{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/office/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Office","EdgeWebView","Acrobat DC"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","process-injection","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Adobe"],"content_html":"\u003cp\u003eThis detection identifies potential process injection, and process hollowing in particular, by correlating a process creation event with the process access event that follows it. The rule covers child processes spawned by Microsoft Office applications (winword.exe, excel.exe, outlook.exe, powerpnt.exe), scripting engines (cscript.exe, wscript.exe, mshta.exe), and command-line tools (cmd.exe, powershell.exe, rundll32.exe, regsvr32.exe, wmic.exe, cmstp.exe, msxsl.exe). The logic looks for a process started by one of these parents, followed shortly afterwards by a Sysmon Event ID 10 (ProcessAccess) in which that same parent opens the new child and the recorded CallTrace contains an UNKNOWN frame. An UNKNOWN frame means the code in the parent that performed the access is not backed by any module on disk, which is how shellcode running inside an Office or script host process appears to Sysmon. Attackers use process injection to hide malicious activity within legitimate processes, evading detection and hindering forensic analysis. 
This technique is a common tactic used to establish persistence, escalate privileges, or execute malicious payloads.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user opens a malicious document or executes a script.\u003c/li\u003e\n\u003cli\u003eThe Microsoft Office application (e.g., winword.exe) or scripting engine (e.g., wscript.exe) runs the attacker\u0026rsquo;s first-stage code, typically shellcode unpacked into memory that is not backed by any file on disk.\u003c/li\u003e\n\u003cli\u003eThat code creates a new child process (e.g., a legitimate system executable), usually in a suspended state so the child never runs its own code.\u003c/li\u003e\n\u003cli\u003eThe parent opens a handle to the child with memory-write and thread-control access rights. Sysmon Event ID 10 records this access, and because the caller lives in unbacked memory the CallTrace field shows UNKNOWN where a module name would normally appear.\u003c/li\u003e\n\u003cli\u003eThe attacker writes the malicious payload into the child\u0026rsquo;s memory, in process hollowing by unmapping and overwriting the legitimate image, and then resumes the child\u0026rsquo;s main thread.\u003c/li\u003e\n\u003cli\u003eThe injected code executes under the name and context of the child process, performing malicious actions.\u003c/li\u003e\n\u003cli\u003eThese actions can include establishing persistence, downloading additional malware, or exfiltrating data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful process injection allows attackers to mask their malicious activities within legitimate processes, making detection and attribution significantly harder. This can lead to prolonged infections, data breaches, and system compromise. The impact can range from individual workstation compromise to widespread organizational damage, depending on the attacker\u0026rsquo;s objectives and the compromised system\u0026rsquo;s role. 
The rule gives defenders an early signal against both advanced persistent threats (APTs) and commodity malware that use process injection for defense evasion; it detects the behaviour once the access has happened and does not block it.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Event ID 10 (Process Access) to collect the necessary telemetry for this detection (\u003ca href=\"https://ela.st/sysmon-event-1-setup\"\u003eSysmon Event ID 1 - Process Creation\u003c/a\u003e, \u003ca href=\"https://ela.st/sysmon-event-10-setup\"\u003eSysmon Event ID 10 - Process Access\u003c/a\u003e). Sysmon does not record Event ID 10 unless its configuration contains a ProcessAccess rule, so that rule must cover the parent images listed above; keep it scoped, because logging every process access floods the SIEM.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Process Creation CallTrace\u0026rdquo; to your SIEM and tune it for your environment; code that legitimately runs from unbacked memory, such as JIT-compiled .NET code, also produces UNKNOWN frames and is the usual source of false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the process execution chain (parent, child image and command line), the GrantedAccess value of the access event, and what the child process did next: network connections, file writes, or further child processes.\u003c/li\u003e\n\u003cli\u003eConsider dumping the child process\u0026rsquo;s memory while it is still running; in a hollowed process the executable image in memory no longer matches the file on disk, which memory-forensics tooling can flag directly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-suspicious-process-calltrace/","summary":"The rule identifies suspicious process creation where a process is created and immediately accessed from an unknown memory code region by the same parent process, indicating a potential code injection attempt, specifically process hollowing, commonly targeting processes spawned by Microsoft Office applications, scripting engines, and command-line tools for defense evasion.","title":"Suspicious Process Creation Followed by Memory Access from Unknown Region","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-process-calltrace/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["OneDrive","Visual Studio","Office","Firefox","Windows","HP Support 
Assistant"],"_cs_severities":["low"],"_cs_tags":["persistence","scheduled-task","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Hewlett-Packard","Mozilla","Google"],"content_html":"\u003cp\u003eAdversaries frequently leverage scheduled tasks in Windows to maintain persistence, elevate privileges, or facilitate lateral movement within a compromised network. This technique involves creating or modifying scheduled tasks to execute malicious code at specific times or intervals. The detection rule identifies newly created scheduled tasks from the Windows Security event log, filtering out tasks created by system accounts and tasks whose content matches known legitimate software, to minimize false positives. This matters because a task, once created, executes arbitrary commands or programs on a recurring basis and survives system reboots and user logoffs, so it keeps the attacker\u0026rsquo;s foothold with no further interaction. Defenders need to monitor for anomalous task creation events to identify potential malicious activity. 
The rule\u0026rsquo;s key data source is Windows Security Event ID 4698 (A scheduled task was created), which records the creating account, the task name, and the full task XML, including its author, the action it runs, and its triggers; the exclusions are matched against that task content.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to the system through phishing, exploiting a vulnerability, or using compromised credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (if needed):\u003c/strong\u003e Any user can register a task that runs under their own account, so escalation is only needed when the attacker wants the task to run as SYSTEM, as another user, or with highest privileges; in that case they escalate using exploits or by abusing misconfigurations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTask Creation:\u003c/strong\u003e The attacker creates a new scheduled task using tools like \u003ccode\u003eschtasks.exe\u003c/code\u003e or PowerShell.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConfiguration:\u003c/strong\u003e The attacker configures the task to execute a malicious script or program at a specific time or event trigger.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The scheduled task is configured to run at regular intervals or upon system startup, ensuring persistent access to the compromised system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e When the scheduled task triggers, the malicious payload executes, performing actions such as installing malware, stealing data, or establishing a command and control connection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (optional):\u003c/strong\u003e The attacker uses the compromised system and scheduled task to move laterally to other systems on the network, repeating the task creation process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA malicious scheduled task, once registered, gives the attacker persistent access within the compromised environment. 
The attacker can maintain a foothold even after system restarts, enabling them to perform data exfiltration, deploy ransomware, or cause other disruptive activities. While the risk score is relatively low, the potential for persistence makes this a critical area to monitor, especially in environments where lateral movement is a significant concern. The number of affected systems depends on the scope of the initial compromise and the attacker\u0026rsquo;s ability to move laterally.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Other Object Access Events\u0026rdquo; (Advanced Audit Policy Configuration, Object Access) for Success, since Event ID 4698 is not generated until this subcategory is on (reference: setup instructions in the original rule).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious scheduled task creation events, and tune them by adding exclusions for known benign tasks in your environment; anchor each exclusion on the action path or the full task path rather than a bare vendor name, because attackers deliberately name tasks after Microsoft or other vendors to blend in.\u003c/li\u003e\n\u003cli\u003eReview the investigation steps outlined in the rule\u0026rsquo;s notes to triage alerts related to scheduled task creation, focusing on unfamiliar task names, unusual user accounts, and suspicious scheduled actions such as script hosts launched with hidden windows or binaries run from user-writable directories.\u003c/li\u003e\n\u003cli\u003eConsult the rule\u0026rsquo;s references for Microsoft\u0026rsquo;s documentation of Windows Event ID 4698, which is generated when a scheduled task is created and carries the full task definition.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-scheduled-task-creation/","summary":"Adversaries may create scheduled tasks on Windows systems to establish persistence, move laterally, or escalate privileges, and this detection identifies such activity by monitoring Windows event logs for scheduled task creation events, excluding known benign tasks and those created by system accounts.","title":"Windows Scheduled Task Creation for 
Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-02-scheduled-task-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Security Event Logs","HPDeviceCheck","HP Support Assistant","HP Web Products Detection","Microsoft Visual Studio","OneDrive","Firefox","Office","Windows GroupPolicy"],"_cs_severities":["medium"],"_cs_tags":["persistence","scheduled_task","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Hewlett-Packard","Microsoft","Google","Mozilla"],"content_html":"\u003cp\u003eAdversaries frequently abuse Windows scheduled tasks to establish persistence, move laterally within a network, and escalate privileges. This technique involves creating or modifying scheduled tasks to execute malicious code at specific times or in response to certain events. This detection rule identifies suspicious task creation by filtering out benign tasks and those initiated by system accounts, focusing on potential threats. The rule relies on Windows Security Event Logs, offering a valuable method for identifying unauthorized task creation indicative of malicious activity. 
The detection logic specifically excludes common tasks associated with software updates from vendors like Hewlett-Packard, Microsoft, Google, and Mozilla, as well as tasks created by system accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses their initial access to execute commands, potentially leveraging PowerShell or cmd.exe.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eschtasks\u003c/code\u003e command-line utility, the \u003ccode\u003eRegister-ScheduledTask\u003c/code\u003e PowerShell cmdlet, or the Task Scheduler COM interface directly to create a new scheduled task; all three paths produce the same Event ID 4698 record.\u003c/li\u003e\n\u003cli\u003eThe scheduled task is configured to execute a malicious payload, such as a reverse shell or a data exfiltration script.\u003c/li\u003e\n\u003cli\u003eThe task is set to trigger based on a specific schedule, such as at system startup, at a specific time, or upon a specific event.\u003c/li\u003e\n\u003cli\u003eWhen the trigger occurs, the scheduled task executes the malicious payload.\u003c/li\u003e\n\u003cli\u003eThe malicious payload establishes persistence, allowing the attacker to maintain access to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use the persistent access to move laterally to other systems or to exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA malicious scheduled task gives adversaries persistent access to compromised systems, potentially leading to data theft, system disruption, or further lateral movement within the network. Because the Task Scheduler service runs the task on its trigger, the attacker\u0026rsquo;s code executes after a system reboot or user logoff without any further interaction. This can result in long-term compromise and significant damage to affected organizations. 
While the number of victims and specific sectors targeted are not detailed, the potential impact is broad due to the widespread use of Windows systems in enterprise environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Windows Security Event Logging with the \u0026ldquo;Audit Other Object Access Events\u0026rdquo; subcategory turned on, and ensure that event ID 4698 (A scheduled task was created) is collected; without that audit setting the event is never written.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Scheduled Task Creation via Winlog\u0026rdquo; to your SIEM to detect potentially malicious scheduled task creation events.\u003c/li\u003e\n\u003cli\u003eRegularly review and update the exclusion list in the Sigma rule to account for new benign scheduled tasks in your environment, keeping each exclusion as specific as possible (the updater\u0026rsquo;s full action path, not a bare vendor name), since a broad pattern also hides an attacker who names a task after that vendor.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the task\u0026rsquo;s name, path, actions, and triggers in the TaskContent field to determine if they are suspicious; script hosts with hidden windows, encoded commands, and binaries in user-writable locations are common signs.\u003c/li\u003e\n\u003cli\u003eMonitor for related suspicious activity, such as unusual process executions or network connections originating from the compromised system, and check for matching Event ID 4702 (task updated) and 4699 (task deleted) records, which attackers use to repurpose a benign task or to clean up.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-scheduled-task-creation/","summary":"This rule detects the creation of scheduled tasks in Windows using event logs, which adversaries may use for persistence, lateral movement, or privilege escalation by creating malicious tasks.","title":"Detecting Suspicious Scheduled Task Creation in Windows","url":"https://feed.craftedsignal.io/briefs/2024-01-scheduled-task-creation/"}],"language":"en","title":"CraftedSignal Threat Feed — Office","version":"https://jsonfeed.org/version/1.1"}
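Added example for the first brief, "Suspicious Process Creation Followed by Memory Access from Unknown Region": this is editor-written Python, not code from the feed or from the rule's authors. It replays the correlation the brief describes over constructed Sysmon Event ID 1 and Event ID 10 records. The event field names are Sysmon's own (Event ID 1 uses ProcessGuid/ParentProcessGuid, Event ID 10 uses SourceProcessGUID/TargetProcessGUID); the GUIDs, paths, timestamps, CallTrace strings and the one-minute correlation window are assumptions made for the example.

```python
"""Correlate Sysmon Event ID 1 (ProcessCreate) with a following Event ID 10 (ProcessAccess)
from the same parent whose CallTrace contains an UNKNOWN (unbacked-memory) frame.

Added example, not the feed's or the rule's own code. Sysmon field names are real; the
sample telemetry below is constructed.
"""
from datetime import datetime
from pathlib import PureWindowsPath

# Parent images the rule watches (taken from the brief).
WATCHED_PARENTS = {
    "winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
    "cscript.exe", "wscript.exe", "mshta.exe",
    "cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
    "wmic.exe", "cmstp.exe", "msxsl.exe",
}
MAXSPAN_SECONDS = 60  # assumed correlation window; the brief only says "immediately"

# Constructed sample telemetry; the GUIDs are placeholders, not real Sysmon GUIDs.
P_WINWORD, P_PWSH, P_EXPLORER = "{A1-0001}", "{A1-0002}", "{A1-0003}"
C_SVCHOST, C_CONHOST, C_NOTEPAD = "{B2-0001}", "{B2-0002}", "{B2-0003}"
NTDLL, KBASE = r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4", r"C:\Windows\System32\KERNELBASE.dll+2bf0e"

SAMPLE_EVENTS = [
    # winword.exe starts svchost.exe, a common hollowing target ...
    {"EventID": 1, "UtcTime": "2024-01-03 10:00:01.000", "ProcessGuid": C_SVCHOST,
     "Image": r"C:\Windows\System32\svchost.exe", "ParentProcessGuid": P_WINWORD,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    # ... and two seconds later opens it; the top frame is unbacked memory (shellcode).
    {"EventID": 10, "UtcTime": "2024-01-03 10:00:03.000", "SourceProcessGUID": P_WINWORD,
     "TargetProcessGUID": C_SVCHOST, "GrantedAccess": "0x1FFFFF",
     "CallTrace": f"{NTDLL}|{KBASE}|UNKNOWN(000001E4C3A50120)"},
    # powershell.exe starts conhost.exe and opens it from module-backed code: benign.
    {"EventID": 1, "UtcTime": "2024-01-03 10:05:00.000", "ProcessGuid": C_CONHOST,
     "Image": r"C:\Windows\System32\conhost.exe", "ParentProcessGuid": P_PWSH,
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 10, "UtcTime": "2024-01-03 10:05:00.500", "SourceProcessGUID": P_PWSH,
     "TargetProcessGUID": C_CONHOST, "GrantedAccess": "0x1000",
     "CallTrace": f"{NTDLL}|{KBASE}|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe+1a2b3"},
    # explorer.exe is not in the parent list, so its UNKNOWN access is outside this rule's scope.
    {"EventID": 1, "UtcTime": "2024-01-03 10:06:00.000", "ProcessGuid": C_NOTEPAD,
     "Image": r"C:\Windows\System32\notepad.exe", "ParentProcessGuid": P_EXPLORER,
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 10, "UtcTime": "2024-01-03 10:06:01.000", "SourceProcessGUID": P_EXPLORER,
     "TargetProcessGUID": C_NOTEPAD, "GrantedAccess": "0x1410",
     "CallTrace": f"{NTDLL}|UNKNOWN(00007FF6A0001000)"},
    # A second UNKNOWN access from winword.exe to svchost.exe, ten minutes later: outside MAXSPAN.
    {"EventID": 10, "UtcTime": "2024-01-03 10:10:03.000", "SourceProcessGUID": P_WINWORD,
     "TargetProcessGUID": C_SVCHOST, "GrantedAccess": "0x1FFFFF",
     "CallTrace": f"{NTDLL}|UNKNOWN(000001E4C3A50120)"},
]


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def _basename(image):
    return PureWindowsPath(image).name.lower()


def correlate(events, maxspan_seconds=MAXSPAN_SECONDS):
    """Return one alert per (child start, parent access with UNKNOWN frame) pair within maxspan."""
    pending = {}  # child ProcessGuid -> its Event ID 1, kept only for watched parents
    alerts = []
    for ev in sorted(events, key=_ts):
        if ev["EventID"] == 1:
            if _basename(ev["ParentImage"]) in WATCHED_PARENTS:
                pending[ev["ProcessGuid"]] = ev
        elif ev["EventID"] == 10:
            child = pending.get(ev["TargetProcessGUID"])
            if child is None:
                continue  # target was not started by a watched parent
            delta = (_ts(ev) - _ts(child)).total_seconds()
            same_parent = ev["SourceProcessGUID"] == child["ParentProcessGuid"]
            in_window = 0 <= delta <= maxspan_seconds
            unbacked = "UNKNOWN" in ev["CallTrace"]  # Sysmon renders unbacked frames as UNKNOWN(addr)
            if same_parent and in_window and unbacked:
                alerts.append({"parent": _basename(child["ParentImage"]), "child": _basename(child["Image"]),
                               "granted_access": ev["GrantedAccess"], "seconds_after_start": delta,
                               "calltrace": ev["CallTrace"]})
    return alerts


def run_sample():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a['parent']} -> {a['child']} ({a['granted_access']}) "
              f"{a['seconds_after_start']:.1f}s after start: {a['calltrace']}")
```

Only the winword.exe to svchost.exe pair fires: the powershell.exe access has a fully module-backed CallTrace, the explorer.exe case is outside the parent list, and the late winword.exe access falls outside the window. In a SIEM the same logic is a sequence over the two event types keyed on host and parent GUID.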
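Added example for the two scheduled-task briefs, "Windows Scheduled Task Creation for Persistence" and "Detecting Suspicious Scheduled Task Creation in Windows": editor-written Python, not the feed's or the rule's own code. It parses the TaskContent XML carried by Event ID 4698 and applies the two exclusion classes both briefs describe, tasks created by system accounts and tasks belonging to known vendor updaters. The 4698 field names and the Task Scheduler XML namespace are Microsoft's; the exclusion patterns, user names, SIDs, task names and command lines are constructed for the example.

```python
"""Triage of Windows Security Event ID 4698 records with the exclusions the briefs describe.

Added example, not the feed's or the rule's own code. Field names and the Task Scheduler
XML namespace are Microsoft's; the patterns, accounts and paths below are constructed.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Well-known SIDs of the built-in service accounts: SYSTEM, LOCAL SERVICE, NETWORK SERVICE.
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

# Assumed exclusion list for the vendors the briefs name. These are substrings of the
# *action* path, not of the task name, so a task merely named after a vendor is not excluded.
BENIGN_COMMAND_PATTERNS = (
    "\\microsoft\\onedrive\\",
    "\\hp\\hp support assistant\\",
    "\\mozilla firefox\\",
    "\\google\\update\\",
    "\\microsoft visual studio\\",
)

_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def parse_task_content(xml_text):
    """Extract author, Exec actions and trigger types from Task Scheduler XML.

    4698 stores the XML with an encoding="UTF-16" declaration; once the event text has been
    decoded to str, expat rejects that declaration, so it is stripped before parsing.
    """
    root = ET.fromstring(_XML_DECL.sub("", xml_text, count=1))
    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS)
    actions = [(ex.findtext("t:Command", default="", namespaces=NS),
                ex.findtext("t:Arguments", default="", namespaces=NS))
               for ex in root.findall("t:Actions/t:Exec", NS)]
    triggers_el = root.find("t:Triggers", NS)
    triggers = [] if triggers_el is None else [t.tag.rsplit("}", 1)[-1] for t in triggers_el]
    return {"author": author, "actions": actions, "triggers": triggers}


def is_system_account(user_name, user_sid):
    """Machine accounts end in '$'; the built-in service accounts have fixed SIDs."""
    return user_name.endswith("$") or user_sid in SERVICE_SIDS


def evaluate_4698(event):
    """Apply the exclusions to one 4698 record and return a verdict plus the parsed task."""
    task = parse_task_content(event["TaskContent"])
    task["task_name"] = event["TaskName"]
    if is_system_account(event["SubjectUserName"], event["SubjectUserSid"]):
        return {"verdict": "excluded", "reason": "created by a system account", **task}
    for command, _ in task["actions"]:
        if any(p in command.lower() for p in BENIGN_COMMAND_PATTERNS):
            return {"verdict": "excluded", "reason": f"known vendor updater: {command}", **task}
    return {"verdict": "alert", "reason": "user-created task with no benign match", **task}


def triage(events):
    """Return the evaluations that survive the exclusions."""
    return [r for r in map(evaluate_4698, events) if r["verdict"] == "alert"]


def _task_xml(author, trigger_xml, command, arguments=""):
    """Build a minimal task document in the shape 4698 logs it (constructed sample data)."""
    args = f"<Arguments>{arguments}</Arguments>" if arguments else ""
    return ('<?xml version="1.0" encoding="UTF-16"?>'
            f'<Task version="1.2" xmlns="{NS["t"]}">'
            f"<RegistrationInfo><Author>{author}</Author></RegistrationInfo>"
            f"<Triggers>{trigger_xml}</Triggers>"
            f'<Actions Context="Author"><Exec><Command>{command}</Command>{args}</Exec></Actions>'
            "</Task>")


DAILY = ("<CalendarTrigger><StartBoundary>2024-01-02T12:00:00</StartBoundary>"
         "<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>")

SAMPLE_4698 = [  # constructed events; accounts, SIDs and paths are placeholders
    {"SubjectUserName": "jdoe", "SubjectUserSid": "S-1-5-21-1111-2222-3333-1001",
     "TaskName": "\\OneDrive Standalone Update Task-S-1-5-21-1111-2222-3333-1001",
     "TaskContent": _task_xml("WS01\\jdoe", DAILY,
         "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe")},
    {"SubjectUserName": "WS01$", "SubjectUserSid": "S-1-5-18",
     "TaskName": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start",
     "TaskContent": _task_xml("Microsoft Corporation", DAILY,
         "C:\\Windows\\System32\\sc.exe", "start wuauserv")},
    {"SubjectUserName": "jdoe", "SubjectUserSid": "S-1-5-21-1111-2222-3333-1001",
     "TaskName": "\\Microsoft\\Windows\\Maintenance\\Updater",  # vendor-looking name, user-created
     "TaskContent": _task_xml("WS01\\jdoe", "<LogonTrigger><Enabled>true</Enabled></LogonTrigger>",
         "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
         "-NoProfile -WindowStyle Hidden -File C:\\Users\\Public\\update.ps1")},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_4698):
        print(f"ALERT {r['task_name']} by {r['author']}: {r['actions']} on {r['triggers']}")
```

The third sample task lives under \Microsoft\Windows\ and would slip past an exclusion written against the task name; because the exclusions here key on the action path, it is the only record that survives triage.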