{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/obkio-agent/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Windows Defender Advanced Threat Protection","SupportAssistAgent","Obkio Agent","SolarWinds Agent","SecuraAgent"],"_cs_severities":["low"],"_cs_tags":["discovery","privilege-escalation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Dell","Obkio","SolarWinds","Infraon Corp"],"content_html":"\u003cp\u003eThis detection rule identifies instances where the SYSTEM account is used to execute account discovery utilities, such as \u003ccode\u003ewhoami.exe\u003c/code\u003e and \u003ccode\u003enet1.exe\u003c/code\u003e. This behavior is commonly observed after an attacker has successfully achieved privilege escalation within a Windows environment, or after exploiting a web application. The rule is designed to detect post-exploitation discovery activity where an adversary attempts to gain situational awareness by enumerating accounts and system information using the elevated SYSTEM context. The rule leverages data from Elastic Defend and Sysmon Event ID 1 to identify these behaviors, helping defenders spot potential privilege escalation and lateral movement attempts.\nThe original rule was created 2020/03/18 and updated 2026/05/04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, potentially through exploiting a vulnerability in a web application or through phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to the SYSTEM account, possibly by exploiting a local privilege escalation vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewhoami.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e via the SYSTEM account to enumerate user accounts and gather system information.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewhoami.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e process is spawned by a parent process such as a web server process (e.g., w3wp.exe) or a service process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the discovered account information to plan further actions, such as lateral movement or credential theft.\u003c/li\u003e\n\u003cli\u003eThe attacker may use \u003ccode\u003enet1.exe\u003c/code\u003e to query domain information.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the gained information to identify valuable targets within the network.\u003c/li\u003e\n\u003cli\u003eThe final objective is often data exfiltration, deployment of ransomware, or further compromise of the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data, lateral movement within the network, and potential data exfiltration or ransomware deployment. Although this rule has low severity, the execution of discovery commands by the SYSTEM account can be a critical indicator of compromise.\nEarly detection of such activity can prevent more severe damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect account discovery commands executed via the SYSTEM account and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to ensure the necessary data is available for detection.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the process execution chain to identify the source of the SYSTEM account usage.\u003c/li\u003e\n\u003cli\u003eIf the process tree includes a web-application server process, investigate suspicious file creation or modification to assess for webshell backdoors.\u003c/li\u003e\n\u003cli\u003eReview and harden web application security to prevent initial access and privilege escalation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T14:00:00Z","date_published":"2024-01-09T14:00:00Z","id":"/briefs/2024-01-09-system-account-discovery/","summary":"The rule identifies when the SYSTEM account uses an account discovery utility, potentially indicating discovery activity after privilege escalation, focusing on utilities like whoami.exe and net1.exe executed under the SYSTEM account.","title":"Account Discovery Command via SYSTEM Account","url":"https://feed.craftedsignal.io/briefs/2024-01-09-system-account-discovery/"}],"language":"en","title":"CraftedSignal Threat Feed — Obkio Agent","version":"https://jsonfeed.org/version/1.1"}