https://feed.craftedsignal.io/products/edge/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 01 May 2026 02:21:40 +0000https://feed.craftedsignal.io/briefs/2026-05-chromium-use-after-free/Fri, 01 May 2026 02:21:40 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-chromium-use-after-free/A use-after-free vulnerability in the ANGLE graphics engine within Chromium (CVE-2026-7359) allows for potential exploitation in Google Chrome and Microsoft Edge.CVE-2026-7359 describes a use-after-free vulnerability present in ANGLE (Almost Native Graphics Layer Engine), a crucial component of the Chromium open-source project. This vulnerability impacts applications that utilize the Chromium engine, most notably Google Chrome and Microsoft Edge. While the provided source does not give specific exploitation details, use-after-free vulnerabilities can allow for arbitrary code execution. Google Chrome has already addressed this vulnerability, and Microsoft Edge has incorporated the fix from Chromium. This vulnerability matters to defenders because successful exploitation could lead to compromise of the browser and potentially the underlying system.

Attack Chain

1. An attacker crafts a malicious web page containing JavaScript code that leverages a flaw in ANGLE’s memory management.
2. A user visits the malicious web page through Chrome or Edge.
3. The JavaScript code triggers the use-after-free vulnerability by freeing a memory object in ANGLE and then attempting to access it again.
4. This memory corruption leads to a controlled crash or allows the attacker to overwrite memory with arbitrary data.
5. The attacker leverages the memory overwrite to inject malicious code into the browser process.
6. The injected code executes within the context of the browser, granting the attacker access to user data, cookies, and other sensitive information.
7. The attacker may then use this access to perform actions on behalf of the user, such as stealing credentials, installing malware, or spreading the attack to other systems.
8. The attacker achieves arbitrary code execution on the user’s system, potentially leading to full system compromise.

Impact

A successful exploit of CVE-2026-7359 could allow an attacker to execute arbitrary code within the context of the affected browser (Chrome or Edge). This can lead to sensitive information disclosure, data theft, and potentially full system compromise. The scope of impact is broad, affecting any user who visits a malicious webpage while using a vulnerable version of Chrome or Edge. Since Chrome and Edge are widely used, this vulnerability poses a significant risk.

Recommendation

• Deploy the Sigma rule Detect Suspicious WebGL Usage to identify potential exploitation attempts targeting ANGLE via WebGL.
• Monitor web server logs for suspicious requests (cs-uri-query) that may be related to the exploitation of CVE-2026-7359.
• Ensure that all Chrome and Edge installations are updated to the latest versions to patch CVE-2026-7359.

]]>highadvisoryuse-after-freechromiumedgechromecve-2026-7359https://feed.craftedsignal.io/briefs/2026-05-chromium-webrtc-overflow/Fri, 01 May 2026 02:21:27 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-chromium-webrtc-overflow/A heap buffer overflow vulnerability exists in the WebRTC component of Google Chrome and Microsoft Edge (Chromium-based), potentially leading to code execution.CVE-2026-7339 is a critical heap buffer overflow vulnerability affecting the WebRTC (Web Real-Time Communication) component in Google Chrome and Microsoft Edge (Chromium-based). This vulnerability stems from improper memory management within WebRTC, potentially allowing a remote attacker to execute arbitrary code by crafting malicious web content. As Microsoft Edge ingests Chromium, it is also vulnerable. Users of Chrome and Edge are affected. Defenders should apply available patches promptly to mitigate potential exploitation.

Attack Chain

1. An attacker crafts a malicious website designed to trigger the WebRTC vulnerability.
2. The victim visits the malicious website using a vulnerable version of Chrome or Edge.
3. The website uses JavaScript to initiate a WebRTC session.
4. The crafted WebRTC data triggers a heap buffer overflow during memory allocation within the WebRTC component.
5. The overflow overwrites adjacent memory regions on the heap.
6. The attacker carefully crafts the overflow data to overwrite critical program data or function pointers.
7. The corrupted data leads to arbitrary code execution within the context of the browser process.
8. The attacker gains control of the user’s browser and potentially the underlying system.

