{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/opera/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Microsoft Teams","Google Chrome","Mozilla Firefox","Opera","Cisco WebEx","Discord","WhatsApp","Zoom","Brave Browser","Slack","thunderbird.exe"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne","Microsoft","Google","Mozilla","Opera","Cisco","Discord","WhatsApp","Zoom","Brave"],"content_html":"\u003cp\u003eThis detection rule focuses on identifying suspicious child processes of communication applications such as Slack, Cisco Webex, Microsoft Teams, Discord, WhatsApp, Zoom, and Thunderbird on Windows operating systems. Attackers may attempt to masquerade as legitimate processes or exploit vulnerabilities in these applications to execute malicious code. The rule monitors for the creation of child processes by these communication apps and checks if those child processes are unexpected, untrusted, or lack a valid code signature. This detection is crucial because successful exploitation can lead to unauthorized access, data exfiltration, or further compromise of the system. The rule has been actively maintained since August 2023, with updates as recent as May 2026, indicating its relevance and ongoing refinement to address emerging threats.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser launches a communication application (e.g., Slack, Teams, Webex).\u003c/li\u003e\n\u003cli\u003eThe communication application executes a vulnerable or compromised component.\u003c/li\u003e\n\u003cli\u003eThe compromised component spawns a child process (e.g., powershell.exe, cmd.exe).\u003c/li\u003e\n\u003cli\u003eThe child process executes a malicious command or script.\u003c/li\u003e\n\u003cli\u003eThe script attempts to download additional payloads from an external source.\u003c/li\u003e\n\u003cli\u003eThe payload executes, establishing persistence through registry modification or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the system.\u003c/li\u003e\n\u003cli\u003eData exfiltration or lateral movement within the network occurs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the compromise of sensitive data, installation of malware, and potential lateral movement within the organization\u0026rsquo;s network. By exploiting communication applications, attackers can gain access to internal communications, confidential documents, and user credentials. The number of affected users and the extent of the damage depend on the compromised application and the attacker\u0026rsquo;s objectives. If successful, this attack may lead to significant financial loss, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Communication App Child Process\u003c/code\u003e to your SIEM to detect anomalous child processes spawned by communication applications and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments in Windows to ensure that the Sigma rule has the necessary data to function correctly (logsource: \u003ccode\u003eprocess_creation\u003c/code\u003e, product: \u003ccode\u003ewindows\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule and review the command line arguments of the spawned processes to identify potential malicious activity.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to restrict the execution of unauthorized applications and reduce the attack surface.\u003c/li\u003e\n\u003cli\u003eEnsure that all communication applications are updated to the latest versions to patch known vulnerabilities and reduce the risk of exploitation.\u003c/li\u003e\n\u003cli\u003eExamine the network activity of the affected system to identify any suspicious outbound connections that may indicate data exfiltration or communication with a command and control server, referencing the setup guide.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-31T12:00:00Z","date_published":"2024-01-31T12:00:00Z","id":"/briefs/2024-01-suspicious-comm-app-child-process/","summary":"The detection rule identifies suspicious child processes spawned from communication applications on Windows systems, potentially indicating masquerading or exploitation of vulnerabilities within these applications.","title":"Suspicious Child Processes from Communication Applications","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-comm-app-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["OneDrive","Chrome","Brave","Opera","Discord","Slack","Microsoft 365","SharePoint"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","windows","threat-detection"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Google","Brave Software","Opera","Discord","Slack"],"content_html":"\u003cp\u003eAdversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in. This detection focuses on identifying connections from Windows hosts to a predefined list of commonly abused web services from processes running outside of typical program installation directories, indicating a potential C2 channel leveraging legitimate services. The rule aims to detect this behavior by monitoring network connections and DNS requests originating from unusual locations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved via an unknown method (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eMalware is installed on the victim\u0026rsquo;s system, likely outside typical program directories.\u003c/li\u003e\n\u003cli\u003eThe malware establishes a DNS connection to a commonly abused web service (e.g., pastebin.com, raw.githubusercontent.com) to obscure C2 traffic.\u003c/li\u003e\n\u003cli\u003eThe malware sends encrypted or encoded commands to the web service.\u003c/li\u003e\n\u003cli\u003eThe web service acts as an intermediary, relaying the commands to the attacker\u0026rsquo;s C2 server.\u003c/li\u003e\n\u003cli\u003eThe C2 server responds with instructions, which are then relayed back to the compromised host through the same web service.\u003c/li\u003e\n\u003cli\u003eThe malware executes the received commands, potentially leading to data exfiltration, lateral movement, or other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access and control over the compromised system using the web service as a hidden C2 channel.