<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>OneDrive — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/onedrive/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 04 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/onedrive/feed.xml" rel="self" type="application/rss+xml"/><item><title>Detection of Command and Control Activity via Commonly Abused Web Services</title><link>https://feed.craftedsignal.io/briefs/2024-01-04-c2-web-services/</link><pubDate>Thu, 04 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-04-c2-web-services/</guid><description>This rule detects command and control activity using common web services by identifying Windows hosts making DNS requests to a list of commonly abused web services from processes outside of known program locations, potentially indicating adversaries attempting to blend malicious traffic with legitimate network activity.</description><content:encoded><![CDATA[<p>Adversaries may implement command and control (C2) communications over common web services to hide their activity. The technique is aimed at a specific organization and relies on web services that are already common in the victim network, which lets the adversary blend into legitimate traffic. These services are chosen because they were most likely in use before the compromise, so traffic to them does not stand out. 
This detection identifies Windows hosts on which a process running outside the usual program installation directories resolves or connects to a predefined list of commonly abused web services, which may indicate a C2 channel built on a legitimate service. It works by correlating DNS queries and network connections with the image path of the originating process, so DNS logging that attributes each query to its process is a prerequisite.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial access is achieved via an unknown method (e.g., phishing, exploit).</li>
<li>Malware is installed on the victim&rsquo;s system, likely outside typical program directories.</li>
<li>The malware resolves the domain of a commonly abused web service (e.g., pastebin.com, raw.githubusercontent.com) and connects to it over the service&rsquo;s normal HTTPS endpoint, so the C2 traffic looks like ordinary use of that service.</li>
<li>The malware posts encoded or encrypted beacon data and task results to the web service.</li>
<li>The web service acts as an intermediary: the attacker retrieves the posted data from the service and leaves tasking there, so the host need not contact attacker-controlled infrastructure directly.</li>
<li>The malware polls the service and retrieves the attacker&rsquo;s instructions through the same channel.</li>
<li>The malware executes the received commands, potentially leading to data exfiltration, lateral movement, or other malicious activity.</li>
<li>The attacker maintains persistent access to and control over the compromised system using the web service as a covert C2 channel.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to data theft, system compromise, and further propagation within the network. Since commonly used web services are utilized, the malicious activity can blend in with legitimate network traffic, making it difficult to detect. The impact can range from minor data breaches to complete network compromise, depending on the attacker&rsquo;s objectives and the level of access gained.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect Commonly Abused Web Services via DNS</code> to your SIEM to identify suspicious DNS queries to known C2 web services originating from anomalous processes.</li>
<li>Enable DNS query logging on Windows endpoints to provide the data source required for the Sigma rule.</li>
<li>Review network connection logs for processes outside standard installation directories communicating with the domains listed in the rule&rsquo;s detection logic to identify potential C2 activity.</li>
<li>Implement network segmentation to limit the potential impact of compromised hosts.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>command-and-control</category><category>windows</category><category>threat-detection</category></item><item><title>Detection of Command and Control Activity via Common Web Services</title><link>https://feed.craftedsignal.io/briefs/2024-01-common-web-services-c2/</link><pubDate>Wed, 03 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-common-web-services-c2/</guid><description>This rule detects command and control (C2) communications that use common web services to hide malicious activity on Windows hosts by identifying network connections to commonly abused web services from processes outside of known legitimate program locations, indicating potential exfiltration or C2 activity blended with legitimate traffic.</description><content:encoded><![CDATA[<p>This detection rule, sourced from Elastic, identifies potential command and control (C2) activity by detecting connections to commonly abused web services. Adversaries often leverage popular web services like pastebin, GitHub, Dropbox, and Discord to mask malicious communications within legitimate network traffic. This technique makes it challenging for defenders to distinguish between normal user activity and malicious C2 traffic. The rule focuses on Windows systems and monitors DNS queries to identify processes communicating with a predefined list of services known to be abused by attackers. The rule was last updated on 2026-05-04 and is designed to work with data from Elastic Defend and SentinelOne Cloud Funnel. The goal is to identify anomalous network connections originating from unusual processes.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A user on a Windows host unknowingly executes a malicious file (e.g., via phishing or drive-by download).</li>
<li>The malicious file executes a process outside of typical program directories (e.g., <code>C:\Windows\Temp</code>).</li>
<li>This process initiates a DNS query to a domain associated with a commonly abused web service (e.g., <code>pastebin.com</code>, <code>githubusercontent.com</code>).</li>
<li>The DNS query resolves to an IP address, and a network connection is established to the web service.</li>
<li>The malicious process uploads or downloads data from the web service, potentially containing commands for the compromised host or exfiltrated data.</li>
<li>The web service acts as an intermediary, relaying commands from the attacker to the compromised host or exfiltrated data from the compromised host to the attacker.</li>
<li>The attacker uses the C2 channel to perform further actions on the compromised host, such as lateral movement or data theft.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack using common web services for C2 can lead to data exfiltration, system compromise, and further propagation within the network. The low severity suggests a focus on detecting early-stage C2 activity, which if left unchecked, could escalate into a significant incident. The usage of popular web services makes detection difficult, requiring careful analysis and tuning to avoid false positives.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Connection to Commonly Abused Web Services&rdquo; to your SIEM and tune it for your environment to minimize false positives.</li>
<li>Enable Sysmon DNS query logging (Event ID 22) so that each query is attributed to the process that issued it; this is the data source the companion rule &ldquo;DNS Query to Commonly Abused Web Services&rdquo; depends on.</li>
<li>Investigate any alerts generated by this rule, focusing on the process execution chain and network connections to determine the legitimacy of the activity, referencing the investigation steps described in the rule documentation.</li>
<li>Review and update the list of excluded processes in the Sigma rule to reflect your organization&rsquo;s approved software and reduce false positives.</li>
</ul>
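<p>As an added worked example (not code from this feed or from the Elastic rule it summarises), the following Python applies the detection logic of both C2-via-web-services briefs above to Sysmon Event ID 22 records rendered as text: a process image outside the known program directories issuing a DNS query for one of the abused services. The domain subset, the program-directory list and the three sample events are constructed for the example and are not part of either rule.</p>

```python
"""Flag DNS queries for commonly abused web services that originate from
processes outside the usual program directories (Sysmon Event ID 22)."""
import re
from typing import Iterator

# Subset of the abused services the briefs name; the Sigma rule carries the
# full list. Constructed for this example, extend to taste.
ABUSED_DOMAINS = (
    "pastebin.com",
    "githubusercontent.com",   # also matches raw.githubusercontent.com
    "dropbox.com",
    "discord.com",
    "discordapp.com",
)

# Known program locations (case-insensitive prefix match on the image path).
KNOWN_PROGRAM_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)

# One "Key: value" line of a Sysmon event as Event Viewer renders it.
_FIELD = re.compile(r"^\s*(\w+):\s*(.*?)\s*$")


def parse_sysmon_events(text: str) -> Iterator[dict]:
    """Split blank-line separated Sysmon text events into field dicts."""
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            m = _FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields:
            yield fields


def _domain_matches(query_name: str, domain: str) -> bool:
    """Exact or subdomain match, ignoring case and a trailing dot."""
    q = query_name.lower().rstrip(".")
    return q == domain or q.endswith("." + domain)


def is_known_program_location(image: str) -> bool:
    return image.lower().replace("/", "\\").startswith(KNOWN_PROGRAM_PREFIXES)


def is_suspicious_query(event: dict) -> bool:
    """True when a process outside known program paths queried an abused domain."""
    image, query = event.get("Image", ""), event.get("QueryName", "")
    if not image or not query or is_known_program_location(image):
        return False
    return any(_domain_matches(query, d) for d in ABUSED_DOMAINS)


def find_suspicious(text: str) -> list:
    """(Image, QueryName) pairs that match the detection, in log order."""
    return [(e["Image"], e["QueryName"])
            for e in parse_sysmon_events(text) if is_suspicious_query(e)]


# Three constructed Event ID 22 records: a dropper in %TEMP% resolving a
# GitHub raw-content host (alert), Chrome resolving Discord from Program Files
# (expected), and the same dropper resolving a Microsoft login host (no match).
SAMPLE_LOG = """\
Dns query:
UtcTime: 2024-01-04 11:58:02.123
ProcessId: 4312
QueryName: raw.githubusercontent.com
QueryStatus: 0
Image: C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe
User: LAB\\bob

Dns query:
UtcTime: 2024-01-04 11:58:05.456
ProcessId: 2204
QueryName: discord.com
QueryStatus: 0
Image: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
User: LAB\\bob

Dns query:
UtcTime: 2024-01-04 11:58:09.789
ProcessId: 4312
QueryName: login.microsoftonline.com
QueryStatus: 0
Image: C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe
User: LAB\\bob
"""

if __name__ == "__main__":
    for image, query in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {image} -> {query}")
```

<p>Tuning lives in the two tuples: add approved software paths to <code>KNOWN_PROGRAM_PREFIXES</code> and the remaining domains from the rule to <code>ABUSED_DOMAINS</code>. The path check is only a weak boundary: code injected into a browser that lives under <code>Program Files</code>, or a binary dropped into a writable subdirectory there, passes it, so treat the process path as one signal alongside process ancestry and the volume and timing of the queries.</p>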
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>command-and-control</category><category>webservice</category><category>windows</category></item><item><title>Windows Scheduled Task Creation for Persistence</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-scheduled-task-creation/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-scheduled-task-creation/</guid><description>Adversaries may create scheduled tasks on Windows systems to establish persistence, move laterally, or escalate privileges, and this detection identifies such activity by monitoring Windows event logs for scheduled task creation events, excluding known benign tasks and those created by system accounts.</description><content:encoded><![CDATA[<p>Adversaries frequently leverage scheduled tasks in Windows to maintain persistence, elevate privileges, or facilitate lateral movement within a compromised network. This technique involves creating or modifying scheduled tasks to execute malicious code at specific times or intervals. The detection rule focuses on identifying the creation of new scheduled tasks logged in Windows event logs, filtering out tasks created by system accounts and those associated with legitimate software to minimize false positives. This detection is crucial because successful exploitation allows attackers to execute arbitrary commands or programs on a recurring basis, maintaining a foothold even after system reboots or user logoffs. Defenders need to monitor for anomalous task creation events to identify potential malicious activity. The rule references Microsoft Event ID 4698 as a key data source for detecting scheduled task creation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> An attacker gains initial access to the system through phishing, exploiting a vulnerability, or using compromised credentials.</li>
<li><strong>Privilege Escalation (if needed):</strong> The attacker escalates privileges using exploits or by abusing misconfigurations to gain the necessary permissions to create scheduled tasks.</li>
<li><strong>Task Creation:</strong> The attacker creates a new scheduled task using tools like <code>schtasks.exe</code> or PowerShell.</li>
<li><strong>Configuration:</strong> The attacker configures the task to execute a malicious script or program at a specific time or event trigger.</li>
<li><strong>Persistence:</strong> The scheduled task is configured to run at regular intervals or upon system startup, ensuring persistent access to the compromised system.</li>
<li><strong>Execution:</strong> When the scheduled task triggers, the malicious payload executes, performing actions such as installing malware, stealing data, or establishing a command and control connection.</li>
<li><strong>Lateral Movement (optional):</strong> The attacker uses the compromised system and scheduled task to move laterally to other systems on the network, repeating the task creation process.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation via scheduled task creation can lead to persistent access within the compromised environment. The attacker can maintain a foothold even after system restarts, enabling them to perform data exfiltration, deploy ransomware, or cause other disruptive activities. While the risk score is relatively low, the potential for persistence makes this a critical area to monitor, especially in environments where lateral movement is a significant concern. The number of affected systems depends on the scope of the initial compromise and the attacker&rsquo;s ability to move laterally.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable &ldquo;Audit Other Object Access Events&rdquo; to generate the necessary Windows Security Event Logs for detecting scheduled task creation (reference: setup instructions in the original rule).</li>
<li>Deploy the provided Sigma rules to your SIEM to detect suspicious scheduled task creation events, and tune the rules by adding exclusions for known benign tasks in your environment.</li>
<li>Review the investigation steps outlined in the rule&rsquo;s notes to triage alerts related to scheduled task creation, focusing on unfamiliar task names, unusual user accounts, and suspicious scheduled actions.</li>
<li>Use the <code>references</code> URL to understand the specific details of Windows Event ID 4698, which is generated when a scheduled task is created.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>persistence</category><category>scheduled-task</category><category>windows</category></item><item><title>Masquerading Business Application Installers</title><link>https://feed.craftedsignal.io/briefs/2024-01-masquerading-business-apps/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-masquerading-business-apps/</guid><description>Attackers masquerade malicious executables as legitimate business application installers to trick users into downloading and executing malware, leveraging defense evasion and initial access techniques.</description><content:encoded><![CDATA[<p>Attackers often trick users into downloading and executing malicious executables by disguising them as legitimate business applications. The tactic bypasses security controls that depend on user judgement and gives the attacker initial access to a system. These executables, often distributed via malicious ads, forum posts, and tutorials, mimic the names of commonly used applications such as Slack, WebEx, Teams, Discord, and Zoom. They are typically unsigned or carry an invalid signature, which is precisely what the detection keys on. Once run, the installer executes attacker-controlled code on the victim&rsquo;s machine and can stage further compromise. Because the lure targets end users rather than a technical control, it is effective against anyone who does not check where a download came from or whether it is signed.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The user visits a compromised website or clicks on a malicious advertisement.</li>
<li>The user is prompted to download an installer file masquerading as a legitimate business application (e.g., Slack, Zoom, Teams).</li>
<li>The downloaded executable lands in the user&rsquo;s Downloads folder (e.g., <code>C:\Users\*\Downloads\*</code>), the path pattern the detection keys on.</li>
<li>The user executes the downloaded file.</li>
<li>The executable, lacking a valid code signature, begins execution.</li>
<li>The malicious installer may drop and execute additional malware components.</li>
<li>The malware establishes persistence, potentially using techniques such as registry key modification.</li>
<li>The malware performs malicious activities, such as data exfiltration or lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful execution of a masqueraded business application installer can lead to a complete system compromise. The attacker gains initial access and can deploy various malware payloads, including ransomware, keyloggers, and data stealers. This can result in data breaches, financial loss, and reputational damage. Although the specific number of victims and sectors targeted are not detailed, the widespread use of the applications being spoofed (Slack, Zoom, etc.) suggests a broad potential impact.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement the Sigma rule <code>Potential Masquerading as Business App Installer</code> to detect unsigned executables resembling legitimate business applications in download directories.</li>
<li>Enable process creation logging to capture the execution of unsigned executables.</li>
<li>Educate users on the risks of downloading and executing files from untrusted sources.</li>
<li>Implement application whitelisting to restrict the execution of unauthorized applications.</li>
<li>Regularly update endpoint detection and response (EDR) tools to detect and prevent the execution of known malware.</li>
<li>Monitor process execution events for processes originating from the Downloads folder that lack valid code signatures.</li>
</ul>
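<p>The following Python is an added example of the detection described in this brief, not code from the feed or from the Sigma rule it names. It evaluates process-start records for the three conditions the brief lists: the image runs from a user&rsquo;s Downloads folder, its file name mimics one of the business applications, and it is either unsigned or signed with a certificate that does not validate. The record shape (an <code>image</code> path plus a <code>code_signature</code> object with <code>exists</code> and <code>trusted</code> flags, loosely modelled on ECS) and the five sample events are assumptions constructed for the example.</p>

```python
"""Flag process starts of unsigned (or untrusted-signed) executables whose
names mimic business apps and that run from a user's Downloads folder."""
import fnmatch
import json
import re

# Application names the brief says are mimicked.
BUSINESS_APPS = ("slack", "zoom", "teams", "webex", "discord")
# Download-directory pattern from the brief, matched case-insensitively.
DOWNLOADS_GLOB = "c:\\users\\*\\downloads\\*"
INSTALLER_EXTS = (".exe", ".msi")
_APP_NAME = re.compile("|".join(BUSINESS_APPS), re.IGNORECASE)


def has_trusted_signature(event: dict) -> bool:
    """True only when the binary is signed AND the chain validates.
    An invalid or revoked certificate shows up as exists=True, trusted=False
    (assumed field semantics, modelled on ECS process.code_signature)."""
    sig = event.get("code_signature") or {}
    return bool(sig.get("exists")) and bool(sig.get("trusted"))


def is_masquerading_installer(event: dict) -> bool:
    path = event.get("image", "").lower().replace("/", "\\")
    if not fnmatch.fnmatchcase(path, DOWNLOADS_GLOB):
        return False                      # not launched from Downloads
    file_name = path.rsplit("\\", 1)[-1]
    if not file_name.endswith(INSTALLER_EXTS):
        return False                      # documents etc. are out of scope
    if not _APP_NAME.search(file_name):
        return False                      # name does not mimic a business app
    return not has_trusted_signature(event)


def scan_process_events(jsonl: str) -> list:
    """Image paths of alerting events from newline-delimited JSON, in order."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_masquerading_installer(event):
            alerts.append(event["image"])
    return alerts


# Constructed sample records: unsigned Slack lookalike (alert), genuinely
# signed Zoom installer (no alert), Discord lookalike with an untrusted chain
# (alert), unsigned binary outside Downloads (no alert), and a PDF (no alert).
SAMPLE_EVENTS = r"""
{"image": "C:\\Users\\bob\\Downloads\\Slack-Setup.exe", "code_signature": {"exists": false, "trusted": false}}
{"image": "C:\\Users\\bob\\Downloads\\ZoomInstallerFull.exe", "code_signature": {"exists": true, "trusted": true, "subject_name": "Zoom Video Communications, Inc."}}
{"image": "C:\\Users\\bob\\Downloads\\discord_setup.msi", "code_signature": {"exists": true, "trusted": false, "status": "errorUntrustedRoot"}}
{"image": "C:\\Program Files\\Teams\\Teams.exe", "code_signature": {"exists": false, "trusted": false}}
{"image": "C:\\Users\\bob\\Downloads\\report.pdf", "code_signature": {"exists": false, "trusted": false}}
"""

if __name__ == "__main__":
    for image in scan_process_events(SAMPLE_EVENTS):
        print("ALERT masquerading installer:", image)
```

<p>Both the unsigned and the signed-but-untrusted cases alert, which matches the brief&rsquo;s note that these installers are unsigned or carry invalid certificates. A trusted signature from the expected publisher is the strongest single benign indicator here, so surfacing the signer&rsquo;s subject name in the alert saves the analyst a lookup; the name match alone is deliberately loose and will also catch legitimately renamed downloads, which the signature check is there to clear.</p>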
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>masquerading</category><category>defense-evasion</category><category>initial-access</category><category>malware</category><category>windows</category></item><item><title>Detecting Suspicious Scheduled Task Creation in Windows</title><link>https://feed.craftedsignal.io/briefs/2024-01-scheduled-task-creation/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-scheduled-task-creation/</guid><description>This rule detects the creation of scheduled tasks in Windows using event logs, which adversaries may use for persistence, lateral movement, or privilege escalation by creating malicious tasks.</description><content:encoded><![CDATA[<p>Adversaries frequently abuse Windows scheduled tasks to establish persistence, move laterally within a network, and escalate privileges. This technique involves creating or modifying scheduled tasks to execute malicious code at specific times or in response to certain events. This detection rule identifies suspicious task creation by filtering out benign tasks and those initiated by system accounts, focusing on potential threats. The rule relies on Windows Security Event Logs, offering a valuable method for identifying unauthorized task creation indicative of malicious activity. The detection logic specifically excludes common tasks associated with software updates from vendors like Hewlett-Packard, Microsoft, Google, and Mozilla, as well as tasks run by system accounts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a system, potentially through phishing or exploiting a vulnerability.</li>
<li>The attacker uses their initial access to execute commands, potentially leveraging PowerShell or cmd.exe.</li>
<li>The attacker uses the <code>schtasks</code> command-line utility, PowerShell&rsquo;s <code>Register-ScheduledTask</code>, or the Task Scheduler COM interface directly to create a new scheduled task.</li>
<li>The scheduled task is configured to execute a malicious payload, such as a reverse shell or a data exfiltration script.</li>
<li>The task is set to trigger based on a specific schedule, such as at system startup, at a specific time, or upon a specific event.</li>
<li>When the trigger occurs, the scheduled task executes the malicious payload.</li>
<li>The malicious payload establishes persistence, allowing the attacker to maintain access to the compromised system.</li>
<li>The attacker can then use the persistent access to move laterally to other systems or to exfiltrate sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows adversaries to maintain persistent access to compromised systems, potentially leading to data theft, system disruption, or further lateral movement within the network. By creating malicious scheduled tasks, attackers can ensure their code is executed even after a system reboot or user logoff. This can result in long-term compromise and significant damage to affected organizations. While the number of victims and specific sectors targeted are not detailed, the potential impact is broad due to the widespread use of Windows systems in enterprise environments.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Windows Security Event Logging and ensure that event ID 4698 (A scheduled task was created) is collected.</li>
<li>Deploy the Sigma rule &ldquo;Suspicious Scheduled Task Creation via Winlog&rdquo; to your SIEM to detect potentially malicious scheduled task creation events.</li>
<li>Regularly review and update the exclusion list in the Sigma rule to account for new benign scheduled tasks in your environment.</li>
<li>Investigate any alerts generated by the Sigma rule by examining the task&rsquo;s name, path, actions, and triggers to determine if they are suspicious.</li>
<li>Monitor for related suspicious activity, such as unusual process executions or network connections originating from the compromised system.</li>
</ul>
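<p>As an added example covering both scheduled-task briefs in this feed (not code from the feed or from the Sigma rules they name), the following Python triages Windows Security Event ID 4698 records: it drops tasks created by machine or built-in service accounts and tasks under the vendor folders the briefs list as excluded, then parses the embedded <code>TaskContent</code> XML to show what the remaining task runs, when it fires, and whether it is hidden. The event builder, the two task definitions and the vendor-folder list are constructed for the example; real 4698 events carry more <code>Data</code> fields than the builder emits.</p>

```python
"""Triage Windows Security Event ID 4698 (a scheduled task was created):
drop tasks created by system accounts or under known vendor task folders,
and pull out what the remaining tasks actually run."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Task-folder prefixes the briefs describe as excluded (vendor updaters).
BENIGN_TASK_PREFIXES = ("\\microsoft\\", "\\hewlett-packard\\",
                        "\\google\\", "\\mozilla\\")
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def parse_4698(event_xml: str) -> dict:
    """Flatten the EventData of a 4698 record and parse its TaskContent XML."""
    root = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "") for d in root.iter(EVT_NS + "Data")}
    task = ET.fromstring(data["TaskContent"])
    exec_el = task.find(f"{TASK_NS}Actions/{TASK_NS}Exec")
    triggers_el = task.find(f"{TASK_NS}Triggers")
    return {
        "user": data.get("SubjectUserName", ""),
        "task_name": data.get("TaskName", ""),
        "command": exec_el.findtext(f"{TASK_NS}Command", "") if exec_el is not None else "",
        "arguments": exec_el.findtext(f"{TASK_NS}Arguments", "") if exec_el is not None else "",
        "triggers": [] if triggers_el is None
                    else [t.tag.replace(TASK_NS, "") for t in triggers_el],
        "hidden": task.findtext(f"{TASK_NS}Settings/{TASK_NS}Hidden", "").lower() == "true",
    }


def is_system_account(user: str) -> bool:
    """Machine accounts end in '$'; built-in service identities match by name."""
    return user.endswith("$") or user.upper() in SERVICE_ACCOUNTS


def should_alert(task: dict) -> bool:
    if is_system_account(task["user"]):
        return False
    if task["task_name"].lower().startswith(BENIGN_TASK_PREFIXES):
        return False
    return True


def triage(events) -> list:
    """Parsed tasks that survive the exclusions, in event order."""
    return [t for t in map(parse_4698, events) if should_alert(t)]


def make_event(user: str, task_name: str, task_xml: str) -> str:
    """Build a minimal 4698 event; TaskContent is the task XML as escaped text."""
    return (f'<Event xmlns="{EVT_NS[1:-1]}"><System><EventID>4698</EventID></System>'
            f'<EventData><Data Name="SubjectUserName">{escape(user)}</Data>'
            f'<Data Name="SubjectDomainName">LAB</Data>'
            f'<Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>')


# Constructed task definitions (not real captures): a hidden logon-triggered
# PowerShell task in a user profile, and a Google updater task.
USER_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>powershell.exe</Command>
    <Arguments>-w hidden -File C:\\Users\\bob\\AppData\\Roaming\\update.ps1</Arguments>
  </Exec></Actions>
</Task>"""
VENDOR_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe</Command>
    <Arguments>/ua /installsource scheduler</Arguments></Exec></Actions>
</Task>"""

SAMPLE_EVENTS = [
    make_event("bob", "\\Updater", USER_TASK),                             # alert
    make_event("bob", "\\Google\\GoogleUpdateTaskMachineUA", VENDOR_TASK),  # vendor folder
    make_event("WS01$", "\\Updater", USER_TASK),                           # machine account
]

if __name__ == "__main__":
    for t in triage(SAMPLE_EVENTS):
        print(t)
```

<p>The system-account exclusion is deliberately blunt, and it is the rule&rsquo;s main blind spot: an attacker who already runs as SYSTEM creates tasks that this filter drops. Pair it with a second check that inspects <code>command</code> and <code>arguments</code> regardless of creator, and rank <code>hidden</code> tasks and tasks whose action lives under a user profile above the rest when triaging.</p>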
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>persistence</category><category>scheduled_task</category><category>windows</category></item></channel></rss>