{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/crowdstrike/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","Sysmon","Crowdstrike","SentinelOne Cloud Funnel","Elastic Endgame"],"_cs_severities":["medium"],"_cs_tags":["powershell","malware","execution"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies the execution of PowerShell with suspicious argument values on Windows systems. This behavior is frequently associated with malware installation and other malicious activities. PowerShell is a powerful scripting language, and adversaries often exploit its capabilities to execute malicious scripts, download payloads, and obfuscate commands. The rule focuses on detecting patterns such as encoded commands, suspicious downloads (e.g., using WebClient or Invoke-WebRequest), and various obfuscation techniques used to evade detection. The rule is designed to work with various data sources, including Elastic Defend, Windows Security Event Logs, Sysmon, and third-party EDR solutions like CrowdStrike, Microsoft Defender XDR, and SentinelOne, enhancing its applicability across different environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell to download a malicious payload from a remote server using commands like \u003ccode\u003eDownloadFile\u003c/code\u003e or \u003ccode\u003eDownloadString\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is often encoded or obfuscated to evade detection. 
Common techniques include Base64 encoding, character manipulation, and compression.\u003c/li\u003e\n\u003cli\u003ePowerShell is then used to decode or deobfuscate the payload using methods like \u003ccode\u003e[Convert]::FromBase64String\u003c/code\u003e or \u003ccode\u003e[char[]](...) -join ''\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe deobfuscated payload is executed directly in memory using techniques like \u003ccode\u003eiex\u003c/code\u003e (Invoke-Expression) or \u003ccode\u003eReflection.Assembly.Load\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe executed payload performs malicious actions, such as installing malware, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker may use techniques like \u003ccode\u003eWebClient\u003c/code\u003e to download files from a remote URL.\u003c/li\u003e\n\u003cli\u003eCommands like \u003ccode\u003enslookup -q=txt\u003c/code\u003e are used for command and control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to malware installation, data theft, system compromise, and further propagation of the attack within the network. The detection of suspicious PowerShell arguments helps to identify and prevent these malicious activities before significant damage can occur. Without proper detection, attackers can maintain persistence, escalate privileges, and compromise sensitive data. 
The rule helps defenders identify and respond to these threats quickly, minimizing the impact of potential attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious PowerShell activity.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with command line arguments to ensure the necessary data is captured for the Sigma rules to function effectively.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules to determine the legitimacy of the PowerShell activity and take appropriate remediation steps.\u003c/li\u003e\n\u003cli\u003eContinuously tune the Sigma rules based on your environment to reduce false positives and improve detection accuracy.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-09-susp-powershell-args/","summary":"This rule identifies the execution of PowerShell with suspicious argument values, often observed during malware installation, by detecting unusual PowerShell arguments indicative of abuse, focusing on patterns like encoded commands, suspicious downloads, and obfuscation techniques.","title":"Suspicious Windows PowerShell Arguments Detected","url":"https://feed.craftedsignal.io/briefs/2024-09-susp-powershell-args/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike","SentinelOne Cloud Funnel","Sysmon","Windows Security Event Logs"],"_cs_severities":["medium"],"_cs_tags":["lolbas","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThe Windows command line debugging utility, cdb.exe, is a legitimate tool used for debugging applications. 
However, adversaries can exploit it to execute unauthorized commands or shellcode, bypassing security measures. This can be achieved by running cdb.exe from non-standard installation paths and using specific command-line arguments to execute malicious commands. The LOLBAS project documents this technique, highlighting its potential for defense evasion. This activity has been observed across various environments, necessitating detection strategies that focus on identifying anomalous executions of cdb.exe.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker copies cdb.exe to a non-standard location (outside \u0026ldquo;Program Files\u0026rdquo; and \u0026ldquo;Program Files (x86)\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker executes cdb.exe with the \u003ccode\u003e-cf\u003c/code\u003e, \u003ccode\u003e-c\u003c/code\u003e, or \u003ccode\u003e-pd\u003c/code\u003e command-line arguments.\u003c/li\u003e\n\u003cli\u003eThese arguments are used to specify a command file or execute a direct command.\u003c/li\u003e\n\u003cli\u003eThe command file or command directly executes malicious code, such as shellcode.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs actions such as creating new processes, modifying files, or establishing network connections.\u003c/li\u003e\n\u003cli\u003eThese actions allow the attacker to maintain persistence or escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is to evade defenses and execute arbitrary code on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows adversaries to execute arbitrary commands and shellcode on the affected system, potentially leading to complete system compromise. 
This can result in data theft, installation of malware, or further propagation within the network. The technique is effective at bypassing application whitelisting and other security controls that rely on standard execution paths.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Execution via Windows Command Debugging Utility\u0026rdquo; to your SIEM to detect suspicious cdb.exe executions (see rules section).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging via Sysmon or Windows Security Event Logs to provide the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent execution of cdb.exe from non-standard paths.\u003c/li\u003e\n\u003cli\u003eMonitor process command lines for the \u003ccode\u003e-cf\u003c/code\u003e, \u003ccode\u003e-c\u003c/code\u003e, and \u003ccode\u003e-pd\u003c/code\u003e flags when cdb.exe is executed.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of cdb.exe running from unusual directories to determine legitimacy.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-07-cdb-execution/","summary":"Adversaries can abuse the Windows command line debugging utility cdb.exe to execute commands or shellcode from non-standard paths, evading traditional security measures.","title":"Suspicious Execution via Windows Command Debugging Utility","url":"https://feed.craftedsignal.io/briefs/2024-07-cdb-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["low"],"_cs_tags":["defense evasion","impact","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe Sysinternals SDelete utility is a legitimate tool 
developed by Microsoft for securely deleting files by overwriting and renaming them multiple times. While intended for secure data disposal, adversaries can abuse SDelete to remove forensic artifacts, destroy evidence of their activities, and impede data recovery efforts after a successful ransomware attack or data theft. This activity can be used as a post-exploitation technique. This detection rule focuses on identifying file name patterns indicative of SDelete\u0026rsquo;s operation, specifically detecting files with names resembling \u0026ldquo;*AAA.AAA\u0026rdquo;. The rule is designed to work with various endpoint detection and response solutions, including Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and CrowdStrike.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain the necessary permissions to delete files.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys or utilizes an existing copy of the SDelete utility.\u003c/li\u003e\n\u003cli\u003eThe attacker executes SDelete against targeted files or directories.\u003c/li\u003e\n\u003cli\u003eSDelete overwrites the targeted file(s) multiple times with random data.\u003c/li\u003e\n\u003cli\u003eSDelete renames the file(s) multiple times, often with patterns such as \u0026ldquo;*AAA.AAA\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eSDelete deletes the file(s) making recovery difficult.\u003c/li\u003e\n\u003cli\u003eThe attacker removes SDelete or any associated tools to further cover their tracks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can result in the permanent deletion of crucial forensic artifacts, log files, or even critical data. 
This can severely hinder incident response efforts, making it challenging to identify the scope of the attack, the attacker\u0026rsquo;s methods, and the compromised assets. The number of victims and affected sectors depends on the scale of the initial breach and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Potential Secure File Deletion via SDelete Utility\u0026rdquo; detection rule to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the detection rule, focusing on the process execution chain and identifying the user account involved.\u003c/li\u003e\n\u003cli\u003eReview the privileges assigned to the user account to ensure the least privilege principle is followed.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) logging to enhance visibility into file creation events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-01-28-sdelete-filename-rename/","summary":"This rule detects file name patterns generated by the use of Sysinternals SDelete utility, potentially used by attackers to delete forensic indicators and hinder data recovery efforts.","title":"Potential Secure File Deletion via SDelete Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-28-sdelete-filename-rename/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Endgame","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","registry-modification","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe DNS Global Query Block List (GQBL) is a Windows security feature designed to prevent the resolution of specific DNS 
names, commonly exploited in attacks like WPAD spoofing. Attackers who have obtained elevated privileges, such as DNSAdmin, can modify or disable this list to bypass security controls. This allows exploitation of hosts running WPAD with default settings. The modification of the GQBL can be used for privilege escalation and lateral movement within a network. This rule detects changes to the registry values associated with the GQBL, specifically \u0026ldquo;EnableGlobalQueryBlockList\u0026rdquo; and \u0026ldquo;GlobalQueryBlockList.\u0026rdquo; This activity could indicate an attacker attempting to weaken defenses to facilitate further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to obtain DNSAdmin rights.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u0026ldquo;EnableGlobalQueryBlockList\u0026rdquo; registry value to \u0026ldquo;0\u0026rdquo; or \u0026ldquo;0x00000000,\u0026rdquo; effectively disabling the GQBL.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker modifies the \u0026ldquo;GlobalQueryBlockList\u0026rdquo; registry value to remove \u0026ldquo;wpad\u0026rdquo; from the list.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the disabled GQBL to conduct WPAD spoofing attacks, redirecting network traffic to attacker-controlled servers.\u003c/li\u003e\n\u003cli\u003eThe attacker captures user credentials transmitted during WPAD authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the captured credentials to move laterally to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification or disabling of the DNS Global Query Block List can lead to WPAD spoofing attacks, credential theft, lateral movement, and ultimately, complete compromise of the network. Attackers can leverage this technique to gain unauthorized access to sensitive data or systems. The impact includes potential data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRegistry Modification of DNS Global Query Block List\u003c/code\u003e to your SIEM to detect unauthorized changes to the GQBL configuration.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture the necessary events for the Sigma rule to function (reference the logsource in the rule).\u003c/li\u003e\n\u003cli\u003eReview and restrict DNSAdmin privileges to only necessary accounts to minimize the attack surface (reference: Overview section).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual DNS queries or WPAD-related activity, correlating with registry modification events (reference: Attack Chain step 5).\u003c/li\u003e\n\u003cli\u003eRegularly audit registry settings related to DNS configuration, including the GQBL, to identify unauthorized modifications (reference: Attack Chain steps 3 \u0026amp; 4).\u003c/li\u003e\n\u003cli\u003eUpdate security policies and procedures to include specific measures for monitoring and protecting the DNS Global Query Block List (reference: Impact section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T10:00:00Z","date_published":"2024-07-03T10:00:00Z","id":"/briefs/2024-07-dns-gqbl-modified/","summary":"Attackers with DNSAdmin privileges can modify or disable the DNS Global Query Block List (GQBL) in Windows, allowing exploitation of hosts running WPAD with default settings for privilege escalation and 
lateral movement.","title":"DNS Global Query Block List Modified or Disabled","url":"https://feed.craftedsignal.io/briefs/2024-07-dns-gqbl-modified/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Office","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["low"],"_cs_tags":["persistence","registry","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe \u0026ldquo;Office Test\u0026rdquo; registry key, located under \u003ccode\u003eHKCU\\Software\\Microsoft\\Office Test\\Special\\Perf\u003c/code\u003e, is a legitimate feature that allows specifying a DLL to be executed every time an MS Office application is started. Attackers can abuse this functionality by modifying the registry to point to a malicious DLL, achieving persistence on a compromised host. This allows for continued malicious activity even after a system restart or user logout. Elastic has published a rule to detect this behavior. 
The modification of this registry key, excluding deletions, is a strong indicator of potential abuse, and can be detected via endpoint detection and response (EDR) solutions as well as traditional Sysmon logging.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, often through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a foothold and escalates privileges to make necessary registry modifications.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eHKCU\\Software\\Microsoft\\Office Test\\Special\\Perf\u003c/code\u003e registry key, adding a new entry or modifying an existing one to point to a malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe attacker ensures the malicious DLL is present on the system, either by dropping it directly or using existing system tools to download it.\u003c/li\u003e\n\u003cli\u003eA user launches a Microsoft Office application (e.g., Word, Excel, PowerPoint).\u003c/li\u003e\n\u003cli\u003eThe Office application loads the DLL specified in the \u0026ldquo;Office Test\u0026rdquo; registry key during startup.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes its payload, which could include establishing a reverse shell, installing malware, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence, allowing them to regain access to the system each time an Office application is started.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to a compromised system. The injected DLL can be used to execute arbitrary code, potentially leading to data theft, malware installation, or further compromise of the network. 
The relatively low risk score suggests a common technique, but the potential for persistent access makes it a significant threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune for your environment to detect unauthorized modifications to the \u0026ldquo;Office Test\u0026rdquo; registry key (\u003ccode\u003eHKCU\\Software\\Microsoft\\Office Test\\Special\\Perf\\*\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Registry event logging to capture registry modifications and activate the Sigma rule above.\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for Office applications to detect if a suspicious DLL has been loaded or executed, as described in the investigation guide.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and alerting for similar registry modifications across the network, as described in the remediation steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-27T17:30:00Z","date_published":"2024-01-27T17:30:00Z","id":"/briefs/2024-01-office-test-registry-persistence/","summary":"Attackers modify the Microsoft Office 'Office Test' Registry key to achieve persistence by specifying a malicious DLL that executes upon application startup.","title":"Microsoft Office 'Office Test' Registry Persistence Abuse","url":"https://feed.craftedsignal.io/briefs/2024-01-office-test-registry-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection rule identifies anomalous creation or modification of executable files by critical Windows system processes, like 
\u003ccode\u003esmss.exe\u003c/code\u003e, \u003ccode\u003ecsrss.exe\u003c/code\u003e, and \u003ccode\u003elsass.exe\u003c/code\u003e. Attackers may attempt to leverage these processes to evade detection, and the rule is designed to detect such activities. The rule leverages data from Elastic Defend, Microsoft Defender XDR, SentinelOne, CrowdStrike, and Sysmon. It provides investigation steps to help analysts triage and analyze potential incidents, focusing on the identity of the writing process, its lineage, and the characteristics of the written file. This rule is designed to detect potential remote code execution or other forms of exploitation targeting Windows systems. The rule logic excludes specific legitimate file paths to minimize false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through methods such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes code on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a system critical process to create or modify an executable file.\u003c/li\u003e\n\u003cli\u003eThe created/modified file may be a backdoor, malware component, or a tool for further exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the created executable to establish persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly created executable to perform lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution with elevated privileges. The number of victims is dependent on the scope of the initial compromise. 
The targeted sectors include any organization running vulnerable Windows systems. If the attack succeeds, the adversary can gain full control over the system, leading to data theft, system disruption, or further propagation of malware.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Unusual Executable File Creation by a System Critical Process\u0026rdquo; detection rule to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon file creation logging (Event ID 11) to enhance detection capabilities (see setup instructions in the rule source).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, paying close attention to the writing process\u0026rsquo;s identity, lineage, and the characteristics of the written file as detailed in the rule\u0026rsquo;s triage and analysis section.\u003c/li\u003e\n\u003cli\u003eCorrelate alerts from this rule with other endpoint and network activity to identify the scope of the potential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-25T12:00:00Z","date_published":"2024-01-25T12:00:00Z","id":"/briefs/2024-01-25-unusual-executable-file-creation/","summary":"The rule identifies unexpected executable file creation or modification by critical Windows processes, potentially indicating remote code execution or exploitation attempts.","title":"Unusual Executable File Creation by a System Critical Process","url":"https://feed.craftedsignal.io/briefs/2024-01-25-unusual-executable-file-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["execution","windows","scripting","archive"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers commonly use archive files (ZIP, RAR, 7z) to deliver 
malicious scripts, such as JScript and VBScript, to Windows systems. This technique allows them to bypass some initial security checks and deliver payloads that can execute arbitrary code. The \u0026ldquo;Windows Script Execution from Archive\u0026rdquo; detection identifies instances where Windows Script Host (wscript.exe) is launched from temporary directories containing extracted archive contents. This activity can indicate a user has opened a malicious archive, leading to potential malware execution. This detection focuses on the parent-child process relationship, where explorer.exe, winrar.exe, or 7zFM.exe spawns wscript.exe to execute scripts from the temp directory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user receives a malicious archive file (e.g., ZIP, RAR, 7z) via email or downloads it from a website.\u003c/li\u003e\n\u003cli\u003eThe user opens the archive file using a file archiver tool like Explorer, WinRAR, or 7-Zip.\u003c/li\u003e\n\u003cli\u003eThe archiver extracts the contents, including a malicious JScript (.js) or VBScript (.vbs) file, to a temporary directory, such as \u003ccode\u003e\\Users\\*\\AppData\\Local\\Temp\\7z*\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe user (or the archiver tool) inadvertently executes the extracted script using Windows Script Host (wscript.exe).\u003c/li\u003e\n\u003cli\u003eWscript.exe executes the malicious script, which may perform a variety of actions, such as downloading and executing additional payloads.\u003c/li\u003e\n\u003cli\u003eThe script establishes persistence via registry modification, adding a run key to execute upon system startup.\u003c/li\u003e\n\u003cli\u003eThe script connects to a command-and-control server to receive further instructions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the compromised system and begins lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack of this nature can lead to arbitrary code execution on the victim\u0026rsquo;s machine, potentially resulting in data theft, malware installation, or complete system compromise. While the number of affected organizations is not specified, the technique is broadly applicable to any Windows environment where users handle archive files, potentially affecting numerous individuals and organizations across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture the execution of wscript.exe and its arguments.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Script Execution from Archive\u0026rdquo; to your SIEM to identify suspicious script execution patterns.\u003c/li\u003e\n\u003cli\u003eMonitor process activity for wscript.exe and other scripting engines executing from temporary directories.\u003c/li\u003e\n\u003cli\u003eConfigure endpoint security solutions to block execution of scripts from common temporary directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-script-exec-archive/","summary":"This rule identifies attempts to execute Jscript/Vbscript files from an archive file, a common delivery method for malicious scripts on Windows systems.","title":"Windows Script Execution from Archive File","url":"https://feed.craftedsignal.io/briefs/2024-01-script-exec-archive/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","masquerading","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft"],"content_html":"\u003cp\u003eAdversaries may use masquerading 
techniques to evade defenses and blend into the environment by manipulating the name or location of a file, tricking users into executing malicious code disguised as a benign file type. This rule detects the creation of executable files with multiple extensions, a common method of masquerading. The rule focuses on identifying suspicious file creations that use misleading extensions, specifically targeting files with an \u0026ldquo;.exe\u0026rdquo; extension preceded by common benign extensions. It excludes known legitimate processes to minimize false positives. This activity is relevant for defenders to identify potential threats where adversaries attempt to bypass security measures by disguising malicious files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious executable file with a double extension (e.g., \u0026ldquo;document.pdf.exe\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious file to the target system via phishing or other means.\u003c/li\u003e\n\u003cli\u003eThe user downloads or receives the file and attempts to open it.\u003c/li\u003e\n\u003cli\u003eWindows displays the file with the first extension (\u0026ldquo;document.pdf\u0026rdquo;) by default, misleading the user.\u003c/li\u003e\n\u003cli\u003eUpon execution, Windows recognizes the \u0026ldquo;.exe\u0026rdquo; extension and executes the file.\u003c/li\u003e\n\u003cli\u003eThe malicious executable runs, potentially deploying malware or performing other unauthorized actions.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence or attempts lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data theft or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to malware infection, data breaches, and system compromise. 
This technique bypasses common file type restrictions and user awareness, potentially affecting a wide range of users and systems. While the number of victims is not specified, the impact can be significant, particularly in organizations where users handle sensitive data. The affected sectors are broad, encompassing any organization where users are susceptible to social engineering attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Executable File Creation with Multiple Extensions\u0026rdquo; to your SIEM and tune for your environment to detect the creation of suspicious files with multiple extensions.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) for comprehensive file creation monitoring to improve the effectiveness of the detection rule.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for similar file creation activities to improve detection and response capabilities.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks associated with double file extensions and encourage caution when opening attachments from unknown sources.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate software installations that may create executables with multiple extensions to reduce false positives, as described in the rule\u0026rsquo;s triage notes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-executable-file-creation-multiple-extensions/","summary":"Detection of executable files created with multiple extensions, a masquerading technique to evade defenses.","title":"Executable File Creation with Multiple Extensions","url":"https://feed.craftedsignal.io/briefs/2024-01-executable-file-creation-multiple-extensions/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Endgame","Elastic Defend","Microsoft 
Defender XDR","SentinelOne Cloud Funnel","Sysmon","Windows Security Event Logs","Crowdstrike"],"_cs_severities":["high"],"_cs_tags":["credential-access","registry-dump","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies attempts to export registry hives containing sensitive credential information using the Windows \u003ccode\u003ereg.exe\u003c/code\u003e utility. Attackers may target the \u003ccode\u003eHKLM\\SAM\u003c/code\u003e and \u003ccode\u003eHKLM\\SECURITY\u003c/code\u003e hives to extract stored credentials, including password hashes and LSA secrets. The activity is often part of a broader credential access campaign. The rule focuses on detecting the execution of \u003ccode\u003ereg.exe\u003c/code\u003e with specific arguments indicating an attempt to save or export these critical registry hives. The use of \u003ccode\u003ereg.exe\u003c/code\u003e makes this technique accessible to various threat actors, including ransomware groups and nation-state actors. Defenders need to monitor for this activity to prevent unauthorized credential access and potential lateral movement within the network. 
This rule specifically looks for \u0026ldquo;save\u0026rdquo; and \u0026ldquo;export\u0026rdquo; arguments targeting SAM and SECURITY hives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ereg.exe\u003c/code\u003e from the command line or through a script.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ereg.exe\u003c/code\u003e command includes arguments to save or export registry hives.\u003c/li\u003e\n\u003cli\u003eThe target registry hives are \u003ccode\u003eHKLM\\SAM\u003c/code\u003e and \u003ccode\u003eHKLM\\SECURITY\u003c/code\u003e, containing sensitive credential information.\u003c/li\u003e\n\u003cli\u003eThe exported registry hive is saved to a file on disk or a network share.\u003c/li\u003e\n\u003cli\u003eThe attacker may compress or encrypt the exported registry hive to evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the exported registry hive for offline analysis.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts credential information from the registry hive, such as password hashes and LSA secrets, to use in lateral movement or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to acquire sensitive credentials stored within the registry. This can lead to lateral movement within the network, privilege escalation, and ultimately, data exfiltration or system compromise. Compromised credentials can be used to access critical systems and data, causing significant damage to the organization. 
The impact is considered high due to the potential for widespread access and control over the compromised environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation auditing with command line arguments to capture the execution of \u003ccode\u003ereg.exe\u003c/code\u003e with relevant arguments. (\u003ca href=\"https://ela.st/audit-process-creation\"\u003eData Source: Windows Security Event Logs, Sysmon\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Registry Hive Export via Reg.exe\u003c/code\u003e to your SIEM to detect the execution of \u003ccode\u003ereg.exe\u003c/code\u003e with arguments indicative of registry hive dumping.\u003c/li\u003e\n\u003cli\u003eImplement access controls and monitor file system activity to detect unauthorized access or modification of registry hive files.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of \u003ccode\u003ereg.exe\u003c/code\u003e to authorized personnel and processes.\u003c/li\u003e\n\u003cli\u003eMonitor for parent processes of \u003ccode\u003ereg.exe\u003c/code\u003e that are unusual or unexpected, which might indicate malicious activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by reviewing the process command line, parent process, and destination of the exported registry hive.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-24-registry-hive-dump/","summary":"Detects attempts to export sensitive Windows registry hives (SAM/SECURITY) using reg.exe, potentially leading to credential compromise.","title":"Credential Acquisition via Registry Hive Dumping","url":"https://feed.craftedsignal.io/briefs/2024-01-24-registry-hive-dump/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft HTML Help system","Elastic Defend","Microsoft 
Defender XDR","Sysmon","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["execution","defense-evasion","compiled-html","windows","proxy-execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eAttackers are known to deliver malicious payloads within compiled HTML files (.chm) to bypass security measures and gain initial access to systems. This technique leverages the Microsoft HTML Help system and its associated executable, hh.exe, to proxy the execution of malicious code. Compiled HTML files can contain various types of content, including HTML documents, images, and scripting languages like VBA, JScript, Java, and ActiveX. By embedding malicious scripts or executables within a .chm file, attackers can trick users into executing them when they open the file. This is particularly effective because hh.exe is a signed binary, which may allow it to bypass certain security controls. The scope of this technique affects Windows systems where the HTML Help system is installed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious .chm file containing embedded malicious code, such as a PowerShell script or executable.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the .chm file to the victim via social engineering, such as phishing or malicious websites.\u003c/li\u003e\n\u003cli\u003eThe victim opens the .chm file, causing hh.exe to launch.\u003c/li\u003e\n\u003cli\u003ehh.exe processes the .chm file, rendering its content, which includes the embedded malicious script or executable.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes, often spawning a scripting interpreter like \u003ccode\u003epowershell.exe\u003c/code\u003e or \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe scripting interpreter executes commands to download additional payloads or perform malicious actions on 
the system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the victim\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges and moves laterally within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to initial access, code execution, and potentially full system compromise. This can result in data theft, malware installation, and further lateral movement within the network. The severity and impact depend on the permissions of the user running hh.exe and the nature of the malicious payload.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Compiled HTML File Spawning Suspicious Processes\u0026rdquo; to your SIEM to detect instances where \u003ccode\u003ehh.exe\u003c/code\u003e is the parent process of scripting interpreters.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to provide the necessary data for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eMonitor process execution chains for unknown processes originating from \u003ccode\u003ehh.exe\u003c/code\u003e, as mentioned in the investigation guide.\u003c/li\u003e\n\u003cli\u003eImplement email filtering and security awareness training to prevent users from opening malicious .chm files delivered via phishing.\u003c/li\u003e\n\u003cli\u003eBlock the execution of unsigned or untrusted executables in the environment to reduce the risk of malicious code execution.\u003c/li\u003e\n\u003cli\u003eUse endpoint detection and response (EDR) solutions like Elastic Defend, CrowdStrike, Microsoft Defender XDR, and SentinelOne to detect and respond to malicious 
activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:30:00Z","date_published":"2024-01-03T18:30:00Z","id":"/briefs/2024-01-compiled-html-execution/","summary":"Adversaries may conceal malicious code in compiled HTML files (.chm) and deliver them to a victim for execution, using the HTML Help executable (hh.exe) to proxy the execution of scripting interpreters and bypass security controls.","title":"Process Activity via Compiled HTML File Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-compiled-html-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["credential-access","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eThis rule identifies the creation of symbolic links to shadow copies on Windows systems. Attackers use this technique to gain access to sensitive files stored within shadow copies, including the ntds.dit file (containing password hashes), system boot keys, and browser offline credentials. This approach allows them to bypass normal file access controls and extract credentials for lateral movement or privilege escalation. The detection rule is designed to ingest data from various sources, including Elastic Defend, CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs, providing broad coverage across different endpoint security solutions. The activity is typically initiated by command-line tools like cmd.exe or powershell.exe, making detection through process monitoring feasible. 
This technique is particularly relevant as it targets credential dumping, a critical stage in many attack campaigns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, possibly through phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain administrative rights, which are required to create shadow copies and symbolic links.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a volume shadow copy using \u003ccode\u003evssadmin.exe\u003c/code\u003e or similar tools.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003emklink\u003c/code\u003e command or the PowerShell \u003ccode\u003eNew-Item -ItemType SymbolicLink\u003c/code\u003e cmdlet to create a symbolic link to the shadow copy path.\u003c/li\u003e\n\u003cli\u003eThe symbolic link points to a directory within the shadow copy containing sensitive files like \u003ccode\u003entds.dit\u003c/code\u003e or browser credential stores.\u003c/li\u003e\n\u003cli\u003eThe attacker copies the targeted sensitive files (e.g., \u003ccode\u003entds.dit\u003c/code\u003e) from the shadow copy using the symbolic link.\u003c/li\u003e\n\u003cli\u003eThe attacker removes the shadow copy to cover their tracks, although the symbolic link creation remains as evidence.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts credentials from the copied \u003ccode\u003entds.dit\u003c/code\u003e file offline for use in lateral movement or further attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain unauthorized access to sensitive credentials stored on the compromised system. This can lead to lateral movement within the network, privilege escalation, and ultimately, the compromise of critical assets. 
If the \u003ccode\u003entds.dit\u003c/code\u003e file is accessed, the entire Active Directory domain could be at risk, potentially affecting thousands of users and systems. This type of attack is particularly damaging as it allows attackers to operate undetected for extended periods while they harvest credentials.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026ldquo;Symbolic Link to Shadow Copy Created via Cmd\u0026rdquo; to detect the creation of symbolic links to shadow copies via \u003ccode\u003ecmd.exe\u003c/code\u003e (rules).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026ldquo;Symbolic Link to Shadow Copy Created via PowerShell\u0026rdquo; to detect the creation of symbolic links to shadow copies via \u003ccode\u003epowershell.exe\u003c/code\u003e (rules).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) logging to provide necessary data for the Sigma rules to function correctly (setup).\u003c/li\u003e\n\u003cli\u003eReview the \u0026ldquo;Investigating Symbolic Link to Shadow Copy Created\u0026rdquo; section in the rule\u0026rsquo;s notes for triage and analysis steps when the rule triggers.\u003c/li\u003e\n\u003cli\u003eMonitor for the usage of \u003ccode\u003emklink\u003c/code\u003e command with the \u003ccode\u003eHarddiskVolumeShadowCopy\u003c/code\u003e argument in process command lines.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:15:00Z","date_published":"2024-01-03T18:15:00Z","id":"/briefs/2024-01-shadow-copy-symlink/","summary":"Adversaries may create symbolic links to shadow copies to access sensitive files such as ntds.dit and browser credentials, enabling credential dumping using cmd.exe or powershell.exe.","title":"Symbolic Link Creation to Shadow Copies for Credential 
Access","url":"https://feed.craftedsignal.io/briefs/2024-01-shadow-copy-symlink/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["high"],"_cs_tags":["credential-access","mimikatz","memssp","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies the creation of the \u003ccode\u003emimilsa.log\u003c/code\u003e file, a default log generated by the Mimikatz \u003ccode\u003emisc::memssp\u003c/code\u003e module. The \u003ccode\u003emisc::memssp\u003c/code\u003e module injects a malicious Security Support Provider (SSP) into the Local Security Authority Subsystem Service (LSASS) process. This injected SSP logs credentials from subsequent logons to the compromised host, allowing attackers to capture sensitive information. The creation of this log file is a strong indicator of credential access attempts and the potential compromise of user accounts and system security. 
This rule is designed for data generated by Elastic Defend and also supports data from CrowdStrike, Microsoft Defender XDR, and SentinelOne Cloud Funnel.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes Mimikatz or a similar tool with the \u003ccode\u003emisc::memssp\u003c/code\u003e module.\u003c/li\u003e\n\u003cli\u003eMimikatz injects a malicious SSP library (e.g., \u003ccode\u003emimilib.dll\u003c/code\u003e) into the LSASS process (\u003ccode\u003elsass.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe injected SSP hooks into the authentication process.\u003c/li\u003e\n\u003cli\u003eWhen users log on to the system, the SSP captures their credentials.\u003c/li\u003e\n\u003cli\u003eThe captured credentials are written to the \u003ccode\u003emimilsa.log\u003c/code\u003e file, typically located in \u003ccode\u003eC:\\Windows\\System32\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the \u003ccode\u003emimilsa.log\u003c/code\u003e file to obtain the captured credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to escalate privileges, move laterally within the network, and access sensitive resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Mimikatz MemSSP attack can lead to the compromise of user accounts, including those with administrative privileges. This allows attackers to gain unauthorized access to sensitive data, systems, and resources within the organization. Lateral movement becomes easier, potentially impacting a large number of systems. 
The compromised credentials can also be used for external attacks, such as gaining access to cloud services or other external resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMimikatz Memssp Log File Detected\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon file creation logging to detect the creation of \u003ccode\u003emimilsa.log\u003c/code\u003e files.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the process that created the log file and any subsequent file access.\u003c/li\u003e\n\u003cli\u003eMonitor for the presence of \u003ccode\u003emimilib.dll\u003c/code\u003e and any LSA Security Packages registry modifications, as these may indicate persistent SSP installation.\u003c/li\u003e\n\u003cli\u003eReview and restrict interactive logons to high-value hosts to minimize the potential for credential theft.\u003c/li\u003e\n\u003cli\u003eInvestigate related alerts for the same \u003ccode\u003ehost.id\u003c/code\u003e in the last 48 hours covering delivery, privilege escalation, LSASS access, persistence, lateral movement, or additional credential access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:00:00Z","date_published":"2024-01-03T17:00:00Z","id":"/briefs/2024-01-mimikatz-memssp-log/","summary":"This rule detects the creation of the default Mimikatz MemSSP credential log file, mimilsa.log, which is created after the misc::memssp module injects a malicious Security Support Provider into LSASS, potentially capturing credentials from subsequent logons.","title":"Mimikatz MemSSP Log File Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-mimikatz-memssp-log/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud 
Funnel","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","wsl","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","CrowdStrike"],"content_html":"\u003cp\u003eAttackers may enable the Windows Subsystem for Linux (WSL) to run Linux applications and tools directly on Windows, potentially bypassing security controls and hindering detection. This involves using the Dism.exe utility to enable the \u0026ldquo;Microsoft-Windows-Subsystem-Linux\u0026rdquo; feature. By leveraging WSL, adversaries can execute malicious code, access Windows resources, and perform various malicious activities while blending in with legitimate system processes. The use of WSL provides an environment where traditional Windows-based security solutions may have limited visibility, thus offering a way to evade detection. This activity has been observed as a post-exploitation technique, used after initial access to a compromised system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through methods such as phishing, exploiting vulnerabilities, or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes Dism.exe (Deployment Image Servicing and Management tool).\u003c/li\u003e\n\u003cli\u003eDism.exe is invoked with the command-line argument to enable the \u0026ldquo;Microsoft-Windows-Subsystem-Linux\u0026rdquo; feature.\u003c/li\u003e\n\u003cli\u003eThe system processes the Dism.exe command and enables WSL.\u003c/li\u003e\n\u003cli\u003eThe attacker installs a Linux distribution (e.g., Ubuntu, Kali) within the WSL environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the WSL environment to execute Linux-based tools and scripts for reconnaissance, lateral movement, or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the WSL environment to interact with Windows resources or execute Windows 
commands.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as stealing sensitive data or establishing persistence on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enablement of WSL can lead to a compromised Windows system being used as a platform for Linux-based attacks. This can result in data theft, system compromise, and further propagation of malicious activity within the network. The use of WSL can make it difficult to detect malicious activity since it allows attackers to blend Linux-based attacks with normal Windows operations. The lack of visibility into the WSL environment by traditional Windows security tools can lead to prolonged periods of undetected malicious activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003eDism.exe\u003c/code\u003e with command-line arguments that include \u003ccode\u003eMicrosoft-Windows-Subsystem-Linux\u003c/code\u003e to detect WSL enablement attempts (see Sigma rule \u003ccode\u003eDetect WSL Enablement via Dism\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture detailed command-line information for processes, which is crucial for detecting this activity (Sysmon Event ID 1).\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect suspicious usage of the DISM utility to enable WSL. 
Tune the rule based on your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u003ccode\u003eDetect WSL Enablement via Dism\u003c/code\u003e to determine the legitimacy of the activity.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from WSL processes for suspicious outbound traffic.\u003c/li\u003e\n\u003cli\u003eConsider blocking the execution of Dism.exe if WSL is not a sanctioned tool in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wsl-enabled-via-dism/","summary":"Adversaries may enable and use Windows Subsystem for Linux (WSL) using the Microsoft Dism utility to evade detection on Windows systems by running Linux applications and tools.","title":"Windows Subsystem for Linux Enabled via Dism Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-wsl-enabled-via-dism/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","firewall"],"_cs_type":"advisory","_cs_vendors":["Microsoft","CrowdStrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eAttackers can leverage the \u003ccode\u003enetsh.exe\u003c/code\u003e utility to modify Windows Firewall settings, specifically enabling Network Discovery. This setting allows a host to broadcast its presence and services, making it easier for attackers to identify potential targets within the network for lateral movement. The behavior is often a post-exploitation technique to weaken host-based defenses after gaining initial access. The modification uses netsh.exe, a command-line scripting utility for managing network configurations. 
This activity can be easily scripted and automated, making it a common step in reconnaissance and lateral movement playbooks. Defenders should monitor for unauthorized use of \u003ccode\u003enetsh.exe\u003c/code\u003e to modify firewall settings.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a Windows host.\u003c/li\u003e\n\u003cli\u003eAttacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e with elevated privileges.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enetsh.exe\u003c/code\u003e is used to modify the Windows Firewall configuration.\u003c/li\u003e\n\u003cli\u003eThe specific command executed enables Network Discovery using the \u003ccode\u003enetsh advfirewall firewall set rule group=\u0026quot;Network Discovery\u0026quot; new enable=Yes\u003c/code\u003e syntax.\u003c/li\u003e\n\u003cli\u003eThe firewall rule group \u0026ldquo;Network Discovery\u0026rdquo; is modified to allow inbound and outbound traffic.\u003c/li\u003e\n\u003cli\u003eThe compromised host begins sending out broadcast messages, advertising its presence and services on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the information gathered to identify other vulnerable systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems based on the discovery information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to easily enumerate and identify other vulnerable systems within the network. This can lead to rapid lateral movement, further compromising the environment. The risk is heightened when the compromised host has access to sensitive data or critical systems. 
There is no specific victim count or sector targeted mentioned in the provided source.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Enable Host Network Discovery via Netsh\u0026rdquo; to your SIEM to detect the use of \u003ccode\u003enetsh.exe\u003c/code\u003e to enable network discovery (see rule below).\u003c/li\u003e\n\u003cli\u003eEnable Windows Firewall logging and monitor for changes to firewall rules, specifically those related to Network Discovery.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of \u003ccode\u003enetsh.exe\u003c/code\u003e to authorized personnel and systems only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-enable-network-discovery/","summary":"Attackers can enable host network discovery via netsh.exe to weaken host firewall settings, facilitating lateral movement by identifying other systems on the network.","title":"Windows Host Network Discovery Enabled via Netsh","url":"https://feed.craftedsignal.io/briefs/2024-01-enable-network-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","CrowdStrike","SentinelOne Cloud Funnel","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","powershell","firewall","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers often attempt to disable or modify system firewalls to evade network restrictions and facilitate lateral movement within a compromised environment. The Windows Firewall, a built-in component, provides host-based traffic filtering. Disabling it allows unrestricted communication, aiding command and control activities and hindering detection efforts. 
This activity is commonly achieved through PowerShell, leveraging cmdlets like \u003ccode\u003eSet-NetFirewallProfile\u003c/code\u003e. The rule focuses on detecting the use of this specific cmdlet to disable the Windows Firewall, alerting defenders to potential defense evasion attempts. This technique is valuable to attackers across various attack vectors, especially after initial access has been established.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access through methods such as phishing or exploiting a vulnerability in a network-facing application.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (if necessary): The attacker escalates privileges to gain the necessary permissions to modify firewall settings.\u003c/li\u003e\n\u003cli\u003ePowerShell Execution: The attacker executes PowerShell, either through an interactive session or a script.\u003c/li\u003e\n\u003cli\u003eDisable Firewall Profile: The attacker uses the \u003ccode\u003eSet-NetFirewallProfile\u003c/code\u003e cmdlet with parameters such as \u003ccode\u003e-Enabled False\u003c/code\u003e to disable the firewall for all, public, domain, or private profiles.\u003c/li\u003e\n\u003cli\u003eNetwork Reconnaissance: With the firewall disabled, the attacker performs network reconnaissance to identify valuable assets and potential lateral movement paths.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker moves laterally to other systems on the network, exploiting trust relationships or vulnerabilities.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The attacker establishes command and control channels to communicate with compromised systems and exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eData Exfiltration or Further Exploitation: The attacker exfiltrates sensitive data or continues to exploit the environment based on their 
objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of the Windows Firewall can lead to unrestricted lateral movement within a network, allowing attackers to compromise additional systems and exfiltrate sensitive data. This can result in data breaches, financial losses, and reputational damage. While the source does not specify the number of affected organizations, any environment relying on Windows Firewall for network segmentation is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect the use of \u003ccode\u003eSet-NetFirewallProfile\u003c/code\u003e with the \u003ccode\u003e-Enabled False\u003c/code\u003e parameter (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging on Windows endpoints to capture PowerShell executions (reference the logsource in the Sigma rule).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the firewall modification activity.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege to limit the number of users with permissions to modify firewall settings.\u003c/li\u003e\n\u003cli\u003eConsider implementing additional network segmentation and monitoring controls to detect and prevent lateral movement even if the Windows Firewall is disabled.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-powershell-firewall-disable/","summary":"Attackers may disable the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet to enable lateral movement and command and control activity.","title":"Windows Firewall Disabled via 
PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-firewall-disable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","CrowdStrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eAttackers may attempt to evade detection by modifying Windows Defender\u0026rsquo;s configuration to exclude specific files, folders, or processes from scanning. This is often achieved by using PowerShell commands to add exclusions. The tactic allows malware to operate without being detected by the built-in antivirus solution. Observed as early as 2018 with Trickbot disabling Windows Defender, this technique remains relevant today. This activity can be performed using \u003ccode\u003eAdd-MpPreference\u003c/code\u003e or \u003ccode\u003eSet-MpPreference\u003c/code\u003e commands in PowerShell, specifying exclusions by path or process name. Detecting these modifications is critical for maintaining the integrity of endpoint security. 
The scope of targeting ranges from individual workstations to entire networks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system via an undisclosed method.\u003c/li\u003e\n\u003cli\u003eThe attacker executes PowerShell with administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eAdd-MpPreference\u003c/code\u003e or \u003ccode\u003eSet-MpPreference\u003c/code\u003e cmdlet to add an exclusion.\u003c/li\u003e\n\u003cli\u003eThe exclusion specifies a file path, folder, or process that should be ignored by Windows Defender.\u003c/li\u003e\n\u003cli\u003eWindows Defender is reconfigured to ignore the specified item.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys or executes malware in the excluded location.\u003c/li\u003e\n\u003cli\u003eThe malware operates without interference from Windows Defender.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to operate undetected on compromised systems, leading to potential data breaches, lateral movement within the network, and deployment of ransomware. While the exact number of victims is unknown, this technique is widely used by various threat actors, impacting organizations across various sectors. 
The lack of detection can lead to prolonged periods of compromise, increasing the potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Windows Defender Exclusions Added via PowerShell\u0026rdquo; to your SIEM to detect suspicious PowerShell commands used to add exclusions.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with command line auditing to capture the necessary event data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eRegularly review Windows Defender exclusion lists to identify any unauthorized or suspicious entries.\u003c/li\u003e\n\u003cli\u003eInvestigate any PowerShell process that uses \u003ccode\u003eAdd-MpPreference\u003c/code\u003e or \u003ccode\u003eSet-MpPreference\u003c/code\u003e with exclusion parameters, as identified by the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor for processes and file modifications within excluded directories.\u003c/li\u003e\n\u003cli\u003eConfigure alerts to notify security teams when new Windows Defender exclusions are added.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-defender-exclusion-powershell/","summary":"Adversaries may attempt to bypass Windows Defender's capabilities by using PowerShell to add exclusions for folders or processes, and this activity can be detected by monitoring PowerShell command lines that use `Add-MpPreference` or `Set-MpPreference` with exclusion parameters.","title":"Windows Defender Exclusions Added via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-defender-exclusion-powershell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","Elastic Endgame","Windows Security Event 
Logs","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["execution","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Crowdstrike"],"content_html":"\u003cp\u003eThe rule detects suspicious usage of \u003ccode\u003emofcomp.exe\u003c/code\u003e, a command-line tool used to compile Managed Object Format (MOF) files. Attackers can abuse MOF files to manipulate the Windows Management Instrumentation (WMI) repository by building malicious WMI scripts for persistence or execution. This can be achieved by creating their own namespaces and classes within WMI or establishing persistence through WMI Event Subscriptions. The rule identifies unusual mofcomp.exe activity by filtering out legitimate processes and focusing on unusual executions, excluding known safe parent processes like \u003ccode\u003eScenarioEngine.exe\u003c/code\u003e and system accounts (\u003ccode\u003eS-1-5-18\u003c/code\u003e). This detection is designed to work with data from Elastic Defend, Microsoft Defender XDR, Crowdstrike, and Windows Security Event Logs. 
The rule aims to detect potential misuse of WMI for malicious purposes, enhancing the visibility of attacker techniques for execution and persistence.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., through phishing or exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious MOF file to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003emofcomp.exe\u003c/code\u003e to compile the malicious MOF file.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emofcomp.exe\u003c/code\u003e processes the MOF file, creating new namespaces and classes or modifying existing ones in the WMI repository.\u003c/li\u003e\n\u003cli\u003eIf the MOF file creates a WMI Event Subscription, it triggers the execution of a malicious script or binary when a specific event occurs.\u003c/li\u003e\n\u003cli\u003eThe malicious script or binary executes, performing actions such as installing malware, creating backdoors, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence through the WMI Event Subscription, ensuring continued access even after system reboots.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via malicious MOF files can lead to persistent access, code execution, and system compromise. Attackers can use this technique to install malware, create backdoors, or steal sensitive data. The rule aims to detect early stages of such attacks, preventing significant damage. 
By establishing persistence, attackers can maintain long-term control over the compromised system, evading traditional detection methods.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious \u003ccode\u003emofcomp.exe\u003c/code\u003e activity and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging and command-line auditing on Windows systems to capture necessary events for the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on unusual MOF file paths, parent processes, and user accounts.\u003c/li\u003e\n\u003cli\u003eReview and monitor WMI namespaces and classes for unauthorized modifications or additions following any detected suspicious \u003ccode\u003emofcomp.exe\u003c/code\u003e activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-mofcomp-activity/","summary":"This rule detects suspicious mofcomp.exe activity, where attackers may leverage MOF files to manipulate the Windows Management Instrumentation (WMI) repository for execution and persistence; it filters out legitimate processes and focuses on unusual executions, excluding known safe parent processes and system accounts.","title":"Suspicious Mofcomp Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-mofcomp-activity/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Work Folders","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","masquerading","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eWindows Work Folders is a Microsoft file server role that allows users to sync work files between their PCs 
and a central server. The WorkFolders.exe process, when called, will automatically execute any Portable Executable (PE) named control.exe as an argument before accessing the synced share. Attackers can abuse this functionality by placing a malicious executable renamed to control.exe in a location synced by Work Folders, and then triggering WorkFolders.exe. This can lead to the execution of arbitrary code in a manner that bypasses application control policies, as WorkFolders.exe is a signed Microsoft binary. This technique has been observed in the wild and documented by security researchers. This allows attackers to execute code from locations outside the standard Windows directories, evading traditional detection mechanisms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system through an unspecified means (e.g., phishing, exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker places a malicious executable and renames it to \u003ccode\u003econtrol.exe\u003c/code\u003e in a directory accessible to Work Folders.\u003c/li\u003e\n\u003cli\u003eThe attacker configures Windows Work Folders to synchronize the directory containing the malicious \u003ccode\u003econtrol.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim system synchronizes with the Work Folders server, copying the malicious \u003ccode\u003econtrol.exe\u003c/code\u003e to the local machine.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the \u003ccode\u003eWorkFolders.exe\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eWorkFolders.exe\u003c/code\u003e executes the \u003ccode\u003econtrol.exe\u003c/code\u003e binary from the synced folder.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003econtrol.exe\u003c/code\u003e executes, performing attacker-defined actions such as establishing persistence, escalating privileges, or deploying 
additional malware.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution in a potentially elevated context, leveraging a signed Microsoft binary (\u003ccode\u003eWorkFolders.exe\u003c/code\u003e) to bypass security controls.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on a victim\u0026rsquo;s machine, potentially bypassing application control and other security measures. This can lead to a range of malicious activities, including data theft, system compromise, and lateral movement within the network. Given the legitimate use of Work Folders, identifying malicious executions can be challenging, potentially allowing attackers to maintain a persistent foothold. The lack of specific victim counts or industry targeting details in the source material limits a complete assessment of impact scope.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creations where \u003ccode\u003eWorkFolders.exe\u003c/code\u003e is the parent process and \u003ccode\u003econtrol.exe\u003c/code\u003e is the child process, but \u003ccode\u003econtrol.exe\u003c/code\u003e is not located in a standard Windows system directory (Sigma rule: \u0026ldquo;Detect Suspicious WorkFolders Control Execution\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where \u003ccode\u003econtrol.exe\u003c/code\u003e is executed from unusual or user-writable locations, especially if \u003ccode\u003eWorkFolders.exe\u003c/code\u003e is involved (see Attack Chain step 6).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) on Windows systems to capture the necessary data for the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eReview the Microsoft documentation on Windows Information Protection (WIP) and consider implementing it to encrypt data on PCs using 
Work Folders.\u003c/li\u003e\n\u003cli\u003eImplement application control policies that restrict the execution of \u003ccode\u003econtrol.exe\u003c/code\u003e to authorized locations (e.g., \u003ccode\u003eC:\\Windows\\System32\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-workfolders-control-execution/","summary":"Attackers can abuse Windows Work Folders to execute a masqueraded control.exe file from untrusted locations, potentially bypassing application controls for defense evasion and privilege escalation.","title":"Signed Proxy Execution via MS Work Folders","url":"https://feed.craftedsignal.io/briefs/2024-01-03-workfolders-control-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["persistence","privilege-escalation","appcert-dll"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe rule detects attempts to maintain persistence by creating or modifying registry keys associated with AppCert DLLs on Windows systems. AppCert DLLs are loaded by every process that uses common API functions to create processes, making them a viable target for persistence. Adversaries can exploit this by inserting malicious DLL paths into the registry, ensuring their code executes persistently across system reboots. This technique is often used for privilege escalation and persistence. The rule specifically looks for changes in the registry path \u003ccode\u003eHKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*\u003c/code\u003e, as well as the equivalent \u003ccode\u003e\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\...\u003c/code\u003e path. This activity matters because it can lead to stealthy and persistent malware infections. 
The rule is designed for use with data from Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, Crowdstrike, and Sysmon. The detection logic was last updated on 2026/05/04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker obtains necessary privileges to modify the Windows Registry, potentially requiring administrator rights.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a registry key under \u003ccode\u003eHKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*\u003c/code\u003e to point to a malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL is placed on the file system, often in a location that appears legitimate or is easily accessible.\u003c/li\u003e\n\u003cli\u003eAny process that uses the standard Windows API to create new processes will load the specified DLL.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes its payload, which could include establishing persistence, injecting into other processes, or performing other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by ensuring the malicious DLL is loaded every time a new process is created.\u003c/li\u003e\n\u003cli\u003eThe final objective is to maintain long-term access to the compromised system, potentially escalating privileges and moving laterally within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to achieve persistent code execution on the system. This can lead to complete system compromise, data theft, or further propagation of malware within the network. The use of AppCert DLLs allows the malicious code to run in the context of nearly every process, making detection and removal more challenging. 
Without proper detection and response mechanisms, an attacker can maintain control of the system indefinitely.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon registry event logging and configure it to monitor the relevant AppCertDLLs registry paths to capture the necessary events for the rules (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect AppCert DLL Registry Modification\u003c/code\u003e to your SIEM to detect unauthorized modifications to the AppCertDLLs registry keys (Rule: Detect AppCert DLL Registry Modification).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule \u003ccode\u003eDetect AppCert DLL Registry Modification\u003c/code\u003e to determine the legitimacy of the registry modifications, using the provided triage steps as a guide.\u003c/li\u003e\n\u003cli\u003eRegularly scan systems for malicious DLLs located in the file system using updated antivirus and anti-malware tools, focusing on DLLs referenced in the AppCertDLLs registry keys.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-appcert-dll-persistence/","summary":"Detection of registry modifications related to AppCert DLLs, a persistence mechanism where malicious DLLs are loaded by every process using common API functions.","title":"Registry Persistence via AppCert DLL Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-appcert-dll-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["credential-access","webdav","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike"],"content_html":"\u003cp\u003eAttackers can exploit WebDAV by injecting WebDAV paths into files or features opened by a 
victim user, leading to NTLM credential leakage through forced authentication. This technique relies on the victim\u0026rsquo;s system attempting to authenticate against a malicious WebDAV server when accessing a file or link containing a WebDAV path. This threat is particularly relevant for defenders because it can lead to unauthorized access to sensitive information and potential lateral movement within the network. The attack leverages \u003ccode\u003erundll32.exe\u003c/code\u003e to initiate the WebDAV connection, making it difficult to distinguish from legitimate system processes. The Elastic detection rule identifies rare WebDAV connection attempts to uncover potential credential access attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious document or link containing a WebDAV path.\u003c/li\u003e\n\u003cli\u003eThe victim user opens the malicious document or clicks the link.\u003c/li\u003e\n\u003cli\u003eThe operating system attempts to resolve the WebDAV path using \u003ccode\u003erundll32.exe\u003c/code\u003e and the \u003ccode\u003eDavSetCookie\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe system initiates an authentication attempt with the malicious WebDAV server.\u003c/li\u003e\n\u003cli\u003eThe attacker captures the NTLM credentials during the authentication handshake.\u003c/li\u003e\n\u003cli\u003eThe attacker relays the captured NTLM credentials to access internal resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to credential compromise and potential lateral movement within the victim\u0026rsquo;s network. An attacker could gain unauthorized access to sensitive data and systems, potentially leading to data exfiltration, system compromise, or further attacks. This can impact organizations of any size and industry that rely on NTLM authentication. 
The severity depends on the user\u0026rsquo;s permissions and the resources they can access with their compromised credentials.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune for your environment to detect suspicious WebDAV connections initiated via \u003ccode\u003erundll32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on rare or unusual WebDAV destinations.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003erundll32.exe\u003c/code\u003e with command-line arguments containing \u0026ldquo;DavSetCookie\u0026rdquo;, focusing on connections to external domains.\u003c/li\u003e\n\u003cli\u003eConduct regular security awareness training to educate users about the risks of opening unsolicited documents or clicking suspicious links.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-rare-webdav/","summary":"This rule identifies rare connection attempts to a Web Distributed Authoring and Versioning (WebDAV) resource, where attackers may inject WebDAV paths in files opened by a victim to leak NTLM credentials via forced authentication using rundll32.exe.","title":"Rare Connection to WebDAV Target via Rundll32","url":"https://feed.craftedsignal.io/briefs/2024-01-rare-webdav/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Exchange Server","Elastic Defend","CrowdStrike","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["exchange","activesync","powershell","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThis detection identifies the use of the Exchange PowerShell cmdlet, \u003ccode\u003eSet-CASMailbox\u003c/code\u003e, to add a new 
ActiveSync allowed device. Attackers may target user email to collect sensitive information by adding unauthorized devices to a user\u0026rsquo;s allowed ActiveSync devices. The rule focuses on detecting suspicious PowerShell activity by monitoring for specific command patterns indicative of unauthorized device additions. This activity can lead to persistent access to sensitive email data, bypassing normal authentication controls. The original Elastic detection rule was created on 2020/12/15 and updated on 2026/05/04. This matters for defenders because it highlights a persistence mechanism that can be difficult to detect through traditional means.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a privileged account with Exchange management permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell to execute the \u003ccode\u003eSet-CASMailbox\u003c/code\u003e cmdlet.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eActiveSyncAllowedDeviceIDs\u003c/code\u003e attribute for a target user\u0026rsquo;s mailbox.\u003c/li\u003e\n\u003cli\u003eThe attacker adds a rogue device ID to the list of allowed devices.\u003c/li\u003e\n\u003cli\u003eThe attacker configures a mobile device with the rogue device ID to synchronize with the target mailbox.\u003c/li\u003e\n\u003cli\u003eThe attacker gains persistent access to the target user\u0026rsquo;s email, calendar, and contacts.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data from the mailbox.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence even after password changes by continuing to synchronize via the added device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to unauthorized access to sensitive email data, including confidential communications, financial information, and 
personal data. This can result in data breaches, compliance violations, and reputational damage. The scope of the impact depends on the privileges of the compromised account and the sensitivity of the data contained in the targeted mailboxes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eActiveSyncAllowedDeviceID Added via PowerShell\u003c/code\u003e to your SIEM and tune for your environment to detect suspicious activity.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to capture PowerShell commands for the rule above.\u003c/li\u003e\n\u003cli\u003eReview Exchange audit logs for instances of \u003ccode\u003eSet-CASMailbox\u003c/code\u003e being used to modify \u003ccode\u003eActiveSyncAllowedDeviceIDs\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all accounts, especially those with Exchange management privileges.\u003c/li\u003e\n\u003cli\u003eRegularly audit ActiveSync device configurations to identify unauthorized devices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-activesync-device-added/","summary":"The rule detects the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device, potentially allowing attackers to gain persistent access to sensitive email data by adding unauthorized devices.","title":"New ActiveSync Allowed Device Added via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-activesync-device-added/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud 
Funnel","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","msbuild","proxy-execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe Microsoft Build Engine (MSBuild) is a legitimate tool used by developers to build applications. However, adversaries are known to abuse MSBuild to execute malicious code, leveraging its trusted status to bypass security measures. This technique allows attackers to perform various actions on compromised systems while blending in with legitimate system activity. The observed behavior involves MSBuild being started by system processes like Explorer (explorer.exe) or Windows Management Instrumentation (WMI, wmiprvse.exe). Defenders should be aware of this unusual activity as it signifies a potential defense evasion tactic and unauthorized code execution within the targeted environment. This activity has been observed across environments leveraging Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, CrowdStrike, and standard Windows event logging.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means (e.g., phishing, exploitation of vulnerabilities).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a script or payload that invokes MSBuild.exe.\u003c/li\u003e\n\u003cli\u003eThe script or payload is executed by a system process like explorer.exe or wmiprvse.exe, which is highly unusual for typical MSBuild usage.\u003c/li\u003e\n\u003cli\u003eMSBuild.exe starts with specific command-line arguments that dictate the build process, often involving malicious code.\u003c/li\u003e\n\u003cli\u003eThe malicious code is embedded within an MSBuild project file (.csproj or similar).\u003c/li\u003e\n\u003cli\u003eMSBuild.exe executes the malicious code as part of the build 
process.\u003c/li\u003e\n\u003cli\u003eThe executed code performs actions such as downloading additional payloads, modifying system configurations, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as gaining remote access, exfiltrating data, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a variety of negative outcomes, including unauthorized code execution, system compromise, data theft, and potentially complete system takeover. The use of MSBuild as a proxy execution method allows attackers to evade traditional security controls and blend in with legitimate system activities. This can result in delayed detection and increased dwell time, amplifying the potential damage. Since MSBuild is a trusted Microsoft utility, its abuse can make malicious activity harder to identify and respond to.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Microsoft Build Engine Started by a System Process\u0026rdquo; to your SIEM to detect instances of MSBuild.exe being launched by explorer.exe or wmiprvse.exe (see rules section).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture the full context of MSBuild.exe executions (reference setup instructions in the source URL).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of MSBuild.exe started by explorer.exe or wmiprvse.exe to determine if they are legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for MSBuild.exe and related processes to detect similar activities in the future, ensuring alerts are configured for rapid response.\u003c/li\u003e\n\u003cli\u003eReview and whitelist any legitimate scripts or administrative tools that leverage MSBuild for authorized tasks to reduce 
false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-msbuild-system-process/","summary":"Adversaries are leveraging MSBuild, a Microsoft Build Engine, to execute malicious code by initiating it from system processes such as Explorer or WMI to evade defenses and execute unauthorized actions.","title":"MSBuild Started by System Process for Defense Evasion and Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-msbuild-system-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","registry","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies Windows Registry modifications used to conceal encoded portable executables, a tactic employed by adversaries to evade traditional disk-based detection mechanisms. The rule focuses on detecting registry entries with data strings that match known encoded executable patterns. This technique allows attackers to store malicious code within the registry, making it more difficult to detect using standard file-based scanning methods. The rule is designed to work with Elastic Defend, but also supports data from third-party EDR solutions, including CrowdStrike, Microsoft Defender XDR, and SentinelOne. 
The detection logic focuses on identifying registry value data that resembles an encoded executable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., through compromised credentials or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker encodes a malicious executable, for example with \u003ccode\u003ecertutil -encode\u003c/code\u003e or a custom encoding script.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a registry value from a command-line tool such as cmd.exe or PowerShell, using \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell\u0026rsquo;s \u003ccode\u003eSet-ItemProperty\u003c/code\u003e cmdlet.\u003c/li\u003e\n\u003cli\u003eThe encoded executable is written as the value\u0026rsquo;s data. For a Base64-encoded PE the data typically starts with \u0026ldquo;TVqQAAMAAAAEAAAA\u0026rdquo;, which is the Base64 encoding of the standard DOS header bytes \u003ccode\u003e4D 5A 90 00 03 00 00 00 04 00 00 00\u003c/code\u003e (the \u0026ldquo;MZ\u0026rdquo; magic followed by the usual linker stub fields). A PE with a non-standard DOS stub, or one stored in hex or another encoding, will not match this prefix, so the fixed-string check is a high-confidence but incomplete indicator; decoding the data and checking for the MZ magic and the PE signature is the more general test.\u003c/li\u003e\n\u003cli\u003eA later script or command reads the value back and decodes it.\u003c/li\u003e\n\u003cli\u003eThe decoded executable is loaded in memory or written to disk for execution.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as establishing persistence, escalating privileges, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to evade traditional disk-based security measures, enabling them to execute malicious code undetected. Attackers can use this technique to establish persistence, escalate privileges, or deploy malware, including ransomware. 
The rule helps defenders identify systems where this defense evasion technique is being employed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect encoded executables stored in the registry.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to provide the necessary data for the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rules to determine if the registry modification is malicious.\u003c/li\u003e\n\u003cli\u003eUse endpoint detection and response (EDR) tools to further analyze suspicious processes associated with the registry modifications.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to prevent the execution of unauthorized executables, even if they are decoded from the registry.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-encoded-executable-registry/","summary":"This rule detects registry write modifications hiding encoded portable executables, indicative of adversary defense evasion by avoiding storing malicious content directly on disk.","title":"Encoded Executable Stored in the Registry","url":"https://feed.craftedsignal.io/briefs/2024-01-encoded-executable-registry/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","windows","registry"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eLocal Security Authority (LSA) protection is a security feature in Windows that prevents unauthorized processes from accessing sensitive information stored in LSASS memory. This protection is enabled through the RunAsPPL registry key. 
Adversaries may disable LSA protection by changing or deleting this registry value so that credentials held in LSASS become easier to read. The technique is typically one step in a broader intrusion that escalates privileges and moves laterally across a network. The rule detects modifications to the \u003ccode\u003eRunAsPPL\u003c/code\u003e value that weaken LSA protection. It monitors changes to the registry path \u003ccode\u003e*\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\RunAsPPL\u003c/code\u003e and alerts when the written data does not contain one of the values that enable protected LSASS modes (\u0026ldquo;1\u0026rdquo;, \u0026ldquo;0x00000001\u0026rdquo;, \u0026ldquo;2\u0026rdquo;, \u0026ldquo;0x00000002\u0026rdquo;). Deleting the value outright also turns protection off at the next boot but produces a value-deletion event rather than a value-set event, so that event type needs separate coverage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to an administrator account, if necessary, to gain the required permissions to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eRunAsPPL\u003c/code\u003e value under \u003ccode\u003eHKLM\\System\\CurrentControlSet\\Control\\Lsa\u003c/code\u003e (or the equivalent path under \u003ccode\u003eControlSet00x\u003c/code\u003e) to a value that disables LSA protection (e.g., 0), or deletes it. This is often achieved using tools like \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell.\u003c/li\u003e\n\u003cli\u003eThe change only takes effect when LSASS is next started, so the attacker forces or waits for a reboot. Where LSA protection was enabled with the UEFI lock, the registry change alone is ignored and the attacker would additionally need to clear the UEFI variable with Microsoft\u0026rsquo;s LSA protection opt-out tool.\u003c/li\u003e\n\u003cli\u003eAfter the system reboots, LSASS starts without Protected Process Light (PPL) protection, allowing the attacker to access its memory.\u003c/li\u003e\n\u003cli\u003eThe attacker uses credential dumping tools like \u003ccode\u003eMimikatz\u003c/code\u003e to extract credentials from the unprotected LSASS process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to move laterally to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of LSA protection allows attackers to easily extract credentials from LSASS memory. This can lead to widespread compromise of user and service accounts, enabling lateral movement and privilege escalation within the network. 
The impact could range from data breaches and financial loss to complete system compromise and disruption of critical services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon registry event logging to detect changes to the \u003ccode\u003eRunAsPPL\u003c/code\u003e registry key (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Disabling Lsa Protection via Registry Modification\u0026rdquo; to your SIEM to detect malicious modifications to the \u003ccode\u003eRunAsPPL\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the process making the change, the user account, and any associated processes (see the \u0026ldquo;investigation_fields\u0026rdquo; in the source).\u003c/li\u003e\n\u003cli\u003eMonitor for unusual process activity after registry modifications, such as the execution of credential dumping tools (e.g., Mimikatz).\u003c/li\u003e\n\u003cli\u003eRegularly review and enforce the principle of least privilege to minimize the number of accounts with permissions to modify sensitive registry keys.\u003c/li\u003e\n\u003cli\u003eUse host isolation when unauthorized LSA-protection weakening is detected and confirmed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-lsass-ppl-disable/","summary":"Adversaries may modify the RunAsPPL registry key to disable LSA protection, which prevents nonprotected processes from reading memory and injecting code, potentially leading to credential access.","title":"Disabling LSA Protection via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-lsass-ppl-disable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Sysmon","Elastic Endgame","Elastic Defend","SentinelOne Cloud 
Funnel","Crowdstrike"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","command-line","unicode","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers are increasingly employing Unicode modifier letters to obfuscate command-line arguments, thereby bypassing traditional string-based detection mechanisms. Modifier letters (Unicode general category Lm, for example U+02B0 MODIFIER LETTER SMALL H or U+1D56 MODIFIER LETTER SMALL P) are superscript-style forms of ordinary letters: a reader sees something close to \u0026ldquo;powershell\u0026rdquo;, but the bytes never contain the ASCII string, so a rule that matches the literal utility name or switch does not fire. The obfuscation targets common Windows utilities such as \u003ccode\u003ereg.exe\u003c/code\u003e, \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003ePowerShell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, and others frequently abused in post-exploitation scenarios. Defenders need detection that does not depend on exact ASCII matching: either normalize command lines with Unicode compatibility normalization (NFKC), which folds most modifier letters back to their base letters, or flag any command line containing modifier-letter code points at all, since legitimate administrative command lines essentially never contain them. 
This technique has become more prevalent in the last year as attackers seek to evade common detection strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eExecution: The attacker executes a command-line utility like \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e to perform malicious actions.\u003c/li\u003e\n\u003cli\u003eObfuscation: The command-line arguments are obfuscated by replacing ASCII characters with Unicode modifier letters.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The obfuscation allows the attacker to evade simple string-based detections that would normally flag the command as malicious.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker may use the obfuscated command to escalate privileges or gain access to sensitive resources.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker may establish persistence by creating a scheduled task or modifying the registry using obfuscated commands.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker may use the obfuscated command to move laterally to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful command obfuscation can lead to a significant compromise of Windows systems. Attackers can bypass security controls and execute malicious code undetected, potentially leading to data theft, system disruption, or ransomware deployment. 
The obfuscation makes it harder for security teams to identify and respond to attacks, increasing the dwell time and potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule for this brief to detect the presence of Unicode modifier letters in command lines.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) so that full command-line arguments are available for analysis, and confirm that the log pipeline preserves non-ASCII characters end to end: a collector that drops or replaces them hides the very evidence the rule keys on.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule and analyze the raw command lines to identify the true intent of the command.\u003c/li\u003e\n\u003cli\u003eNormalize command lines with Unicode compatibility normalization (NFKC), which folds most modifier letters to their ASCII base letters, before running string-based detections; keep the raw command line alongside the normalized form so that the obfuscation itself can still be flagged.\u003c/li\u003e\n\u003cli\u003eMonitor the listed processes (\u003ccode\u003ereg.exe\u003c/code\u003e, \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, etc.) 
more closely for suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-unicode-cmd-obfuscation/","summary":"Adversaries use Unicode modifier letters to obfuscate command-line arguments, evading string-based detections on common Windows utilities like PowerShell and cmd.exe.","title":"Command Obfuscation via Unicode Modifier Letters","url":"https://feed.craftedsignal.io/briefs/2024-01-unicode-cmd-obfuscation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","proxy-execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection rule identifies unusual instances of Control Panel being executed with suspicious keywords or paths in the process command line. Control Panel (control.exe) is a legitimate Windows utility, but adversaries may abuse it to proxy execution of malicious code, effectively bypassing defense mechanisms. This technique involves launching control.exe with command-line arguments that point to malicious payloads or unusual file types, such as image files or INF files, or paths containing traversal sequences. 
The rule is designed to trigger when control.exe is launched with suspicious arguments like image files, INF files, paths containing traversal sequences, or paths in user-writable locations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn adversary gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe adversary stages a malicious payload on the system in a user-writable location such as \u003ccode\u003eAppData\\Local\u003c/code\u003e or \u003ccode\u003eUsers\\Public\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe adversary crafts a command line that uses \u003ccode\u003econtrol.exe\u003c/code\u003e to execute the malicious payload. The command line includes a suspicious path, such as \u003ccode\u003econtrol.exe evil.jpg\u003c/code\u003e or \u003ccode\u003econtrol.exe ..\\..\\..\\evil.dll\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003econtrol.exe\u003c/code\u003e process is executed with the malicious command line.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003econtrol.exe\u003c/code\u003e treats the argument as a Control Panel item (a \u003ccode\u003e.cpl\u003c/code\u003e file, which is a DLL exporting \u003ccode\u003eCPlApplet\u003c/code\u003e) and hands it to \u003ccode\u003erundll32.exe\u003c/code\u003e via \u003ccode\u003eshell32.dll,Control_RunDLL\u003c/code\u003e. The extension is not checked, which is why a DLL renamed to \u003ccode\u003e.jpg\u003c/code\u003e or \u003ccode\u003e.inf\u003c/code\u003e still loads.\u003c/li\u003e\n\u003cli\u003eThe file is loaded as a DLL and its entry point runs inside the \u003ccode\u003erundll32.exe\u003c/code\u003e child of \u003ccode\u003econtrol.exe\u003c/code\u003e, so the malicious code executes under two signed Microsoft binaries.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs its intended actions (e.g., downloading additional payloads, establishing persistence, or exfiltrating data).\u003c/li\u003e\n\u003cli\u003eThe adversary achieves their objective, such as data theft or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing adversaries to install malware, steal sensitive data, or compromise the entire system. This can result in significant financial loss, reputational damage, and disruption of business operations. 
Because Control Panel is a signed Microsoft binary, abusing it can bypass application control policies that trust signed system executables but do not constrain the DLLs they load.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Control Panel Process with Unusual Arguments\u0026rdquo; to your SIEM to detect suspicious \u003ccode\u003econtrol.exe\u003c/code\u003e command lines.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the command-line arguments of \u003ccode\u003econtrol.exe\u003c/code\u003e and its children.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for \u003ccode\u003econtrol.exe\u003c/code\u003e launching \u003ccode\u003erundll32.exe\u003c/code\u003e with a \u003ccode\u003eControl_RunDLL\u003c/code\u003e argument that points to a file outside the Windows directory or inside a user-writable location, and for any further child processes of that \u003ccode\u003erundll32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent process, the command-line arguments, the file actually loaded (its hash and whether it is a PE despite its extension), and any subsequent network connections.\u003c/li\u003e\n\u003cli\u003eImplement application control policies (for example WDAC or AppLocker DLL rules) that block unsigned DLLs from loading out of user-writable locations; this stops the payload even though \u003ccode\u003econtrol.exe\u003c/code\u003e and \u003ccode\u003erundll32.exe\u003c/code\u003e themselves are signed and allowed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:00:00Z","date_published":"2024-01-02T15:00:00Z","id":"/briefs/2024-01-control-panel-abuse/","summary":"Adversaries may abuse control.exe to proxy execution of malicious code by using the Control Panel process to execute payloads from unusual locations, detected by identifying suspicious keywords or paths in the process command line.","title":"Control Panel Process with Unusual Arguments","url":"https://feed.craftedsignal.io/briefs/2024-01-control-panel-abuse/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud 
Funnel","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","compile-after-delivery","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers sometimes deliver malicious code in a non-executable format to bypass initial security checks. They then use legitimate .NET compilers like \u003ccode\u003ecsc.exe\u003c/code\u003e (C#) and \u003ccode\u003evbc.exe\u003c/code\u003e (VB.NET) to compile the code into an executable on the victim machine. This technique, known as \u0026ldquo;Compile After Delivery\u0026rdquo;, helps them evade traditional signature-based detections. This activity is often launched from scripting engines or system utilities, such as \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003ecmstp.exe\u003c/code\u003e, \u003ccode\u003eregsvr32.exe\u003c/code\u003e and others. The rule detects these unusual parent-child process relationships, providing an alert for potential post-delivery code compilation activity, and applies to Windows environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access via an unspecified method.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers obfuscated or encoded .NET source code to the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a scripting engine (e.g., \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e) or system utility (e.g., \u003ccode\u003ewmic.exe\u003c/code\u003e, \u003ccode\u003eregsvr32.exe\u003c/code\u003e, \u003ccode\u003ecmstp.exe\u003c/code\u003e) to execute a .NET compiler (\u003ccode\u003ecsc.exe\u003c/code\u003e or \u003ccode\u003evbc.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe scripting engine or system utility passes the delivered .NET source 
code as an argument to the compiler.\u003c/li\u003e\n\u003cli\u003eThe .NET compiler compiles the source code into a binary executable.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the compiled binary.\u003c/li\u003e\n\u003cli\u003eThe compiled binary performs malicious actions, such as establishing persistence, lateral movement, or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on the target system, bypassing security measures that rely on pre-execution scanning. This can lead to a range of malicious activities, including data theft, system compromise, and deployment of ransomware. Detecting and preventing this technique is crucial for maintaining the integrity and confidentiality of systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging via Windows Security Event Logs or Sysmon (Event ID 1) to capture process execution data needed for the detection rule.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious .NET Code Compilation\u0026rdquo; to your SIEM to detect instances of .NET compilers being executed by unusual parent processes.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized execution of compilers and scripting engines by non-standard parent processes, as described in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for the parent processes listed in the Sigma rule\u0026rsquo;s detection criteria (e.g., \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003ecmstp.exe\u003c/code\u003e, \u003ccode\u003eregsvr32.exe\u003c/code\u003e) for unusual command-line 
arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-suspicious-dotnet-compilation/","summary":"Adversaries may use unusual parent processes to execute .NET compilers for compiling malicious code after delivery, evading security mechanisms, and this activity is detected by monitoring compiler executions initiated by scripting engines or system utilities.","title":"Suspicious .NET Code Compilation via Unusual Parent Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-02-suspicious-dotnet-compilation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Firewall","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","lateral-movement","windows","netsh","rdp"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers can leverage the native Windows command-line tool \u003ccode\u003enetsh.exe\u003c/code\u003e to modify Windows Firewall rules and enable inbound Remote Desktop Protocol (RDP) connections. This can be used as a defense evasion technique to bypass existing firewall restrictions, allowing them to establish remote access to a compromised host. Ransomware operators and other malicious actors frequently utilize RDP to access victim servers, often using privileged accounts, to further their objectives. This activity can be conducted post-compromise to facilitate lateral movement and the deployment of malicious payloads. 
The rule consumes process creation data from Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and CrowdStrike.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a Windows host through initial access methods (e.g., phishing, exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the system and escalates to local administrator, which is required to change firewall rules.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e in the \u003ccode\u003eadvfirewall firewall\u003c/code\u003e context to modify the Windows Firewall configuration.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enetsh\u003c/code\u003e command either enables the built-in \u0026ldquo;Remote Desktop\u0026rdquo; rule group or adds a new inbound allow rule for TCP port 3389. The firewall change alone does not yield a session: Remote Desktop must also be enabled on the host (the \u003ccode\u003efDenyTSConnections\u003c/code\u003e value under \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\u003c/code\u003e set to 0), so a change to that value around the same time is strong corroboration.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes an RDP connection to the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RDP session to perform reconnaissance, move laterally, or deploy malware.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to disable or modify security tools to further evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can lead to unauthorized remote access to systems, enabling lateral movement, data theft, and ransomware deployment. If RDP is enabled on a large number of systems, the attacker can move laterally through the environment. The impact can range from data breaches to complete operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Remote Desktop Enabled in Windows Firewall by Netsh\u0026rdquo; to your SIEM to alert on \u003ccode\u003enetsh.exe\u003c/code\u003e process creation events whose arguments enable inbound RDP, whether by enabling the Remote Desktop rule group or by adding an inbound allow rule for port 3389.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) or Windows Security auditing of process creation with command-line arguments (Event ID 4688), since the rule depends on the full \u003ccode\u003enetsh\u003c/code\u003e command line.\u003c/li\u003e\n\u003cli\u003eCorrelate with firewall rule-change events, which record the change regardless of the tool used: the Windows Firewall With Advanced Security operational log (Event ID 2004 for a rule added, 2005 for a rule modified), or Security log Event IDs 4946 and 4947 when MPSSVC rule-level policy change auditing is enabled. Also watch for \u003ccode\u003efDenyTSConnections\u003c/code\u003e being set to 0 and for inbound RDP logons (Event ID 4624, logon type 10) on hosts that do not normally accept RDP.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege: firewall changes require local administrator rights, so limiting who holds them limits who can use \u003ccode\u003enetsh.exe\u003c/code\u003e to this effect.\u003c/li\u003e\n\u003cli\u003eReview existing firewall rules and remove any unnecessary or overly permissive rules, and manage RDP exposure centrally through Group Policy so that a local \u003ccode\u003enetsh\u003c/code\u003e change stands out as a deviation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-netsh-rdp-enable/","summary":"Adversaries may use the `netsh.exe` utility to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall, potentially allowing unauthorized remote access to compromised systems.","title":"Netsh Used to Enable Remote Desktop Protocol (RDP) in Windows Firewall","url":"https://feed.craftedsignal.io/briefs/2024-01-netsh-rdp-enable/"}],"language":"en","title":"CraftedSignal Threat Feed — Crowdstrike","version":"https://jsonfeed.org/version/1.1"}
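Worked example, added by the editor after the feed items above and not part of the CraftedSignal feed or any vendor's rule set. It covers the four process-creation briefs ("MSBuild Started by System Process", "Suspicious .NET Code Compilation via Unusual Parent Processes", "Control Panel Process with Unusual Arguments" and "Netsh Used to Enable Remote Desktop Protocol (RDP) in Windows Firewall") by running parent/child and command-line checks over a handful of constructed process events. The event fields, rule names, regular expressions and sample paths are the editor's assumptions, chosen to mirror Sysmon Event ID 1 style data, not the published rule logic.

```python
"""Process-creation checks for four briefs above (MSBuild started by a system
process, .NET compiler with an unusual parent, control.exe with unusual
arguments, netsh enabling RDP). Editor-added example: not the feed's or any
vendor's rule logic. Event fields and sample events are constructed here."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# A token is a run of non-space text in which "quoted spans" stay attached,
# so group="remote desktop" is one token. Quotes are then dropped.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def _args(cmdline: str) -> list[str]:
    return [m.group(0).replace('"', '').lower() for m in _TOKEN.finditer(cmdline)]


def rule_msbuild_system_parent(e: ProcEvent) -> bool:
    """MSBuild launched by explorer.exe (double-click) or wmiprvse.exe (WMI)."""
    return _name(e.image) == "msbuild.exe" and _name(e.parent_image) in {
        "explorer.exe", "wmiprvse.exe"}


def rule_dotnet_compile_after_delivery(e: ProcEvent) -> bool:
    """csc.exe/vbc.exe spawned by a scripting engine or LOLBin, not a build tool."""
    return _name(e.image) in {"csc.exe", "vbc.exe"} and _name(e.parent_image) in {
        "wscript.exe", "cscript.exe", "mshta.exe", "wmic.exe", "regsvr32.exe", "cmstp.exe"}


# Non-.cpl extensions, directory traversal, or user-writable staging directories.
_CONTROL_SUSPICIOUS = re.compile(
    r"\.(?:jpe?g|png|gif|bmp|tiff?|inf)\b|\.\.\\|\\appdata\\local\\|\\users\\public\\|\\temp\\",
    re.IGNORECASE)


def rule_control_panel_unusual_args(e: ProcEvent) -> bool:
    return _name(e.image) == "control.exe" and bool(_CONTROL_SUSPICIOUS.search(e.command_line))


def rule_netsh_enable_rdp(e: ProcEvent) -> bool:
    """netsh advfirewall enabling the Remote Desktop group, or adding an
    inbound allow rule for TCP/3389."""
    if _name(e.image) != "netsh.exe":
        return False
    a = _args(e.command_line)
    if "advfirewall" not in a or "firewall" not in a:
        return False
    enables_group = ("set" in a and "rule" in a and "enable=yes" in a
                     and any(t.startswith("group=") and "remote desktop" in t for t in a))
    adds_3389 = ("add" in a and "rule" in a and "dir=in" in a
                 and "action=allow" in a and "localport=3389" in a)
    return enables_group or adds_3389


RULES = {
    "msbuild_system_parent": rule_msbuild_system_parent,
    "dotnet_compile_after_delivery": rule_dotnet_compile_after_delivery,
    "control_panel_unusual_args": rule_control_panel_unusual_args,
    "netsh_enable_rdp": rule_netsh_enable_rdp,
}


def evaluate_process_events(events):
    """[(event index, rule name)] for every rule that fires."""
    return [(i, name) for i, e in enumerate(events) for name, rule in RULES.items() if rule(e)]


# Constructed sample events, not real telemetry. Paths are typical defaults.
NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
SYS = r"C:\Windows\System32"
PROCESS_SAMPLES = [
    ProcEvent(NET + r"\MSBuild.exe", r"C:\Windows\explorer.exe",
              r'"MSBuild.exe" C:\Users\bob\Downloads\invoice.proj'),
    ProcEvent(NET + r"\MSBuild.exe", r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
              r'"MSBuild.exe" /t:Build App.sln'),                        # legitimate IDE build
    ProcEvent(NET + r"\csc.exe", SYS + r"\wscript.exe",
              r'"csc.exe" /out:C:\Users\Public\a.exe C:\Users\Public\a.cs'),
    ProcEvent(SYS + r"\control.exe", SYS + r"\cmd.exe",
              r"control.exe C:\Users\bob\AppData\Local\Temp\evil.jpg"),
    ProcEvent(SYS + r"\control.exe", r"C:\Windows\explorer.exe",
              r"control.exe C:\Windows\System32\timedate.cpl"),           # legitimate applet
    ProcEvent(SYS + r"\netsh.exe", SYS + r"\cmd.exe",
              'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'),
    ProcEvent(SYS + r"\netsh.exe", SYS + r"\cmd.exe",
              'netsh advfirewall firewall add rule name="rdp" dir=in action=allow protocol=TCP localport=3389'),
    ProcEvent(SYS + r"\netsh.exe", SYS + r"\cmd.exe", "netsh advfirewall show allprofiles"),
]

if __name__ == "__main__":
    for i, name in evaluate_process_events(PROCESS_SAMPLES):
        print(f"event {i}: {name}")
```

The two negative samples (an MSBuild run whose parent is devenv.exe, and control.exe opening timedate.cpl from System32) are there to show where the parent/child and path checks stay quiet; a real deployment would extend the allowlists from the environment's own build and administrative baselines.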
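Second worked example, added by the editor and not part of the feed or of any vendor's rule, for the two registry briefs above ("Encoded Executable Stored in the Registry" and "Disabling LSA Protection via Registry Modification"). It goes a step beyond the fixed "TVqQAAMAAAAEAAAA" prefix by decoding Base64 and hex value data and checking for the MZ magic and PE signature, and it covers deletion of RunAsPPL as well as writes of a non-protecting value. The record shape imitates Sysmon registry events (EventType, TargetObject, Details) but every record, including the PE-shaped byte blob, is constructed for the example.

```python
"""Registry-value checks for two briefs above: an encoded PE stored in the
registry, and RunAsPPL weakened or removed. Editor-added example, not the
feed's or any vendor's rule. Fields mirror Sysmon registry events
(EventType, TargetObject, Details) but every record is constructed."""
import base64
import binascii
import re
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class RegEvent:
    event_type: str      # "SetValue" (Sysmon Event 13) or "DeleteValue" (Event 12)
    target_object: str   # full path of the value
    details: str         # value data as Sysmon renders it, e.g. "DWORD (0x00000001)"


_B64_MZ_PREFIX = "TVqQAAMAAAAEAAAA"   # Base64 of 4D 5A 90 00 03 00 00 00 04 00 00 00
_B64_RE = re.compile(r"^[A-Za-z0-9+/=\r\n]{64,}$")
_HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[ ,]?){64,}$")


def _looks_like_pe(blob: bytes) -> bool:
    """MZ magic plus the PE\\0\\0 signature at e_lfanew. Stronger than the
    Base64 prefix alone, whose bytes after MZ depend on the linker's DOS stub."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def rule_encoded_pe_in_registry(e: RegEvent) -> Optional[str]:
    """How the PE was recognised ('prefix', 'base64' or 'hex'), or None."""
    if e.event_type != "SetValue":
        return None
    data = e.details.strip()
    if data.startswith(_B64_MZ_PREFIX):
        return "prefix"                      # the fixed string the brief cites
    if _B64_RE.match(data):
        try:
            if _looks_like_pe(base64.b64decode(data)):
                return "base64"              # non-standard DOS stub: prefix check misses it
        except binascii.Error:
            pass
    if _HEX_RE.match(data) and _looks_like_pe(bytes.fromhex(re.sub(r"[ ,]", "", data))):
        return "hex"
    return None


_RUNASPPL = re.compile(r"\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Control\\Lsa\\RunAsPPL$",
                       re.IGNORECASE)
_PROTECTED = {"1", "0x00000001", "2", "0x00000002"}


def rule_lsa_ppl_weakened(e: RegEvent) -> bool:
    """A RunAsPPL write whose data is not a protecting value, or deletion of
    the value, which a write-only check never sees."""
    if not _RUNASPPL.search(e.target_object):
        return False
    if e.event_type == "DeleteValue":
        return True
    m = re.search(r"DWORD \((0x[0-9A-Fa-f]{8})\)|^(\d+)$", e.details.strip())
    value = (m.group(1) or m.group(2)).lower() if m else e.details.strip()
    return value not in _PROTECTED


def evaluate_registry_events(events):
    """[(index, rule, detail)] for every hit."""
    hits = []
    for i, e in enumerate(events):
        how = rule_encoded_pe_in_registry(e)
        if how:
            hits.append((i, "encoded_pe_in_registry", how))
        if rule_lsa_ppl_weakened(e):
            hits.append((i, "lsa_ppl_weakened", e.details or "deleted"))
    return hits


def _pe_blob(standard_stub: bool) -> bytes:
    """Constructed PE-shaped bytes: DOS header, e_lfanew = 0x40, PE signature."""
    head = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00" if standard_stub else b"MZ" + b"\x00" * 10
    dos = head + b"\x00" * (0x3C - len(head)) + struct.pack("<I", 0x40)
    return dos + b"PE\x00\x00" + b"\x00" * 36


LSA = r"HKLM\System\CurrentControlSet\Control\Lsa\RunAsPPL"
REGISTRY_SAMPLES = [                                   # constructed, not real telemetry
    RegEvent("SetValue", r"HKLM\SOFTWARE\Stage\Blob", base64.b64encode(_pe_blob(True)).decode()),
    RegEvent("SetValue", r"HKU\S-1-5-21-1\SOFTWARE\Stage\Blob", base64.b64encode(_pe_blob(False)).decode()),
    RegEvent("SetValue", r"HKLM\SOFTWARE\Stage\Hex", _pe_blob(True).hex(" ")),
    RegEvent("SetValue", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater", r"C:\Program Files\Updater\up.exe"),
    RegEvent("SetValue", LSA, "DWORD (0x00000000)"),
    RegEvent("SetValue", r"HKLM\System\ControlSet001\Control\Lsa\RunAsPPL", "DWORD (0x00000001)"),
    RegEvent("DeleteValue", LSA, ""),
]

if __name__ == "__main__":
    for hit in evaluate_registry_events(REGISTRY_SAMPLES):
        print(hit)
```

The second sample is a PE whose DOS stub fields are zeroed, so its Base64 begins "TVoAAAAA" rather than the cited prefix; only the decode-and-check path catches it. The hex sample shows the same point for a different encoding, and the final RunAsPPL sample shows why the deletion event type has to be in scope.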
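Third worked example, added by the editor and not part of the feed or of any vendor's rule, for the brief "Command Obfuscation via Unicode Modifier Letters" above. It does the two things the brief's recommendations ask for: it flags command lines containing code points in Unicode general category Lm, and it produces the NFKC-normalized form that ordinary string-based rules can be matched against, while showing that other non-ASCII text (an umlaut in a user name) is not mistaken for the technique. The sample command lines and the watched-utility list are constructed assumptions.

```python
"""Unicode modifier-letter obfuscation: flag command lines that contain code
points in Unicode general category Lm (Letter, modifier) and produce the NFKC
form that string-based rules should be matched against. Editor-added example
for the brief above; the sample command lines are constructed."""
import unicodedata

# Utilities the brief names; matched against the normalized, lower-cased line.
WATCHED = ("powershell", "certutil", "reg.exe", "net.exe", "cmd.exe", "cmd ")


def modifier_letters(cmdline: str) -> list[tuple[int, str, str]]:
    """(offset, character, Unicode name) for every Lm code point."""
    return [(i, ch, unicodedata.name(ch, "?")) for i, ch in enumerate(cmdline)
            if unicodedata.category(ch) == "Lm"]


def normalize_cmdline(cmdline: str) -> str:
    """NFKC applies compatibility decompositions, so superscript-style modifier
    letters (and fullwidth letters) fold to their ASCII base letters."""
    return unicodedata.normalize("NFKC", cmdline)


def analyze(cmdline: str) -> dict:
    mods = modifier_letters(cmdline)
    folded = normalize_cmdline(cmdline).lower()
    return {
        "obfuscated": bool(mods),
        "modifier_count": len(mods),
        "normalized": folded,
        "matched_utility": next((w for w in WATCHED if w in folded), None),
        # Non-ASCII that survives NFKC is ordinary text (names, paths), not this trick.
        "residual_non_ascii": any(ord(c) > 127 for c in folded),
    }


# Constructed samples. The first spells "powershell" with U+1D56, U+1D52, U+02B7,
# U+1D49, U+02B3, U+02E2, U+02B0, U+1D49, U+02E1, U+02E1.
UNICODE_SAMPLES = [
    "\u1d56\u1d52\u02b7\u1d49\u02b3\u02e2\u02b0\u1d49\u02e1\u02e1 -nop -w hidden -c whoami",
    "certutil -urlcache -f http://example.test/x.txt x.txt",
    "cmd /c echo M\u00fcller",          # legitimate non-ASCII, category Ll
]

if __name__ == "__main__":
    for line in UNICODE_SAMPLES:
        r = analyze(line)
        print(f"{r['obfuscated']!s:5} {r['modifier_count']:2} {r['matched_utility']!s:10} {r['normalized']}")
```

Run the detection on the raw line and the content rules on the normalized one: the raw line carries the evidence of obfuscation, the normalized line is what the existing "powershell -nop -w hidden" style patterns need to see.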