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to data theft, system compromise, and further propagation within the network. Since commonly used web services are utilized, the malicious activity can blend in with legitimate network traffic, making it difficult to detect. The impact can range from minor data breaches to complete network compromise, depending on the attacker\u0026rsquo;s objectives and the level of access gained.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Commonly Abused Web Services via DNS\u003c/code\u003e to your SIEM to identify suspicious DNS queries to known C2 web services originating from anomalous processes.\u003c/li\u003e\n\u003cli\u003eEnable DNS query logging on Windows endpoints to provide the data source required for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview network connection logs for processes outside standard installation directories communicating with domains listed in the \u003ccode\u003equery\u003c/code\u003e section of the Sigma rule to identify potential C2 activity.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of compromised hosts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"/briefs/2024-01-04-c2-web-services/","summary":"This rule detects command and control activity using common web services by identifying Windows hosts making DNS requests to a list of commonly abused web services from processes outside of known program locations, potentially indicating adversaries attempting to blend malicious traffic with legitimate network activity.","title":"Detection of Command and Control Activity via Commonly Abused Web Services","url":"https://feed.craftedsignal.io/briefs/2024-01-04-c2-web-services/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","OneDrive","Chrome","Opera","Fiddler","PowerToys","Vivaldi","Zen Browser","WaveBrowser","MicrosoftEdgeCP"],"_cs_severities":["low"],"_cs_tags":["command-and-control","webservice","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Google","BraveSoftware","Opera","Vivaldi","Wavesor Software","Discord","Telegram","Facebook","Trello","GitHub","Supabase"],"content_html":"\u003cp\u003eThis detection rule, sourced from Elastic, identifies potential command and control (C2) activity by detecting connections to commonly abused web services. Adversaries often leverage popular web services like pastebin, GitHub, Dropbox, and Discord to mask malicious communications within legitimate network traffic. This technique makes it challenging for defenders to distinguish between normal user activity and malicious C2 traffic. The rule focuses on Windows systems and monitors DNS queries to identify processes communicating with a predefined list of services known to be abused by attackers. The rule was last updated on 2026-05-04 and is designed to work with data from Elastic Defend and SentinelOne Cloud Funnel. The goal is to identify anomalous network connections originating from unusual processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user on a Windows host unknowingly executes a malicious file (e.g., via phishing or drive-by download).\u003c/li\u003e\n\u003cli\u003eThe malicious file executes a process outside of typical program directories (e.g., \u003ccode\u003eC:\\Windows\\Temp\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThis process initiates a DNS query to a domain associated with a commonly abused web service (e.g., \u003ccode\u003epastebin.com\u003c/code\u003e, \u003ccode\u003egithubusercontent.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe DNS query resolves to an IP address, and a network connection is established to the web service.\u003c/li\u003e\n\u003cli\u003eThe malicious process uploads or downloads data from the web service, potentially containing commands for the compromised host or exfiltrated data.\u003c/li\u003e\n\u003cli\u003eThe web service acts as an intermediary, relaying commands from the attacker to the compromised host or exfiltrated data from the compromised host to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the C2 channel to perform further actions on the compromised host, such as lateral movement or data theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using common web services for C2 can lead to data exfiltration, system compromise, and further propagation within the network. The low severity suggests a focus on detecting early-stage C2 activity, which if left unchecked, could escalate into a significant incident. The usage of popular web services makes detection difficult, requiring careful analysis and tuning to avoid false positives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Connection to Commonly Abused Web Services\u0026rdquo; to your SIEM and tune it for your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon DNS query logging to accurately capture DNS requests for improved detection capabilities, activating the \u0026ldquo;DNS Query to Commonly Abused Web Services\u0026rdquo; rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the process execution chain and network connections to determine the legitimacy of the activity, referencing the investigation steps described in the rule documentation.\u003c/li\u003e\n\u003cli\u003eReview and update the list of excluded processes in the Sigma rule to reflect your organization\u0026rsquo;s approved software and reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-common-web-services-c2/","summary":"This rule detects command and control (C2) communications that use common web services to hide malicious activity on Windows hosts by identifying network connections to commonly abused web services from processes outside of known legitimate program locations, indicating potential exfiltration or C2 activity blended with legitimate traffic.","title":"Detection of Command and Control Activity via Common Web Services","url":"https://feed.craftedsignal.io/briefs/2024-01-common-web-services-c2/"}],"language":"en","title":"CraftedSignal Threat Feed — Opera","version":"https://jsonfeed.org/version/1.1"}