{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/elastic-endpoint/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Filtering Platform","elastic-agent","elastic-endpoint"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows-filtering-platform","endpoint-security"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Bitdefender","VMware Carbon Black","Comodo","Vectra AI","Cybereason","Cylance","Elastic","ESET","Broadcom","Fortinet","Kaspersky","Malwarebytes","McAfee","Qualys","SentinelOne","Sophos","Symantec","Trend Micro","BeyondTrust","CrowdStrike","Splunk","Tanium"],"content_html":"\u003cp\u003eThe Windows Filtering Platform (WFP) provides APIs and system services for network filtering and packet processing. Attackers can abuse WFP by creating malicious rules to block endpoint security processes, hindering their ability to send telemetry. This can be achieved by tools like Shutter, EDRSilencer, and Nighthawk. This detection rule identifies patterns of blocked network events linked to security software processes, signaling potential evasion tactics. The rule specifically looks for blocked network events linked to processes associated with known security software, aiming to detect and alert on attempts to disable or modify security tools. This behavior is especially concerning as it allows attackers to operate with reduced visibility.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system (e.g., via compromised credentials or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain administrative rights, necessary to interact with the Windows Filtering Platform.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool or script (e.g., leveraging the \u003ccode\u003enetsh\u003c/code\u003e command or custom WFP API calls) to create a new WFP filter.\u003c/li\u003e\n\u003cli\u003eThe WFP filter is configured to block network traffic originating from specific processes associated with endpoint security software (e.g., \u003ccode\u003eelastic-agent.exe\u003c/code\u003e, \u003ccode\u003esysmon.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe system begins blocking network communication from the targeted security software.\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious commands or malware on the system, knowing that security telemetry will be suppressed.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network, repeating the WFP filter deployment on other systems to further impair defenses.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or ransomware deployment, with reduced risk of detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using WFP to impair defenses can lead to a significant reduction in the effectiveness of endpoint security solutions. This can result in delayed detection of malicious activities, increased dwell time for attackers, and ultimately, a higher likelihood of successful data breaches or ransomware attacks. With endpoint telemetry blocked, organizations may remain unaware of the ongoing compromise until significant damage has occurred. The number of affected systems can vary depending on the attacker\u0026rsquo;s scope and objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and review Windows Audit Filtering Platform Connection and Packet Drop events to populate the logs required for the provided EQL rule (logs-system.security*, logs-windows.forwarded*, winlogbeat-*).\u003c/li\u003e\n\u003cli\u003eDeploy the provided EQL rule to your SIEM to detect suspicious WFP modifications and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the EQL rule, focusing on identifying the specific processes being blocked and the source of the WFP rule modifications.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit WFP rules to identify any unauthorized or suspicious entries.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and monitoring for systems authorized to modify WFP rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-wfp-evasion/","summary":"Adversaries may add malicious Windows Filtering Platform (WFP) rules to prevent endpoint security solutions from sending telemetry data, impairing defenses, which this rule detects by identifying multiple WFP block events where the process name is associated with endpoint security software.","title":"Potential Evasion via Windows Filtering Platform Blocking Security Software","url":"https://feed.craftedsignal.io/briefs/2026-05-wfp-evasion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Endpoint"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","scripting-interpreter","base64","command-line"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis rule identifies the execution of scripting interpreters (Python, PowerShell, Node.js, and Deno) with unusually long command lines containing base64 encoded payloads. The rule focuses on scenarios where the initial \u003ccode\u003eprocess.command_line\u003c/code\u003e field is ignored due to its excessive length, but the complete command line is still available in \u003ccode\u003eprocess.command_line.text\u003c/code\u003e. Attackers leverage this technique to evade traditional command-line inspection and execute malicious content across Windows, macOS, and Linux systems. This approach allows attackers to embed and execute code without writing it to disk, making it harder to detect. The rule is designed to detect this behavior, allowing for closer inspection of the executed commands and their intent.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell, Python, Node.js, or Deno to execute commands.\u003c/li\u003e\n\u003cli\u003eA long, base64-encoded string is crafted, designed to evade detection.\u003c/li\u003e\n\u003cli\u003eThe interpreter is invoked with the encoded string passed as an argument, exceeding typical command-line limits.