Impact

Successful exploitation of CVE-2026-7339 can lead to arbitrary code execution, allowing an attacker to potentially install malware, steal sensitive information, or take control of the affected system. Given the widespread use of Chrome and Edge, this vulnerability could impact a large number of users across various sectors, including individuals, businesses, and government organizations.

Recommendation

• Apply the latest security updates for Google Chrome and Microsoft Edge (Chromium-based) to patch CVE-2026-7339.
• Deploy the Sigma rule “Detect WebRTC Heap Overflow Attempt” to identify potential exploitation attempts targeting CVE-2026-7339.
• Monitor web server logs for unusual requests or patterns associated with WebRTC usage that could indicate exploitation attempts.

]]>criticaladvisorywebrtcheap-overflowcode-executioncve-2026-7339https://feed.craftedsignal.io/briefs/2026-05-chromium-uaf/Fri, 01 May 2026 02:21:27 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-chromium-uaf/CVE-2026-7355 is a use-after-free vulnerability in the Media component of Chromium, affecting Google Chrome and Microsoft Edge, potentially allowing for arbitrary code execution.CVE-2026-7355 is a critical use-after-free vulnerability residing in the Media component of the Chromium browser engine. This vulnerability affects Google Chrome and Microsoft Edge, as Edge incorporates Chromium. A use-after-free vulnerability occurs when an application attempts to use memory after it has been freed, which can lead to crashes, arbitrary code execution, or other unexpected behavior. Successful exploitation could allow an attacker to execute arbitrary code within the context of the browser. This vulnerability was reported and patched by the Chromium project.

Attack Chain

1. An attacker crafts a malicious webpage containing specially crafted media content.
2. A user opens the malicious webpage in a vulnerable version of Chrome or Edge.
3. The browser attempts to process the malicious media content, triggering the use-after-free vulnerability in the Media component.
4. The vulnerable code attempts to access a freed memory region.
5. The attacker gains control of the memory region due to the use-after-free condition.
6. The attacker injects malicious code into the controlled memory region.
7. The browser executes the attacker-controlled code.
8. The attacker achieves arbitrary code execution within the context of the browser process, potentially leading to system compromise.

Impact

Successful exploitation of CVE-2026-7355 can lead to arbitrary code execution within the context of the browser process. An attacker could potentially gain control of the user’s system, steal sensitive information, or install malware. Given the widespread use of Chrome and Edge, a successful exploit could impact a large number of users across various sectors.

Recommendation

• Apply the latest security updates for Google Chrome and Microsoft Edge to patch CVE-2026-7355.
• Deploy the Sigma rule “Detect Chromium Use-After-Free in Media Component” to identify potential exploitation attempts.
• Enable process creation logging to capture events related to potential exploitation attempts, facilitating detection rule functionality.

]]>highadvisoryuse-after-freechromiumcve-2026-7355browserhttps://feed.craftedsignal.io/briefs/2024-01-chromium-use-after-free/Fri, 01 May 2026 02:21:27 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-chromium-use-after-free/CVE-2026-7357 is a use-after-free vulnerability in the GPU component of Chromium that also affects Microsoft Edge, potentially leading to arbitrary code execution.CVE-2026-7357 is a critical use-after-free vulnerability residing within the GPU component of the Chromium rendering engine. This flaw directly impacts Google Chrome and, due to Microsoft Edge’s reliance on Chromium, also affects Edge users. A remote attacker could potentially exploit this vulnerability to execute arbitrary code on a targeted system. The vulnerability stems from improper memory management within the GPU processing routines. While the specific exploitation details are not provided in this brief, successful exploitation generally involves crafting malicious web content to trigger the vulnerability during GPU operations.

Attack Chain

1. Attacker crafts a malicious HTML page containing JavaScript that triggers specific GPU functions.
2. User visits the malicious website using Chrome or Edge.
3. The browser’s rendering engine processes the malicious JavaScript, leading to the allocation and subsequent freeing of a memory region in the GPU component.
4. The attacker’s JavaScript code then attempts to access the previously freed memory region, triggering the use-after-free vulnerability.
5. By manipulating the memory layout, the attacker can overwrite the freed memory with controlled data.
6. The overwritten memory is later accessed by the GPU, leading to the execution of attacker-controlled code.
7. The attacker gains arbitrary code execution within the context of the browser process.
8. The attacker leverages the code execution to escalate privileges or perform other malicious activities.

