normal directory listings, making it harder for users and administrators to detect.
Persistence: The attacker establishes persistence by hiding malicious scripts or executables in startup directories or scheduled tasks.
Lateral Movement: The attacker uses the hidden files to move laterally within the network, potentially using them as part of a larger attack campaign.

Impact

The impact of this attack includes prolonged attacker presence, increased difficulty in detecting malicious activity, and potential data exfiltration or system compromise. While the risk score is relatively low, the technique contributes to a broader attack chain and can significantly hinder incident response efforts. A successful hiding of artifacts might lead to further compromise, data breaches, or ransomware deployment.

Recommendation

Deploy the Sigma rule “Adding Hidden File Attribute via Attrib” to your SIEM to detect suspicious usage of attrib.exe.
Enable process creation logging with command line monitoring in Windows environments to ensure the Sigma rule can capture relevant events.
Investigate any alerts generated by the Sigma rule, focusing on the parent processes and target files to determine if the activity is legitimate.
Correlate detections of attrib.exe with other suspicious activities or alerts on the same host.
Implement file integrity monitoring to detect unauthorized changes to file attributes, including the hidden attribute.