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eprocess.command_line\u003c/code\u003e field is truncated due to its length, but the full command line is available in \u003ccode\u003eprocess.command_line.text\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe interpreter decodes and executes the payload from the \u003ccode\u003eprocess.command_line.text\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe decoded payload performs malicious actions such as downloading malware, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as gaining control of the system or stealing sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a wide range of malicious activities, including malware installation, data theft, privilege escalation, and system compromise. Due to the defense evasion capabilities, it is difficult to identify and prevent. The impact includes potential data breaches, financial losses, and reputational damage. The rule\u0026rsquo;s detection helps defenders identify this attack vector and prevent further exploitation of affected systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Long Base64 Encoded Command via Scripting Interpreter\u003c/code\u003e to your SIEM to detect this behavior.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the \u003ccode\u003eprocess.command_line.text\u003c/code\u003e field to understand the full command being executed.\u003c/li\u003e\n\u003cli\u003eReview parent processes and execution chains of the interpreter to understand the initial attack vector.\u003c/li\u003e\n\u003cli\u003eImplement controls to restrict the execution of scripting interpreters from untrusted sources.\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for command lines exceeding a certain length threshold.\u003c/li\u003e\n\u003cli\u003eImprove logging coverage to capture the full command line even when it exceeds standard limits.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:00:00Z","date_published":"2024-01-03T17:00:00Z","id":"/briefs/2024-01-03-long-base64-interpreter-cmdline/","summary":"Detection of oversized command lines used by Python, PowerShell, Node.js, or Deno interpreters containing base64 decoding or encoded-command patterns, indicating potential evasion and malicious execution.","title":"Long Base64 Encoded Command via Scripting Interpreter","url":"https://feed.craftedsignal.io/briefs/2024-01-03-long-base64-interpreter-cmdline/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Endpoint","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","remote-access","windows"],"_cs_type":"advisory","_cs_vendors":["TeamViewer","LogMeIn","AnyDesk","ScreenConnect","ConnectWise","Splashtop","Zoho","RustDesk","n-able","Kaseya","BeyondTrust","Tailscale","JumpCloud","VNC","Datto","Auvik","SyncroMSP","Pulseway","NinjaOne","Liongard","Naverisk","Panorama9","Tactical RMM","MeshCentral","ISL Online","Goverlan","Iperius","Remotix","Mikogo","Action1","Elastic"],"content_html":"\u003cp\u003eThis detection identifies DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains originating from processes that are not web browsers. This activity can indicate the use of legitimate RMM tools for malicious purposes, such as command and control, persistence, or lateral movement within a network. The detection aims to surface RMM clients, scripts, or other non-browser activities contacting these services without legitimate user interaction. Defenders should investigate processes making these queries to confirm expected behavior and validate the security posture of their managed assets. The rule is based on a list of known RMM domains and excludes common browser processes to reduce false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows host through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys or leverages an existing RMM tool on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe RMM tool, running as a non-browser process, initiates a DNS query to resolve a command and control server associated with the RMM service (e.g., teamviewer.com).\u003c/li\u003e\n\u003cli\u003eThe DNS query is made by a process other than a known web browser (chrome.exe, firefox.exe, etc.).\u003c/li\u003e\n\u003cli\u003eThe compromised host establishes a connection to the resolved IP address associated with the RMM domain.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RMM tool to execute commands, transfer files, or perform other malicious activities on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the RMM tool for lateral movement, pivoting to other systems within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which could include data exfiltration, ransomware deployment, or maintaining persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromise via abused RMM software can lead to full system compromise, data theft, or deployment of ransomware. While the number of affected victims is unknown, the sectors most likely to be impacted include any organization that relies on RMM tools for IT management. Successful exploitation allows attackers to bypass traditional security controls by using legitimate software, making detection more challenging.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;DNS Queries to Known RMM Domains from Non-Browser Processes\u0026rdquo; to your SIEM and tune the RMM domain list for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the process responsible for the DNS query and its parent process.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized RMM tools.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon DNS event logging to ensure the necessary data is available for the detection rule.\u003c/li\u003e\n\u003cli\u003eCorrelate with other alerts to identify potential compromises.\u003c/li\u003e\n\u003cli\u003eReview process.code_signature for trusted RMM publishers and investigate any unsigned or unexpected signers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-rmm-dns-non-browser/","summary":"Detection of DNS queries to remote monitoring and management (RMM) domains from non-browser processes indicating potential misuse of legitimate remote access tools for command and control.","title":"Suspicious DNS Queries to RMM Domains from Non-Browser Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-rmm-dns-non-browser/"}],"language":"en","title":"CraftedSignal Threat Feed — Elastic-Endpoint","version":"https://jsonfeed.org/version/1.1"}