Impact

Successful exploitation of CVE-2026-7357 can lead to arbitrary code execution on the victim’s machine. The attacker could potentially install malware, steal sensitive data, or take control of the affected system. Given the widespread use of Chrome and Edge, this vulnerability poses a significant risk to a large number of users.

Recommendation

• Apply the latest security updates for Google Chrome to address CVE-2026-7357.
• Apply the latest security updates for Microsoft Edge to address CVE-2026-7357.
• Deploy the Sigma rule “Detect Suspicious WebAssembly Execution” to identify potential exploitation attempts involving WebAssembly.

]]>criticaladvisoryuse-after-freechromiumedgechromehttps://feed.craftedsignal.io/briefs/2024-01-03-chromium-use-after-free/Fri, 01 May 2026 02:21:27 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-chromium-use-after-free/CVE-2026-7333 is a use-after-free vulnerability in the GPU component of Chromium, affecting Google Chrome and Microsoft Edge, potentially leading to arbitrary code execution.CVE-2026-7333 is a critical use-after-free vulnerability residing in the GPU component of the Chromium browser engine. This flaw allows an attacker to potentially corrupt memory and execute arbitrary code in the context of the browser process. As Microsoft Edge is built upon the Chromium engine, it is also susceptible to this vulnerability. Public details are limited, but exploitation likely involves crafting malicious web content that triggers the use-after-free condition within the GPU processing routines. This vulnerability poses a significant threat as it could allow attackers to compromise user systems simply by visiting a malicious website.

Attack Chain

1. Attacker crafts a malicious HTML page containing JavaScript that interacts with the GPU functionality of the browser.
2. The user visits the malicious page via a phishing email or drive-by download.
3. The JavaScript code triggers the use-after-free vulnerability in the Chromium GPU component.
4. The vulnerability allows the attacker to corrupt memory allocated for GPU processing.
5. The attacker manipulates memory to gain control of program execution.
6. The attacker injects malicious code into the browser process.
7. The injected code executes with the privileges of the browser process, allowing the attacker to perform actions such as stealing cookies, credentials, or installing malware.
8. The attacker gains persistent access to the compromised system and exfiltrates sensitive data.

Impact

A successful exploitation of CVE-2026-7333 could allow an attacker to execute arbitrary code on a user’s system. This could lead to the theft of sensitive information, installation of malware, or complete system compromise. Given the widespread use of Chromium-based browsers such as Chrome and Edge, this vulnerability has the potential to affect millions of users. The impact is considered critical due to the ease of exploitation and the potential for widespread damage.

Recommendation

• Apply the latest security updates for Google Chrome and Microsoft Edge to patch CVE-2026-7333.
• Deploy the Sigma rule “Detect Suspicious GPU Process Creation” to identify potential exploitation attempts.
• Enable process creation logging with command-line arguments to detect suspicious processes spawned by the browser (logsource: process_creation).

]]>criticalthreatuse-after-freechromiumgpucve-2026-7333remote code executionhttps://feed.craftedsignal.io/briefs/2024-01-chromium-cve-2026-7348/Fri, 01 May 2026 02:21:27 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-chromium-cve-2026-7348/CVE-2026-7348 is a use-after-free vulnerability in the Codecs component of Chromium, affecting Google Chrome and Microsoft Edge.CVE-2026-7348 is a critical use-after-free vulnerability residing within the Codecs component of the Chromium browser engine. This vulnerability affects applications that utilize the Chromium engine, most notably Google Chrome and Microsoft Edge. While the specific details of the vulnerability are documented in Google Chrome Releases, the underlying issue stems from improper memory management within the Codecs library. Successful exploitation could allow an attacker to execute arbitrary code within the context of the affected browser, potentially leading to data theft, system compromise, or other malicious activities. This vulnerability requires immediate attention from organizations utilizing Chrome or Edge.

