https://feed.craftedsignal.io/products/sccm/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-03-wmi-lateral-movement/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-wmi-lateral-movement/Detection of processes executed via Windows Management Instrumentation (WMI) on a remote host indicating potential adversary lateral movement.This threat brief focuses on the detection of lateral movement within a Windows environment via Windows Management Instrumentation (WMI). WMI, a core Windows feature, is often exploited by adversaries to remotely execute processes, bypassing traditional security measures. This activity is detected by monitoring network connections and process executions, while filtering out common false positives associated with legitimate administrative use, security tools, and system processes. The goal is to highlight potential threats indicative of unauthorized lateral movement.

Attack Chain

1. An attacker gains initial access to a system within the network.
2. The attacker uses WMI to initiate a connection to a remote host on port 135.
3. The svchost.exe process on the target host accepts an incoming RPC connection from the attacker-controlled system.
4. WmiPrvSE.exe, the WMI provider host process, spawns a new process based on the attacker’s WMI command.
5. The spawned process executes the attacker’s payload or command on the remote host.
6. The attacker leverages the executed process for further actions, such as data exfiltration or establishing persistence.

Impact

Successful exploitation and lateral movement via WMI can lead to unauthorized access to sensitive data, compromise of critical systems, and propagation of malware throughout the network. While specific victim counts or sector targeting data are unavailable, the broad applicability of WMI across Windows environments makes this a relevant threat for a wide range of organizations.

Recommendation

• Enable Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection) logging to provide necessary data for the rules below.
• Deploy the Sigma rules provided in this brief to your SIEM to detect suspicious WMI activity and tune them for your environment.
• Review and create exceptions for known administrative accounts or specific IP addresses used by IT staff to reduce false positives, as mentioned in the overview.
• Isolate any affected host from the network to prevent further lateral movement if suspicious WMI activity is detected.
• Monitor network connections with destination port 135 for unusual activity.

]]>mediumadvisorylateral-movementwmiwindowshttps://feed.craftedsignal.io/briefs/2024-01-remote-service-execution/Tue, 02 Jan 2024 10:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-remote-service-execution/Detection of remote execution of Windows services over RPC by correlating `services.exe` network connections and spawned child processes, potentially indicating lateral movement.This detection rule identifies the remote execution of Windows services over Remote Procedure Call (RPC), a technique often employed for lateral movement within a network. The rule focuses on correlating network connections initiated by services.exe with subsequent child process creation events. While this activity can be a legitimate function of administrators using remote management tools, it also represents a potential attack vector. The rule aims to strike a balance between detecting malicious activity and minimizing false positives arising from routine administrative tasks. The detection logic is based on identifying network connections to services.exe followed by the creation of child processes that are not commonly associated with legitimate service management. The rule requires the use of Elastic Defend or Sysmon for adequate logging coverage.

Attack Chain

1. An attacker gains initial access to a system within the network.
2. The attacker attempts to move laterally to other systems.
3. The attacker establishes a connection to the target system’s services.exe process over RPC using a high port (>= 49152).
4. The attacker uses the established RPC connection to create or start a new service on the remote system.
5. The services.exe process on the remote system spawns a child process related to the newly created or started service.
6. This new process executes the attacker’s payload, potentially granting further access or executing malicious commands.
7. The attacker leverages the newly executed service for persistent access or further lateral movement.

Impact

A successful attack could result in unauthorized access to sensitive data, disruption of critical services, or the deployment of ransomware. Lateral movement allows attackers to compromise multiple systems within the network, escalating the impact of the initial breach. Due to the nature of the technique, it can be challenging to distinguish between legitimate administrative activity and malicious actions, leading to delayed detection and increased dwell time for attackers.

Recommendation

• Deploy the provided Sigma rules to your SIEM and tune the filters for known-good executables in your environment to reduce false positives.
• Enable Sysmon process-creation (Event ID 1) and network connection (Event ID 3) logging to ensure the required data for the Sigma rules is available.
• Investigate any alerts triggered by these rules, focusing on the parent process and network connection details associated with the spawned child process.
• Consider excluding known remote management tools from triggering the detection by adding exceptions based on process.executable or process.args in the Sigma rules.
• Monitor the network for unusual RPC activity, especially connections to services.exe from unexpected source IPs.

]]>mediumadvisorylateral-movementexecutionwindows