{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/microsoft-visual-studio/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Office","Microsoft Visual Studio"],"_cs_severities":["medium"],"_cs_tags":["persistence","office","vsto"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers can leverage Visual Studio Tools for Office (VSTO) add-ins to establish persistence within Microsoft Office applications. VSTO add-ins, designed to extend the functionality of Office applications, can be manipulated by threat actors to execute malicious code upon application startup. By modifying specific registry keys associated with VSTO add-ins, adversaries can ensure their code is loaded and executed each time an Office application is launched. This technique allows for covert and persistent access to compromised systems, enabling further malicious activities such as data exfiltration, lateral movement, or the deployment of additional payloads. The detection of this persistence mechanism is crucial for defenders to identify and mitigate potential compromises within their environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system via unspecified means (e.g., phishing, exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the registry keys associated with VSTO add-ins for Office applications (Outlook, Word, Excel, PowerPoint). These keys are typically located under \u003ccode\u003e\\Software\\Microsoft\\Office\\[Application]\\Addins\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry to add or modify entries related to a malicious VSTO add-in. This involves setting the \u003ccode\u003eLoadBehavior\u003c/code\u003e value to \u003ccode\u003e3\u003c/code\u003e to ensure the add-in is loaded on startup.\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious VSTO add-in files (DLLs) in a location accessible to the Office application.\u003c/li\u003e\n\u003cli\u003eThe attacker may also modify the \u003ccode\u003e\\Software\\Microsoft\\VSTO\\Security\\Inclusion\\\u003c/code\u003e registry key to bypass security warnings related to unsigned add-ins.\u003c/li\u003e\n\u003cli\u003eThe user launches the targeted Office application (e.g., Outlook).\u003c/li\u003e\n\u003cli\u003eThe Office application loads the malicious VSTO add-in based on the modified registry entries.\u003c/li\u003e\n\u003cli\u003eThe malicious VSTO add-in executes its payload, enabling the attacker to perform malicious activities on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to achieve persistent code execution within Microsoft Office applications. This can lead to the compromise of sensitive data, the deployment of additional malware, and the establishment of a long-term foothold within the targeted environment. The scope of impact depends on the privileges of the user account and the capabilities of the malicious VSTO add-in. Since Office applications are commonly used, a successful attack could potentially affect a large number of users within an organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePotential Persistence Via Visual Studio Tools for Office\u003c/code\u003e to your SIEM to detect suspicious registry modifications related to VSTO add-ins.\u003c/li\u003e\n\u003cli\u003eMonitor registry modifications under the paths \u003ccode\u003e\\Software\\Microsoft\\Office\\Outlook\\Addins\\\u003c/code\u003e, \u003ccode\u003e\\Software\\Microsoft\\Office\\Word\\Addins\\\u003c/code\u003e, \u003ccode\u003e\\Software\\Microsoft\\Office\\Excel\\Addins\\\u003c/code\u003e, \u003ccode\u003e\\Software\\Microsoft\\Office\\Powerpoint\\Addins\\\u003c/code\u003e, and \u003ccode\u003e\\Software\\Microsoft\\VSTO\\Security\\Inclusion\\\u003c/code\u003e (see Sigma rule and references).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted VSTO add-ins.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit installed Office add-ins to identify and remove any suspicious or unauthorized extensions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-vsto-persistence/","summary":"The Visual Studio Tools for Office (VSTO) add-ins can be abused by attackers to establish persistence in Microsoft Office applications by modifying registry keys.","title":"Persistence via Visual Studio Tools for Office (VSTO) Add-ins","url":"https://feed.craftedsignal.io/briefs/2024-01-vsto-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Security Event Logs","HPDeviceCheck","HP Support Assistant","HP Web Products Detection","Microsoft Visual Studio","OneDrive","Firefox","Office","Windows GroupPolicy"],"_cs_severities":["medium"],"_cs_tags":["persistence","scheduled_task","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Hewlett-Packard","Microsoft","Google","Mozilla"],"content_html":"\u003cp\u003eAdversaries frequently abuse Windows scheduled tasks to establish persistence, move laterally within a network, and escalate privileges. This technique involves creating or modifying scheduled tasks to execute malicious code at specific times or in response to certain events. This detection rule identifies suspicious task creation by filtering out benign tasks and those initiated by system accounts, focusing on potential threats. The rule relies on Windows Security Event Logs, offering a valuable method for identifying unauthorized task creation indicative of malicious activity. The detection logic specifically excludes common tasks associated with software updates from vendors like Hewlett-Packard, Microsoft, Google, and Mozilla, as well as tasks run by system accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses their initial access to execute commands, potentially leveraging PowerShell or cmd.exe.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eschtasks\u003c/code\u003e command-line utility or the COM interface to create a new scheduled task.\u003c/li\u003e\n\u003cli\u003eThe scheduled task is configured to execute a malicious payload, such as a reverse shell or a data exfiltration script.\u003c/li\u003e\n\u003cli\u003eThe task is set to trigger based on a specific schedule, such as at system startup, at a specific time, or upon a specific event.\u003c/li\u003e\n\u003cli\u003eWhen the trigger occurs, the scheduled task executes the malicious payload.\u003c/li\u003e\n\u003cli\u003eThe malicious payload establishes persistence, allowing the attacker to maintain access to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use the persistent access to move laterally to other systems or to exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows adversaries to maintain persistent access to compromised systems, potentially leading to data theft, system disruption, or further lateral movement within the network. By creating malicious scheduled tasks, attackers can ensure their code is executed even after a system reboot or user logoff. This can result in long-term compromise and significant damage to affected organizations. While the number of victims and specific sectors targeted are not detailed, the potential impact is broad due to the widespread use of Windows systems in enterprise environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Windows Security Event Logging and ensure that event ID 4698 (A scheduled task was created) is collected.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Scheduled Task Creation via Winlog\u0026rdquo; to your SIEM to detect potentially malicious scheduled task creation events.\u003c/li\u003e\n\u003cli\u003eRegularly review and update the exclusion list in the Sigma rule to account for new benign scheduled tasks in your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the task\u0026rsquo;s name, path, actions, and triggers to determine if they are suspicious.\u003c/li\u003e\n\u003cli\u003eMonitor for related suspicious activity, such as unusual process executions or network connections originating from the compromised system.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-scheduled-task-creation/","summary":"This rule detects the creation of scheduled tasks in Windows using event logs, which adversaries may use for persistence, lateral movement, or privilege escalation by creating malicious tasks.","title":"Detecting Suspicious Scheduled Task Creation in Windows","url":"https://feed.craftedsignal.io/briefs/2024-01-scheduled-task-creation/"}],"language":"en","title":"CraftedSignal Threat Feed — Microsoft Visual Studio","version":"https://jsonfeed.org/version/1.1"}