MsMpEng.exe — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/msmpeng.exe/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 14:00:00 +0000Potential RemoteMonologue Attack via Registry Modificationhttps://feed.craftedsignal.io/briefs/2024-01-remotemonologue-regmod/Wed, 03 Jan 2024 14:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-remotemonologue-regmod/This rule detects potential RemoteMonologue attacks by identifying attempts to perform session hijacking via COM object registry modification, specifically when the RunAs value is set to Interactive User.The RemoteMonologue attack technique abuses Component Object Model (COM) objects to coerce authentication from a remote system. This is achieved by modifying the RunAs registry value associated with a COM object. Setting this value to “Interactive User” forces the COM object to run under the context of the interactive user, enabling attackers to hijack sessions and potentially escalate privileges. This technique is often used as a defense evasion or persistence mechanism by adversaries after gaining initial access to a system. The attack involves modifying registry keys associated with COM objects to trigger NTLM authentication coercion. This can be used for lateral movement and gaining access to sensitive resources. This rule is designed to detect registry modifications indicative of the RemoteMonologue attack.

Attack Chain

  1. Initial Access: An attacker gains initial access to the target system through unspecified means.
  2. Identify COM Objects: The attacker identifies suitable COM objects for abuse.
  3. Modify Registry: The attacker modifies the registry to set the RunAs value for the selected COM object to Interactive User. This involves modifying the registry path HKCR\AppID\{Clsid}\RunAs.
  4. Trigger COM Object Execution: The attacker triggers the execution of the modified COM object, potentially through a remote procedure call or other inter-process communication mechanisms.
  5. Authentication Coercion: The execution of the COM object triggers NTLM authentication to a system controlled by the attacker.
  6. Relay Attack: The attacker relays the coerced NTLM authentication to gain access to other resources on the network.
  7. Session Hijacking: Successful relay leads to session hijacking, allowing the attacker to impersonate the user.
  8. Lateral Movement/Privilege Escalation: The attacker uses the hijacked session for lateral movement or privilege escalation within the network.

Impact

A successful RemoteMonologue attack can lead to unauthorized access to sensitive systems and data. By coercing authentication and hijacking sessions, attackers can bypass security controls and escalate their privileges within the network. The scope of the impact depends on the privileges of the hijacked user account and the resources accessible to that account. This attack can enable lateral movement, data exfiltration, and other malicious activities.

Recommendation

  • Deploy the Sigma rule Detect RemoteMonologue Registry Modification to your SIEM to identify suspicious registry modifications related to COM object hijacking.
  • Enable Sysmon registry event logging to capture the necessary data for the Sigma rules to function effectively.
  • Investigate any alerts generated by the Sigma rule by reviewing the registry event logs and identifying the user account and process responsible for the registry modification.
  • Implement enhanced monitoring on critical systems to detect any attempts to modify COM object registry settings.
  • Block the attack by ensuring “RunAs” value is not set to “Interactive User”.
]]>mediumadvisoryremotemonologuedefense-evasionpersistencewindows