{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/endpoint-security/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Endpoint Defense","Windows Defender Advanced Threat Protection","Symantec Endpoint Protection","Endpoint Security","AVDefender","Optics","Padvish AV"],"_cs_severities":["high"],"_cs_tags":["credential-access","regback","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Sophos","Microsoft","Trend Micro","Symantec","Bitdefender","N-able Technologies","Cylance","McAfee","Padvish"],"content_html":"\u003cp\u003eThis detection identifies suspicious attempts to access registry backup hives (SAM, SECURITY, and SYSTEM) located in the \u003ccode\u003eRegBack\u003c/code\u003e folder on Windows systems. These hives contain sensitive credential material, making them attractive targets for attackers seeking to compromise system security. The detection logic focuses on file access events, specifically successful file opens, while excluding known benign processes such as \u003ccode\u003etaskhostw.exe\u003c/code\u003e and various AV/EDR solutions (SophosScanCoordinator.exe, MsSense.exe, ccSvcHst.exe, etc.) to minimize false positives. The rule is designed to provide defenders with high-fidelity alerts when unauthorized access to these critical registry hives is detected. 
The scope includes any Windows system where endpoint file access logging is enabled. One caveat on coverage: since Windows 10 version 1803 the scheduled RegIdleBackup task no longer populates \u003ccode\u003eRegBack\u003c/code\u003e, so on default-configured hosts the folder holds zero-byte placeholder files and an open yields nothing; backups resume only when the DWORD \u003ccode\u003eEnablePeriodicBackup\u003c/code\u003e is set to 1 under \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Configuration Manager\u003c/code\u003e. Where that backup is enabled, a successful open of a populated hive by an unexpected process deserves a prompt response.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to access the \u003ccode\u003eSAM\u003c/code\u003e, \u003ccode\u003eSECURITY\u003c/code\u003e, or \u003ccode\u003eSYSTEM\u003c/code\u003e registry hives located in the \u003ccode\u003eC:\\Windows\\System32\\config\\RegBack\\\u003c/code\u003e directory. Unlike the live hives in \u003ccode\u003eC:\\Windows\\System32\\config\\\u003c/code\u003e, which the kernel keeps open with exclusive access, the backup copies are ordinary files that an administrator can read or copy directly.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a tool or script to open one or more of these registry hives. This could involve using built-in Windows utilities, scripting languages, or custom-developed tools.\u003c/li\u003e\n\u003cli\u003eIf the attacker obtains both the \u003ccode\u003eSAM\u003c/code\u003e and \u003ccode\u003eSYSTEM\u003c/code\u003e hives, they can recover local account credentials: \u003ccode\u003eSAM\u003c/code\u003e holds the usernames and password hashes, and \u003ccode\u003eSYSTEM\u003c/code\u003e holds the boot key needed to decrypt them. 
The \u003ccode\u003eSECURITY\u003c/code\u003e hive adds LSA secrets (for example service account passwords) and cached domain logon credentials, which are decrypted with the same boot key.\u003c/li\u003e\n\u003cli\u003eThe attacker may stage the registry hive files by copying them to a different location on the system for further analysis or exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker uses credential dumping tools (e.g., Mimikatz, or Impacket\u0026rsquo;s \u003ccode\u003esecretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL\u003c/code\u003e) or custom scripts to extract credentials from the staged registry hives, typically offline on an attacker-controlled machine.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the extracted credentials to escalate privileges, move laterally within the network, or access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe final objective is typically to gain unauthorized access to critical systems, steal sensitive data, or establish long-term persistence within the compromised environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful use of this technique can lead to the compromise of user account credentials, enabling attackers to escalate privileges, move laterally within the network, and gain unauthorized access to sensitive data. The impact can range from data breaches and financial losses to reputational damage and disruption of critical business operations. How far it spreads depends on the scope of the attacker\u0026rsquo;s activities and on the security posture of the targeted organization, in particular on whether local administrator passwords recovered from one host are reused on others. 
Sectors commonly targeted include finance, healthcare, government, and critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable file access monitoring for the \u003ccode\u003eC:\\Windows\\System32\\config\\RegBack\\\u003c/code\u003e directory to capture file open events. Sysmon has no file-open event, so use the EDR\u0026rsquo;s file-access telemetry or native auditing: enable the \u003ccode\u003eAudit File System\u003c/code\u003e subcategory under Object Access and place a SACL for read access on the directory, after which Windows Security event 4663 records each successful open together with the process name.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRegistry Hive Access via RegBack\u003c/code\u003e to your SIEM and tune the exclusions based on your environment; the AV/EDR scanners listed above are a starting point, not a complete list.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eprocess_creation\u003c/code\u003e events whose command line references \u003ccode\u003eC:\\Windows\\System32\\config\\RegBack\\\u003c/code\u003e (for example \u003ccode\u003ecopy\u003c/code\u003e or \u003ccode\u003excopy\u003c/code\u003e of a hive into a staging directory), using the rule \u003ccode\u003eSuspicious Process Accessing RegBack Hives\u003c/code\u003e; process creation events do not show file opens themselves, only command lines that name the path.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1, or Windows Security event 4688 with command-line auditing) to feed the \u003ccode\u003eprocess_creation\u003c/code\u003e rule; the file open telemetry must come from the auditing or EDR source above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-02T12:00:00Z","date_published":"2024-07-02T12:00:00Z","id":"/briefs/2024-07-regback-hive-access/","summary":"This rule detects attempts to access registry backup hives (SAM, SECURITY, SYSTEM) via RegBack on Windows systems, which can contain or enable access to credential material.","title":"Suspicious Registry Hive Access via RegBack","url":"https://feed.craftedsignal.io/briefs/2024-07-regback-hive-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Endpoint Security","UEMS_Agent","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","filter-driver","fltMC.exe","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","ManageEngine","Bitdefender","SentinelOne"],"content_html":"\u003cp\u003eThe Filter Manager Control Program (fltMC.exe) is a Windows utility used to manage filter drivers, also known as minifilters. 
These minifilters are leveraged by various security products, including EDR, antivirus solutions, and data loss prevention tools, to intercept and modify I/O requests. An attacker with administrative rights can run \u003ccode\u003efltMC.exe unload \u0026lt;filter name\u0026gt;\u003c/code\u003e (loaded filter names are listed by \u003ccode\u003efltMC.exe filters\u003c/code\u003e) to detach a minifilter, disabling or circumventing the security measures it provides. The request is a non-mandatory unload: a minifilter that registered no unload callback cannot be unloaded at all, and one whose callback refuses the request stays attached, so the technique only succeeds against products whose filters permit it. Where it does succeed, it allows malicious actors to operate without detection, potentially leading to data breaches, malware infections, or other harmful activities. This technique has been observed being used to disable security products such as Bitdefender, SentinelOne and ManageEngine Endpoint Central.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system (e.g., via compromised credentials or exploit).\u003c/li\u003e\n\u003cli\u003eAttacker executes \u003ccode\u003efltMC.exe\u003c/code\u003e with administrative privileges, which unloading a driver requires.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003efltMC.exe\u003c/code\u003e requests the unload of a specific filter driver (minifilter) by name, typically after enumerating the loaded filters with \u003ccode\u003efltMC.exe filters\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Filter Manager forwards the request to the minifilter\u0026rsquo;s unload callback, which may honour or refuse it.\u003c/li\u003e\n\u003cli\u003eIf successful, the targeted minifilter is removed from the active filter stack.\u003c/li\u003e\n\u003cli\u003eSecurity software relying on the unloaded minifilter ceases to function correctly, leaving a security gap.\u003c/li\u003e\n\u003cli\u003eAttacker performs malicious actions, such as deploying malware or exfiltrating sensitive data, without the protection of the disabled filter driver.\u003c/li\u003e\n\u003cli\u003eAttacker achieves their objective, such as data theft or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to disable or circumvent security controls, increasing the likelihood of successful malware infections, data breaches, and other malicious activities. 
The scope of impact depends on the specific filter driver unloaded and the security products it supports. Disabling a critical EDR minifilter could leave the entire system vulnerable, while disabling a less critical filter might only impact a subset of security features.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003efltMC.exe\u003c/code\u003e with the \u003ccode\u003eunload\u003c/code\u003e argument to identify potential evasion attempts (see Sigma rule \u0026ldquo;Potential Evasion via Filter Manager\u0026rdquo;). Match on the image path rather than on the first token of the command line, since the tool can be invoked as plain \u003ccode\u003efltmc\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003efltMC.exe\u003c/code\u003e execution where the parent process is not a known and trusted system management tool; an interactive shell or script host as the parent is the typical attacker pattern.\u003c/li\u003e\n\u003cli\u003eUnloading already requires administrative rights, so the effective preventive control is keeping local administrator membership small; an application control policy can additionally block \u003ccode\u003efltMC.exe\u003c/code\u003e for accounts that have no need to manage filter drivers.\u003c/li\u003e\n\u003cli\u003eReview the list of exclusions in the provided EQL query to identify any legitimate software that may be generating false positives.\u003c/li\u003e\n\u003cli\u003eEnsure that endpoint security solutions are properly configured and monitored to detect and prevent unauthorized filter driver modifications; after deployment, confirm with \u003ccode\u003efltMC.exe filters\u003c/code\u003e that the product\u0026rsquo;s minifilter is loaded, and prefer products whose filters refuse non-mandatory unload requests.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1, or Windows Security event 4688 with command-line auditing) to feed the rule above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-filter-manager-evasion/","summary":"Adversaries may abuse the Filter Manager Control Program (fltMC.exe) to unload filter drivers, thereby evading security software defenses such as malware detection and file system monitoring.","title":"Potential Defense Evasion via Filter Manager 
(fltMC.exe)","url":"https://feed.craftedsignal.io/briefs/2024-01-filter-manager-evasion/"}],"language":"en","title":"CraftedSignal Threat Feed — Endpoint Security","version":"https://jsonfeed.org/version/1.1"}
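The two briefs above describe three detections in prose: a successful open of a RegBack hive by a process outside an exclusion list, a process creation whose command line names the RegBack folder, and fltMC.exe invoked with the `unload` verb under an untrusted parent. The following is an added example, not the feed's or any vendor's rule code, that expresses all three as plain functions and runs them over constructed endpoint events. The event field names (`category`, `image`, `path`, `success`, `command_line`, `parent_image`), the sample records, the filter name `ContosoMinifilter` and the `trusted_parents` allowlist are assumptions made for this illustration; a real pipeline would map Windows Security event 4663 or EDR file-open telemetry to `file_access` and Sysmon Event ID 1 or Security event 4688 to `process_creation`.

```python
"""Evaluate the two briefs' detections over constructed endpoint events.

Added example, not the feed's or any vendor's rule code. Event dicts follow
Sigma's file_access / process_creation log-source shape; the field names and
every sample record below are assumptions made for this illustration.
"""
import json
import re
from pathlib import PureWindowsPath

REGBACK_DIR = PureWindowsPath(r"C:\Windows\System32\config\RegBack")
REGBACK_HIVES = {"sam", "security", "system"}
# Benign readers named in the RegBack brief (lower-cased image names).
REGBACK_EXCLUDED_IMAGES = {
    "taskhostw.exe", "sophosscancoordinator.exe", "mssense.exe", "ccsvchst.exe",
}
REGBACK_CMDLINE = re.compile(r"\\config\\regback\\", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, e.g. C:\\...\\cmd.exe -> cmd.exe."""
    return PureWindowsPath(path).name.lower()


def is_regback_hive(path: str) -> bool:
    """True for SAM/SECURITY/SYSTEM directly inside the RegBack folder.
    PureWindowsPath equality is case-insensitive, like NTFS name lookups."""
    p = PureWindowsPath(path)
    return p.parent == REGBACK_DIR and p.name.lower() in REGBACK_HIVES


def detect_regback_access(ev: dict):
    """Rule 1: successful open of a RegBack hive by a non-excluded process.
    `success` stands in for the Audit Success keyword of Security event 4663
    or the result field of EDR file-open telemetry."""
    if ev.get("category") != "file_access" or not ev.get("success"):
        return None
    if not is_regback_hive(ev["path"]) or image_name(ev["image"]) in REGBACK_EXCLUDED_IMAGES:
        return None
    return {"rule": "Registry Hive Access via RegBack", "severity": "high",
            "image": ev["image"], "path": ev["path"]}


def detect_regback_cmdline(ev: dict):
    """Rule 2: process creation whose command line names the RegBack folder
    (e.g. copying a hive to a staging directory before offline dumping)."""
    if ev.get("category") != "process_creation":
        return None
    if not REGBACK_CMDLINE.search(ev.get("command_line", "")):
        return None
    return {"rule": "Suspicious Process Accessing RegBack Hives", "severity": "high",
            "image": ev["image"], "command_line": ev["command_line"]}


def detect_fltmc_unload(ev: dict, trusted_parents=frozenset()):
    """Rule 3: fltMC.exe run with the `unload` verb. Matches on the image name,
    not argv[0], since the tool can be typed as plain `fltmc`. `trusted_parents`
    is an environment-specific allowlist (assumed empty); an untrusted parent is
    flagged for investigation as the Filter Manager brief recommends."""
    if ev.get("category") != "process_creation" or image_name(ev["image"]) != "fltmc.exe":
        return None
    tokens = ev.get("command_line", "").split()
    verbs = [t.lower() for t in tokens[1:]]
    if "unload" not in verbs:
        return None
    j = verbs.index("unload") + 1  # index of "unload" within tokens
    parent = image_name(ev.get("parent_image", ""))
    return {"rule": "Potential Evasion via Filter Manager", "severity": "medium",
            "filter": tokens[j + 1] if j + 1 < len(tokens) else None,
            "parent": parent, "parent_trusted": parent in trusted_parents}


def run_rules(events, trusted_parents=frozenset()):
    """Apply every rule to every event and return the alerts raised, in order."""
    alerts = []
    for ev in events:
        for hit in (detect_regback_access(ev), detect_regback_cmdline(ev),
                    detect_fltmc_unload(ev, trusted_parents)):
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real logs); comments give the expected verdict.
SAMPLE_EVENTS = [
    {"category": "file_access", "success": True, "image": r"C:\Windows\System32\taskhostw.exe",
     "path": r"C:\Windows\System32\config\RegBack\SAM"},        # excluded benign reader
    {"category": "file_access", "success": True, "image": r"C:\Users\bob\Downloads\dump.exe",
     "path": r"C:\Windows\System32\config\regback\SYSTEM"},     # alert; case differs from rule
    {"category": "file_access", "success": False, "image": r"C:\Users\bob\Downloads\dump.exe",
     "path": r"C:\Windows\System32\config\RegBack\SECURITY"},   # failed open: no alert
    {"category": "file_access", "success": True, "image": r"C:\Windows\System32\cmd.exe",
     "path": r"C:\Windows\System32\config\SAM"},                # live hive: out of scope here
    {"category": "process_creation", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cmd.exe /c copy C:\Windows\System32\config\RegBack\SAM C:\Users\Public\sam.bak"},  # alert
    {"category": "process_creation", "image": r"C:\Windows\System32\fltMC.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "fltMC.exe filters"},  # listing only
    {"category": "process_creation", "image": r"C:\Windows\System32\fltMC.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Windows\System32\fltMC.exe" unload ContosoMinifilter'},  # alert; name is constructed
]

if __name__ == "__main__":
    print(json.dumps(run_rules(SAMPLE_EVENTS), indent=2))
```

Running the block prints three alerts: the `dump.exe` open of `SYSTEM` (the `taskhostw.exe` open is excluded, the failed open and the live-hive open never match), the `copy` command line, and the `fltMC.exe unload`, the last carrying the parsed filter name and the parent so an analyst can apply the brief's "known and trusted system management tool" check. Tuning lives in two places only: `REGBACK_EXCLUDED_IMAGES` for the first rule and the `trusted_parents` argument for the third.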