Attack Chain

1. An attacker crafts a malicious web page containing specially crafted media content designed to trigger the use-after-free condition in the Codecs library.
2. The user visits the malicious web page using Google Chrome or Microsoft Edge.
3. The browser attempts to process the malicious media content, triggering the vulnerable code path within the Codecs library.
4. The use-after-free condition is triggered when the browser attempts to access memory that has already been freed.
5. The attacker leverages the use-after-free condition to corrupt memory and gain control of program execution.
6. The attacker injects and executes arbitrary code within the context of the browser process.
7. The attacker gains unauthorized access to sensitive data, such as cookies, credentials, or browsing history.
8. The attacker potentially escalates privileges or installs malware on the user’s system.

Impact

Successful exploitation of CVE-2026-7348 allows an attacker to execute arbitrary code within the context of the affected browser (Chrome or Edge). This can lead to sensitive information disclosure, such as credentials or browsing history. The attacker could potentially gain full control of the user’s system. Given the widespread use of Chromium-based browsers, a successful exploit could impact a significant number of users across various sectors.

Recommendation

• Upgrade Google Chrome to the latest version that addresses this vulnerability; refer to Google Chrome Releases.
• Ensure Microsoft Edge is updated to the latest version incorporating the Chromium security patch.
• Deploy the Sigma rule “Detect Chromium Codecs Use-After-Free Exploit Attempt” to identify potential exploitation attempts via webserver logs.
• Enable webserver logging to capture HTTP requests, which is required for the provided Sigma rule.

]]>criticaladvisoryuse-after-freevulnerabilitybrowserhttps://feed.craftedsignal.io/briefs/2024-01-chrome-cve-2026-7349/Fri, 01 May 2026 02:21:27 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-chrome-cve-2026-7349/CVE-2026-7349 is a use-after-free vulnerability in the Cast component of Chromium, affecting Google Chrome and Microsoft Edge.CVE-2026-7349 is a use-after-free vulnerability found in the Cast component of the Chromium browser engine. This vulnerability affects Google Chrome and, by extension, Microsoft Edge, as Edge is built upon Chromium. Use-after-free vulnerabilities can allow an attacker to execute arbitrary code or cause a denial-of-service. While the original report comes from Chrome, the nature of Chromium’s shared codebase means that other Chromium-based browsers are also vulnerable. Successful exploitation of this vulnerability could lead to code execution within the context of the browser process. Defenders need to prioritize patching and monitoring for unusual browser behavior.

Attack Chain

1. An attacker crafts a malicious webpage designed to trigger the use-after-free vulnerability in the Cast component.
2. The user visits the malicious webpage using a vulnerable version of Chrome or Edge.
3. The Cast component attempts to access a freed memory location.
4. The attacker exploits the use-after-free condition to corrupt memory.
5. The attacker overwrites a function pointer or other critical data structure in memory.
6. The attacker triggers the execution of the corrupted function pointer or data structure.
7. The attacker gains arbitrary code execution within the context of the browser process.
8. The attacker could potentially escalate privileges or perform other malicious activities, such as installing malware or stealing sensitive data.

Impact

Successful exploitation of CVE-2026-7349 could allow an attacker to execute arbitrary code within the context of the browser, potentially leading to data theft, malware installation, or further system compromise. Given the widespread use of Chrome and Edge, this vulnerability has a significant impact. The specific number of potential victims is dependent on the speed of patching, but could potentially affect millions of users.

Recommendation

• Apply the latest security updates for Google Chrome and Microsoft Edge to patch CVE-2026-7349.
• Deploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts.
• Monitor browser process execution for unexpected code loading or memory access patterns using process creation logs.
• Implement memory protection techniques such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to mitigate the impact of successful exploitation.

]]>highadvisoryuse-after-freebrowserchromiumhttps://feed.craftedsignal.io/briefs/2024-01-chromium-cve-2026-7338/Fri, 01 May 2026 02:21:27 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-chromium-cve-2026-7338/CVE-2026-7338 is a use-after-free vulnerability in the Cast component of Chromium, affecting Google Chrome and Microsoft Edge, potentially leading to arbitrary code execution.CVE-2026-7338 is a critical use-after-free vulnerability residing within the Cast component of the Chromium browser engine. Google Chrome and Microsoft Edge (Chromium-based) are both affected by this flaw. While the provided source does not specify the exact vulnerable versions, it indicates that Microsoft Edge ingests Chromium, and thus is affected by vulnerabilities addressed in Chromium releases. Successful exploitation of this vulnerability could lead to arbitrary code execution in the context of the user running the browser. This poses a significant risk, as attackers could potentially gain control of the user’s system. Defenders should prioritize patching affected browsers.

