https://feed.craftedsignal.io/products/elastic-license-v2/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 04 May 2026 21:42:34 +0000https://feed.craftedsignal.io/briefs/2024-01-kubernetes-pod-exec-sensitive-file-access/Mon, 04 May 2026 21:42:34 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-kubernetes-pod-exec-sensitive-file-access/This rule detects Kubernetes pod exec sessions where the decoded command line references sensitive files or paths such as mounted service account tokens, kubelet and control-plane configuration, host identity stores, private keys, and process environment dumps, aiming to identify potential lateral movement, privilege escalation, or credential theft.This detection identifies Kubernetes pod exec sessions accessing sensitive files or credential paths. The goal is to detect attackers attempting to steal credentials or configuration information from within Kubernetes pods. This often occurs after initial access and may precede lateral movement, privilege escalation, or data exfiltration. The detection focuses on command lines that reference paths related to service account tokens, kubelet configuration, host identity stores, common private keys, keystore extensions, process environment dumps, and configuration files with embedded secrets. The rule is designed to catch both interactive and scripted access, and includes exclusions for benign reads of resolv.conf.

Attack Chain

1. Attacker gains initial access to a Kubernetes cluster, potentially through a compromised application or misconfigured service.
2. Attacker uses kubectl exec or similar tools to execute commands within a pod.
3. The executed command attempts to read sensitive files or directories within the pod’s filesystem, such as /var/run/secrets/kubernetes.io/serviceaccount/token to obtain the pod’s service account token.
4. The command may also target host-level files if the pod has hostPath mounts or runs in a privileged context, like /etc/shadow or /etc/passwd for credential access.
5. The attacker may attempt to dump process environments via /proc/<pid>/environ to extract sensitive information stored as environment variables.
6. The attacker leverages obtained credentials or configuration to move laterally to other pods or nodes within the cluster.
7. The attacker escalates privileges within the cluster by abusing stolen service account tokens or node credentials.
8. The final objective is to exfiltrate sensitive data, deploy malicious workloads, or disrupt services within the Kubernetes environment.

Impact

A successful attack can lead to the compromise of sensitive data, including credentials, configuration files, and application secrets. This can enable attackers to move laterally within the Kubernetes cluster, escalate privileges, and potentially gain control over the entire environment. The severity of the impact depends on the sensitivity of the data exposed and the level of access achieved by the attacker.

Recommendation

• Deploy the provided Sigma rule to your SIEM to detect sensitive file access within Kubernetes pod exec sessions.
• Investigate any alerts triggered by the Sigma rule, focusing on the Esql.access_type field to prioritize incidents.
• Review and tighten RBAC permissions for pod exec to limit access to authorized users and service accounts.
• Implement admission controls to prevent pods from running in privileged mode or using hostPath mounts unless absolutely necessary.
• Monitor Kubernetes audit logs for suspicious kubectl exec activity, including unusual command lines or access patterns.
• Regularly rotate Kubernetes service account tokens and other sensitive credentials to minimize the impact of potential breaches.
• Use the provided Kubernetes audit log query to proactively search for historical instances of sensitive file access.

]]>highadvisorykubernetescredential-accessexecutionhttps://feed.craftedsignal.io/briefs/2024-01-posh-concat-obfuscation/Wed, 03 Jan 2024 15:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-posh-concat-obfuscation/This rule detects PowerShell scripts that build commands from concatenated string literals within dynamic invocation constructs, a technique used by attackers to obscure execution intent, bypass keyword-based detections, and evade AMSI.This detection rule identifies PowerShell scripts employing concatenated string literals within dynamic invocation constructs like &() or .(). This obfuscation technique allows attackers to construct commands dynamically, making it harder to detect their malicious intent based on static analysis or keyword matching. By breaking commands into smaller, concatenated strings, attackers aim to bypass traditional signature-based detections and evade AMSI (Anti-Malware Scan Interface). This technique has been observed in various campaigns where threat actors attempt to execute malicious code while minimizing the chances of detection. This activity is particularly concerning for defenders, as it highlights a common method to bypass security measures.

Attack Chain

1. An attacker gains initial access to a system (e.g., through phishing or exploiting a vulnerability).
2. The attacker executes a PowerShell script on the compromised system.
3. The PowerShell script uses string concatenation to build malicious commands dynamically.
4. Dynamic invocation constructs like &() or .() are used to execute the concatenated commands.
5. The obfuscated commands bypass keyword-based detections and AMSI.
6. The attacker performs malicious activities, such as downloading additional payloads.
7. The attacker executes the downloaded payloads to establish persistence or exfiltrate data.
8. The attacker achieves their final objective, such as stealing sensitive information or deploying ransomware.

Impact

Successful exploitation can lead to complete system compromise, data theft, and potential ransomware deployment. Attackers can leverage this technique to evade security controls and execute malicious commands undetected. The impact is high because it allows attackers to bypass common defenses and maintain persistence on the system, affecting potentially hundreds or thousands of systems across an organization.

Recommendation

• Enable PowerShell Script Block Logging to capture the events necessary for this detection, as indicated in the setup instructions linked in the source material.
• Deploy the Sigma rule Detect PowerShell Obfuscation via String Concatenation to your SIEM and tune for your environment to detect the use of concatenated strings in PowerShell commands.
• Investigate alerts generated by the Sigma rule, focusing on the reconstructed PowerShell commands and the processes that launched them, as outlined in the triage and analysis section of the source material.
• Monitor for follow-on activities, such as child processes, file modifications, and network connections originating from PowerShell processes exhibiting obfuscation techniques.

