{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/sccm/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["HPWBEM","SCCM","Windows Management Instrumentation",".NET Framework"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","wmi","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","HP","Nessus"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of lateral movement within a Windows environment via Windows Management Instrumentation (WMI). WMI, a core Windows feature, is often exploited by adversaries to remotely execute processes, bypassing traditional security measures. This activity is detected by monitoring network connections and process executions, while filtering out common false positives associated with legitimate administrative use, security tools, and system processes. The goal is to highlight potential threats indicative of unauthorized lateral movement.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses WMI to initiate a connection to a remote host on port 135.\u003c/li\u003e\n\u003cli\u003eThe svchost.exe process on the target host accepts an incoming RPC connection from the attacker-controlled system.\u003c/li\u003e\n\u003cli\u003eWmiPrvSE.exe, the WMI provider host process, spawns a new process based on the attacker\u0026rsquo;s WMI command.\u003c/li\u003e\n\u003cli\u003eThe spawned process executes the attacker\u0026rsquo;s payload or command on the remote host.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the executed process for further actions, such as data exfiltration or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and lateral movement via WMI can lead to unauthorized access to sensitive data, compromise of critical systems, and propagation of malware throughout the network. While specific victim counts or sector targeting data are unavailable, the broad applicability of WMI across Windows environments makes this a relevant threat for a wide range of organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection) logging to provide necessary data for the rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious WMI activity and tune them for your environment.\u003c/li\u003e\n\u003cli\u003eReview and create exceptions for known administrative accounts or specific IP addresses used by IT staff to reduce false positives, as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eIsolate any affected host from the network to prevent further lateral movement if suspicious WMI activity is detected.\u003c/li\u003e\n\u003cli\u003eMonitor network connections with destination port 135 for unusual activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-wmi-lateral-movement/","summary":"Detection of processes executed via Windows Management Instrumentation (WMI) on a remote host indicating potential adversary lateral movement.","title":"WMI Incoming Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-03-wmi-lateral-movement/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["SCCM"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Pella Corporation","AdminArsenal","ESET","Veeam"],"content_html":"\u003cp\u003eThis detection rule identifies the remote execution of Windows services over Remote Procedure Call (RPC), a technique often employed for lateral movement within a network. The rule focuses on correlating network connections initiated by \u003ccode\u003eservices.exe\u003c/code\u003e with subsequent child process creation events. While this activity can be a legitimate function of administrators using remote management tools, it also represents a potential attack vector. The rule aims to strike a balance between detecting malicious activity and minimizing false positives arising from routine administrative tasks. The detection logic is based on identifying network connections to \u003ccode\u003eservices.exe\u003c/code\u003e followed by the creation of child processes that are not commonly associated with legitimate service management. The rule requires the use of Elastic Defend or Sysmon for adequate logging coverage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a connection to the target system\u0026rsquo;s \u003ccode\u003eservices.exe\u003c/code\u003e process over RPC using a high port (\u0026gt;= 49152).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established RPC connection to create or start a new service on the remote system.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eservices.exe\u003c/code\u003e process on the remote system spawns a child process related to the newly created or started service.\u003c/li\u003e\n\u003cli\u003eThis new process executes the attacker\u0026rsquo;s payload, potentially granting further access or executing malicious commands.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly executed service for persistent access or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could result in unauthorized access to sensitive data, disruption of critical services, or the deployment of ransomware. Lateral movement allows attackers to compromise multiple systems within the network, escalating the impact of the initial breach. Due to the nature of the technique, it can be challenging to distinguish between legitimate administrative activity and malicious actions, leading to delayed detection and increased dwell time for attackers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM and tune the filters for known-good executables in your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation (Event ID 1) and network connection (Event ID 3) logging to ensure the required data for the Sigma rules is available.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by these rules, focusing on the parent process and network connection details associated with the spawned child process.\u003c/li\u003e\n\u003cli\u003eConsider excluding known remote management tools from triggering the detection by adding exceptions based on \u003ccode\u003eprocess.executable\u003c/code\u003e or \u003ccode\u003eprocess.args\u003c/code\u003e in the Sigma rules.\u003c/li\u003e\n\u003cli\u003eMonitor the network for unusual RPC activity, especially connections to \u003ccode\u003eservices.exe\u003c/code\u003e from unexpected source IPs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-remote-service-execution/","summary":"Detection of remote execution of Windows services over RPC by correlating `services.exe` network connections and spawned child processes, potentially indicating lateral movement.","title":"Remote Execution of Windows Services via RPC","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-service-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — SCCM","version":"https://jsonfeed.org/version/1.1"}