Attack Chain

1. An attacker crafts a malicious webpage or injects malicious code into a legitimate website that utilizes the Cast functionality.
2. The victim visits the malicious website or interacts with the compromised legitimate website using an affected browser (Chrome or Edge).
3. The malicious webpage triggers the use-after-free vulnerability in the Cast component.
4. The vulnerability allows the attacker to access memory that has already been freed.
5. The attacker overwrites the freed memory with attacker-controlled data.
6. The attacker manipulates the memory layout to redirect program execution.
7. The browser attempts to execute code from the attacker-controlled memory location.
8. This results in arbitrary code execution within the context of the browser process.

Impact

Successful exploitation of CVE-2026-7338 allows an attacker to execute arbitrary code on a victim’s machine. This can lead to complete system compromise, data theft, installation of malware, or other malicious activities. Given the widespread use of Chromium-based browsers like Chrome and Edge, this vulnerability has the potential to impact a large number of users across various sectors. The severity is critical due to the potential for remote code execution.

Recommendation

• Apply the latest security updates for Google Chrome to address CVE-2026-7338 as detailed in Google Chrome Releases.
• Apply the latest security updates for Microsoft Edge (Chromium-based) to address CVE-2026-7338, ensuring the ingested Chromium version contains the fix.
• Deploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts targeting the Cast component.
• Enable enhanced browser security features, such as sandboxing and site isolation, to limit the impact of potential exploits.

]]>criticaladvisoryuse-after-freechromeedgecve-2026-7338remote code executionhttps://feed.craftedsignal.io/briefs/2026-05-chromium-heap-overflow/Fri, 01 May 2026 02:21:27 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-chromium-heap-overflow/CVE-2026-7353 is a heap buffer overflow vulnerability in the Skia graphics library used by Chromium, affecting both Google Chrome and Microsoft Edge.CVE-2026-7353 is a critical heap buffer overflow vulnerability residing within the Skia graphics library, a core component of the Chromium open-source project. This vulnerability impacts applications that utilize Chromium, including Google Chrome and Microsoft Edge. While the specific details of exploitation are not provided in this brief, the nature of a heap buffer overflow suggests a high potential for arbitrary code execution. Successful exploitation could allow an attacker to gain control of the affected browser process. Given the widespread use of Chromium-based browsers, this vulnerability poses a significant risk to a large user base. Defenders should prioritize patching and consider implementing mitigations to detect and prevent potential exploitation attempts.

Attack Chain

1. An attacker crafts a malicious web page or injects malicious content into a trusted website.
2. The victim visits the malicious web page or interacts with the injected content using a Chromium-based browser (Chrome or Edge).
3. The browser’s rendering engine, utilizing the Skia library, processes the malicious content, triggering the heap buffer overflow in Skia.
4. The overflow allows the attacker to overwrite adjacent memory regions in the heap.
5. By carefully crafting the overflowed data, the attacker can overwrite critical data structures within the browser process.
6. The attacker gains control of the execution flow by overwriting function pointers or other control data.
7. The attacker executes arbitrary code within the context of the browser process.
8. The attacker could then perform actions such as installing malware, stealing sensitive data, or further compromising the system.

Impact

Successful exploitation of CVE-2026-7353 allows for arbitrary code execution within the context of the affected browser process. This can lead to a complete compromise of the user’s browser session, potentially enabling the attacker to steal credentials, inject malicious code into other websites, or install malware on the victim’s system. Given the widespread use of Chrome and Edge, the potential impact is significant, affecting potentially millions of users.

Recommendation

• Apply the latest security updates for Google Chrome and Microsoft Edge to patch CVE-2026-7353.
• Deploy the following Sigma rule to detect potential exploitation attempts based on suspicious process execution originating from the browser (see “Detect Suspicious Process Creation from Browser”).
• Enable enhanced browser security features such as site isolation to mitigate the impact of successful exploitation.

