{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/pdf24.exe/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Adobe Acrobat Update Task","Sure Click","Secure Access Client","CtxsDPS.exe","Openvpn-gui.exe","Veeam Endpoint Backup","Cisco Secure Client","Concentr.exe","Receiver","AnalyticsSrv.exe","Redirector.exe","Download Navigator","Jabra Direct","Vmware Workstation","Eset Security","iTunes","Keepassxc.exe","Globalprotect","Pdf24.exe","Vmware Tools","Teams"],"_cs_severities":["medium"],"_cs_tags":["persistence","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Adobe","HP","Intel","Acronis","Java","Citrix","OpenVPN","Veeam","Cisco","Epson","Jabra","VMware","ESET","iTunes","KeePassXC","Palo Alto Networks","PDF24"],"content_html":"\u003cp\u003eThe Windows Installer (msiexec.exe) is a legitimate system tool used for installing, updating, and removing software on Windows systems. Adversaries can abuse msiexec.exe to establish persistence mechanisms by creating malicious scheduled tasks or modifying registry run keys. This allows them to execute arbitrary code during system startup or user logon. This technique is attractive to attackers due to msiexec.exe being a trusted Windows binary, potentially evading detection by security solutions that focus on flagging unknown or suspicious processes. The use of msiexec.exe for persistence can be difficult to detect without specific monitoring rules, as it is a common and legitimate system process. This activity can be observed across various Windows versions and is frequently integrated into automated attack frameworks and scripts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised system, potentially through phishing, exploitation of a vulnerability, or stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages msiexec.exe to create a new scheduled task using the \u003ccode\u003eschtasks.exe\u003c/code\u003e command, setting it to execute a malicious script or binary.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses msiexec.exe in conjunction with \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify registry keys under \u003ccode\u003eHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u003c/code\u003e or \u003ccode\u003eHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u003c/code\u003e, adding a pointer to their malicious executable.\u003c/li\u003e\n\u003cli\u003eThe created scheduled task or registry entry points to a malicious payload, such as a reverse shell or a downloader.\u003c/li\u003e\n\u003cli\u003eThe system is restarted, or the user logs on, triggering the execution of the newly created scheduled task or the malicious binary through the modified registry run key.\u003c/li\u003e\n\u003cli\u003eThe malicious payload executes, establishing a persistent foothold for the attacker on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform further actions, such as data exfiltration, lateral movement, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the adversary to maintain persistent access to the compromised system. This can lead to data theft, system compromise, deployment of ransomware, or use of the system as a staging point for further attacks within the network. A single compromised system can be used to pivot and compromise additional systems, leading to a widespread security breach. The impact can include financial losses, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for msiexec.exe spawning \u003ccode\u003eschtasks.exe\u003c/code\u003e or \u003ccode\u003ereg.exe\u003c/code\u003e to create scheduled tasks or modify registry run keys (reference: rules in this brief).\u003c/li\u003e\n\u003cli\u003eImplement and tune the Sigma rules provided in this brief to detect suspicious msiexec.exe activity related to persistence mechanisms.\u003c/li\u003e\n\u003cli\u003eReview and audit existing scheduled tasks and registry run keys for any suspicious entries or anomalies.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring (FIM) on critical system directories, including the Windows Task Scheduler directory and registry run key locations (reference: event.category == \u0026ldquo;file\u0026rdquo; and file.path \u0026hellip; and event.category == \u0026ldquo;registry\u0026rdquo; and registry.path \u0026hellip; in the rule query).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or unknown executables (reference: rule query).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-09-05T14:17:05Z","date_published":"2024-09-05T14:17:05Z","id":"/briefs/2024-09-msiexec-persistence/","summary":"Adversaries may establish persistence by abusing the Windows Installer (msiexec.exe) to create scheduled tasks or modify registry run keys, allowing for malicious code execution upon system startup or user logon.","title":"Persistence via Windows Installer (Msiexec)","url":"https://feed.craftedsignal.io/briefs/2024-09-msiexec-persistence/"}],"language":"en","title":"CraftedSignal Threat Feed — Pdf24.exe","version":"https://jsonfeed.org/version/1.1"}