]]>highadvisorydefense-evasionpowershellobfuscationhttps://feed.craftedsignal.io/briefs/2024-01-rpc-internet-access/Wed, 03 Jan 2024 14:27:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-rpc-internet-access/This brief focuses on detecting Remote Procedure Call (RPC) traffic originating from internal networks and reaching the public internet, which is indicative of potential initial access or backdoor activity.The Remote Procedure Call (RPC) protocol, while essential for legitimate system administration tasks such as remote maintenance and resource sharing within internal networks, poses a significant security risk when exposed to the internet. Threat actors frequently target and exploit RPC services as an initial access vector or to establish backdoors within compromised systems. This exposure allows attackers to remotely execute commands, move laterally within the network, and potentially exfiltrate sensitive data. This brief provides detection strategies to identify such anomalous RPC traffic, enabling security teams to proactively mitigate potential threats. The detection focuses on identifying TCP traffic to port 135 from internal IP ranges to external IP addresses.

Attack Chain

1. The attacker compromises a host within the internal network, potentially through phishing or exploiting a vulnerability.
2. The compromised host initiates an RPC connection to an external IP address on TCP port 135.
3. The attacker uses the RPC connection to enumerate network resources and identify potential targets for lateral movement.
4. Using the RPC connection, the attacker attempts to authenticate to other systems within the network.
5. Upon successful authentication, the attacker remotely executes commands on the target system via RPC.
6. The attacker installs malware or a backdoor on the target system for persistence.
7. The attacker leverages the established foothold to further propagate within the network, compromising additional systems.

Impact

Successful exploitation of RPC services exposed to the internet can lead to a complete compromise of the internal network. Attackers can gain initial access, move laterally, exfiltrate sensitive data, deploy ransomware, or disrupt critical business operations. A single exposed RPC service can serve as a gateway for widespread damage.

Recommendation

• Implement the provided Sigma rule to detect RPC traffic from internal IP ranges to external destinations on TCP port 135, focusing on network traffic logs.
• Investigate any alerts generated by the Sigma rule, prioritizing systems exhibiting suspicious RPC activity (Sigma rule, logsource: network_connection).
• Ensure that RPC services are not directly exposed to the internet. Implement firewall rules to restrict access to authorized internal IP ranges only.
• Continuously monitor network traffic for anomalous RPC activity and correlate with other security events (logsource: network_connection).
• Review and update firewall configurations to block unauthorized outbound connections on port 135 (logsource: firewall).

]]>highadvisorynetwork-trafficinitial-accesslateral-movementrpchttps://feed.craftedsignal.io/briefs/2024-01-machine-account-relay/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-machine-account-relay/The rule identifies potential relay attacks against a machine account by detecting network share access events originating from a remote source IP but utilizing the target server's computer account, which may indicate an SMB relay attack.This detection rule identifies potential SMB relay attacks targeting machine accounts in Windows environments. The attack involves an adversary intercepting and relaying authentication requests to gain unauthorized access to network resources. The detection focuses on analyzing Windows Security Event Logs for file share access events (event code 5145) where the source IP address is different from the target server’s IP address, but the user name matches the target server’s computer account (ends with “$”). This activity could indicate that an attacker is relaying SMB authentication requests from a compromised system to the target server, effectively impersonating the machine account. Detecting this behavior is crucial for identifying and mitigating potential lateral movement and credential access attempts within the network.

Attack Chain

1. The attacker compromises a host within the network.
2. The attacker initiates an SMB connection to a target server.
3. The attacker intercepts the authentication request.
4. The attacker relays the authentication request to another server using the target server’s machine account.
5. The target server authenticates the relayed request, granting access to the attacker.
6. The attacker gains unauthorized access to network shares and resources on the target server.
7. The attacker attempts lateral movement to other systems within the domain.
8. The attacker performs credential access activities, such as dumping credentials or accessing sensitive data.

Impact

Successful exploitation allows attackers to gain unauthorized access to network resources, potentially leading to lateral movement, data theft, or system compromise. A successful SMB relay attack can compromise critical systems and expose sensitive data, potentially impacting hundreds or thousands of systems within the domain. This can result in significant financial losses, reputational damage, and legal liabilities.

Recommendation

• Enable Audit Detailed File Share monitoring to generate the necessary event logs for detection (Setup instructions: https://ela.st/audit-detailed-file-share).
• Deploy the provided Sigma rule “Potential Machine Account Relay Attack via SMB” to your SIEM to detect suspicious SMB activity based on event code 5145 and abnormal source IP addresses.
• Investigate alerts generated by the Sigma rule by reviewing surrounding authentication events (event codes 4624 and 4625) to confirm the use of machine accounts from unexpected source IPs.
• Implement network segmentation and restrict SMB access between systems to limit the potential impact of SMB relay attacks.
• Enforce SMB signing or Extended Protection to prevent man-in-the-middle attacks.
• Monitor for related alerts as described in the transform.investigate sections, focusing on suspicious authentication, service creation, persistence, or credential access on the host.id.

]]>highadvisorycredential-accesssmb-relaywindows