]]>criticaladvisoryheap overflowchromiumcve-2026-7353https://feed.craftedsignal.io/briefs/2024-01-browser-unusual-parent/Wed, 03 Jan 2024 18:15:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-browser-unusual-parent/Attackers may attempt credential theft by launching browsers (Chrome, Edge) with remote debugging, headless automation, or minimal arguments from an unusual parent process on Windows systems.This detection identifies instances where a browser process, specifically Google Chrome or Microsoft Edge, is initiated from an unexpected parent process on a Windows system. The rule focuses on scenarios where browsers are launched with arguments indicative of remote debugging, headless automation, or minimal user interaction. Such activity can signal an attempt to manipulate a browser session for malicious purposes, potentially leading to credential theft or unauthorized access to sensitive information. The rule is designed to leverage data from Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Process Creation Logs.

Attack Chain

1. An attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).
2. The attacker executes a script or command to launch a browser process (chrome.exe or msedge.exe).
3. The browser is launched with specific command-line arguments, such as --remote-debugging-port, --headless, or --window-position=-x,-y, to enable remote control or hide the browser window.
4. The parent process of the browser is an unusual executable, not typically associated with launching browsers (e.g., not explorer.exe).
5. The attacker leverages the remote debugging port to interact with the browser session programmatically.
6. The attacker attempts to steal credentials or session cookies from the browser.
7. The attacker uses stolen credentials to access sensitive data.

Impact

Successful exploitation can lead to the theft of user credentials, enabling unauthorized access to sensitive data and systems. This could result in financial loss, data breaches, and reputational damage for affected organizations. The targeted use of browser manipulation techniques increases the likelihood of bypassing traditional security controls.

Recommendation

• Deploy the Sigma rule Browser Process Spawned from Unusual Parent to your SIEM and tune for your environment.
• Enable Sysmon process-creation logging (Event ID 1) to collect the necessary data for the Sigma rule.
• Investigate any alerts generated by the Browser Process Spawned from Unusual Parent Sigma rule.
• Review process command lines for arguments like --remote-debugging-port or --headless to identify potential browser manipulation attempts.
• Monitor network connections originating from browser processes for unexpected destinations, as described in the investigation guide from the source.

]]>highadvisorycredential-accesswindowsbrowser-exploitationhttps://feed.craftedsignal.io/briefs/2024-01-run-key-registry-modification/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-run-key-registry-modification/Attackers modify registry run keys or startup keys to achieve persistence by referencing a program that executes when a user logs in or the system boots.Attackers often modify registry run keys to achieve persistence on a system. By adding entries to these keys, they ensure that a malicious program executes automatically whenever a user logs in. This technique allows the attacker to maintain access to the compromised system even after reboots or other interruptions. The programs added to these run keys execute under the context of the user account, inheriting its permissions. This activity is often difficult to distinguish from legitimate software installations or updates, requiring careful analysis to identify malicious intent. Elastic has observed this activity and created a detection rule to identify this behavior.

Attack Chain

1. The attacker gains initial access to the target system.
2. The attacker identifies registry run key locations for persistence.
3. The attacker modifies a registry run key (e.g., HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run) using tools such as reg.exe.
4. The attacker adds a malicious executable path to the registry key.
5. The system is restarted, or a user logs in.
6. The malicious executable is launched automatically as part of the logon process.
7. The malicious executable establishes a connection to a command-and-control server.
8. The attacker gains remote access to the compromised system.

Impact

Successful exploitation allows attackers to maintain persistent access to compromised systems, enabling them to perform unauthorized activities such as data theft, lateral movement, and deployment of ransomware. While each instance may not cause immediate critical damage, the cumulative effect of multiple persistent infections across an environment can lead to significant data breaches and operational disruption. The Elastic rule attempts to minimize false positives with built-in filters for common legitimate applications and processes like ctfmon.exe, but tuning is required.

Recommendation

• Deploy the Sigma rule provided below to detect suspicious modifications to registry run keys and tune it to filter out legitimate application updates.
• Enable registry event logging to capture modifications made to the registry, ensuring that the Sigma rule can function correctly.
• Investigate any alerts generated by the Sigma rule, examining the parent process of the process modifying the registry for suspicious activity.
• Block known malicious executables and domains identified during triage to prevent further infection.
• Use endpoint detection and response (EDR) solutions like Elastic Defend to gain enhanced visibility into endpoint activity and detect malicious behavior associated with persistence mechanisms.

]]>lowadvisorypersistenceregistryrunkeyhttps://feed.craftedsignal.io/briefs/2024-01-rmm-domain-dns/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-rmm-domain-dns/Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from non-browser processes, potentially indicating unauthorized remote access or command and control activity.This detection identifies potentially malicious use of Remote Monitoring and Management (RMM) tools by detecting DNS queries to known RMM domains originating from processes that are not web browsers. Attackers frequently abuse legitimate RMM software for command and control, persistence, and lateral movement within compromised networks. This rule focuses on surfacing RMM clients, scripts, or other non-browser activity contacting these services, thereby increasing the likelihood of detecting unauthorized remote access or malicious activity. The rule aims to reduce false positives by excluding common browser processes and focusing on unusual network activity. The identified domains are associated with various RMM tools like TeamViewer, AnyDesk, and ScreenConnect. This detection is relevant for organizations concerned about insider threats, supply chain attacks, or general compromise leading to unauthorized remote access.

Attack Chain

1. An attacker gains initial access to a system, possibly through phishing or exploiting a vulnerability.
2. The attacker installs an unauthorized RMM tool (e.g., using a script or installer).
3. The RMM tool initiates a DNS query to resolve its command and control domain (e.g., teamviewer.com).
4. The system, now running the RMM agent, establishes a connection to the attacker-controlled RMM server.
5. The attacker uses the RMM tool to execute commands on the compromised system.
6. The attacker uses the RMM tool for lateral movement within the network.
7. The attacker uses the RMM tool to maintain persistence on the compromised system.

Impact

Compromise via unauthorized RMM tools can provide attackers with persistent remote access, enabling them to perform a range of malicious activities, including data theft, ransomware deployment, and further lateral movement within the network. Successful exploitation can lead to significant financial loss, reputational damage, and disruption of business operations. The number of affected systems can vary depending on the scope of the initial compromise and the attacker’s ability to move laterally.

Recommendation

• Deploy the Sigma rule RMM Domain DNS Queries from Non-Browser Processes to your SIEM and tune it to your environment, excluding legitimate non-browser processes that use RMM tools.
• Investigate any alerts generated by the rule, focusing on identifying the process making the DNS query and its parent process, as outlined in the rule’s description.
• Monitor DNS query logs for queries to the RMM domains listed in the IOC table, and block them at the DNS resolver if unauthorized RMM use is confirmed.
• Enable Sysmon Event ID 22 (DNS Query) logging to provide the necessary data for this detection, as recommended in the “Setup” section of the content.

]]>mediumadvisorycommand-and-controlrmmdnshttps://feed.craftedsignal.io/briefs/2024-01-dns-over-https-enabled/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-dns-over-https-enabled/Detection of DNS-over-HTTPS (DoH) being enabled via registry modifications on Windows systems, potentially indicating defense evasion and obfuscation of network activity by masking DNS queries.The use of DNS-over-HTTPS (DoH) can obscure network activity, potentially allowing malicious actors to bypass traditional DNS monitoring and conceal data exfiltration. When DoH is enabled, visibility into DNS query types, responses, and originating IPs is lost, hindering the detection of malicious activity. This behavior is detected by monitoring registry modifications associated with enabling DoH in popular browsers such as Microsoft Edge, Google Chrome, and Mozilla Firefox. The registry keys targeted are associated with settings that force the browsers to use secure DNS resolution, potentially circumventing organizational security policies.

Attack Chain

1. Initial Access: An attacker gains initial access to a Windows system through various means, such as phishing or exploiting a software vulnerability.
2. Privilege Escalation (if necessary): The attacker may need to escalate privileges to modify registry settings.
3. Defense Evasion: The attacker modifies the Windows registry to enable DNS-over-HTTPS (DoH) in web browsers like Edge, Chrome, or Firefox. This is achieved by modifying specific registry keys such as HKLM\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled, HKLM\SOFTWARE\Google\Chrome\DnsOverHttpsMode, or HKLM\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS.
4. Obfuscation: By enabling DoH, the attacker encrypts DNS queries, making it difficult for network monitoring tools to inspect DNS traffic.
5. Command and Control: The attacker establishes command and control (C2) communication with a remote server over encrypted DNS traffic, evading traditional network-based detection methods.
6. Data Exfiltration: The attacker uses the encrypted DNS channel to exfiltrate sensitive data, bypassing network security controls that rely on DNS inspection.
7. Persistence (Optional): The attacker might establish persistence by ensuring the DoH settings remain enabled across system reboots.

Impact

Successful exploitation leads to a loss of visibility into DNS traffic, hindering incident response and threat hunting efforts. Attackers can effectively hide command-and-control communications and data exfiltration activities. Although this activity by itself isn’t inherently malicious, it removes a layer of defense, increasing the risk that malicious activities will go undetected.

Recommendation

• Deploy the Sigma rules provided in this brief to your SIEM to detect the enabling of DNS-over-HTTPS via registry modifications.
• Enable Sysmon registry event logging to capture the necessary events for the provided Sigma rules to function effectively.
• Review and update security policies to ensure DNS-over-HTTPS is only enabled through approved channels and for legitimate purposes, reducing the risk of misuse, and create exceptions in the detection rule for systems where this is a known requirement.
• Investigate any alerts generated by the Sigma rules, focusing on identifying the user account, process, and associated network activity (reference the investigation guide in the source URL).

]]>lowadvisorydefense-evasiondns-over-httpsregistry-modificationhttps://feed.craftedsignal.io/briefs/2024-01-masquerading-business-apps/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-masquerading-business-apps/Attackers masquerade malicious executables as legitimate business application installers to trick users into downloading and executing malware, leveraging defense evasion and initial access techniques.Attackers often attempt to trick users into downloading and executing malicious executables by disguising them as legitimate business applications. This tactic is used to bypass security measures and gain initial access to a system. These malicious executables, often distributed via malicious ads, forum posts, and tutorials, mimic the names of commonly used applications such as Slack, WebEx, Teams, Discord, and Zoom. The executables are typically unsigned or signed with invalid certificates to further evade detection. This allows the attacker to execute arbitrary code on the victim’s machine, potentially leading to further compromise. This campaign aims to target end-users who are less security-aware, and this makes social engineering attacks like this very effective.

Attack Chain

1. The user visits a compromised website or clicks on a malicious advertisement.
2. The user is prompted to download an installer file masquerading as a legitimate business application (e.g., Slack, Zoom, Teams) from a download directory.
3. The downloaded executable is placed in the user’s Downloads folder (e.g., C:\Users*\Downloads*).
4. The user executes the downloaded file.
5. The executable, lacking a valid code signature, begins execution.
6. The malicious installer may drop and execute additional malware components.
7. The malware establishes persistence, potentially using techniques such as registry key modification.
8. The malware performs malicious activities, such as data exfiltration or lateral movement.

Impact

Successful execution of a masqueraded business application installer can lead to a complete system compromise. The attacker gains initial access and can deploy various malware payloads, including ransomware, keyloggers, and data stealers. This can result in data breaches, financial loss, and reputational damage. Although the specific number of victims and sectors targeted are not detailed, the widespread use of the applications being spoofed (Slack, Zoom, etc.) suggests a broad potential impact.

Recommendation

• Implement the Sigma rule Potential Masquerading as Business App Installer to detect unsigned executables resembling legitimate business applications in download directories.
• Enable process creation logging to capture the execution of unsigned executables.
• Educate users on the risks of downloading and executing files from untrusted sources.
• Implement application whitelisting to restrict the execution of unauthorized applications.
• Regularly update endpoint detection and response (EDR) tools to detect and prevent the execution of known malware.
• Monitor process execution events for processes originating from the Downloads folder that lack valid code signatures.

]]>mediumadvisorymasqueradingdefense-evasioninitial-accessmalwarewindows