{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/secure-endpoint/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Secure Endpoint","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["security-solution-tampering","endpoint","windows"],"_cs_type":"advisory","_cs_vendors":["Cisco","Splunk"],"content_html":"\u003cp\u003eThe System File Checker (sfc.exe) is a Windows utility used to scan and restore corrupted system files. However, it can also be abused to uninstall components of security software. This detection focuses on the use of \u003ccode\u003esfc.exe\u003c/code\u003e with the \u003ccode\u003e-u\u003c/code\u003e parameter, a legitimate but potentially malicious use case related to Cisco Secure Endpoint. An attacker might leverage this command to remove or disable parts of the endpoint protection suite, creating an opportunity to deploy malware, exfiltrate data, or perform other malicious activities without immediate detection. This type of tampering aims to weaken defenses before a more significant attack. This activity is often part of a broader effort to disable security mechanisms to avoid detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the system is achieved through unspecified means (e.g., compromised credentials, software vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker gains elevated privileges on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003esfc.exe\u003c/code\u003e with the \u003ccode\u003e-u\u003c/code\u003e parameter to attempt to uninstall the Cisco Secure Endpoint Immunet service.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esfc.exe\u003c/code\u003e attempts to uninstall the specified Cisco Secure Endpoint component.\u003c/li\u003e\n\u003cli\u003eIf successful, the targeted component of Cisco Secure Endpoint is disabled or removed from the system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the weakened state of the endpoint security to deploy malware or perform other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data from the compromised system or network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack can lead to the complete removal or disabling of Cisco Secure Endpoint protection on a targeted system. This leaves the system vulnerable to malware infection, data exfiltration, and other malicious activities. 
The impact can range from individual system compromise to a widespread breach affecting numerous endpoints within an organization, leading to significant data loss and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Cisco Secure Endpoint Uninstall via SFC\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for instances of \u003ccode\u003esfc.exe\u003c/code\u003e being used with the \u003ccode\u003e-u\u003c/code\u003e parameter, as highlighted in the Sigma rule and the \u003ccode\u003esearch\u003c/code\u003e field in the provided source.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of this behavior to determine if they are legitimate or malicious, per the \u003ccode\u003eknown_false_positives\u003c/code\u003e from the original source.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to limit the ability of users to execute system utilities like \u003ccode\u003esfc.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to activate the rules above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-cisco-secure-endpoint-uninstall/","summary":"The sfc.exe utility is used with the \"-u\" parameter to uninstall Cisco Secure Endpoint components, potentially disabling endpoint protection and facilitating further exploitation.","title":"Cisco Secure Endpoint Uninstallation via SFC Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-secure-endpoint-uninstall/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Secure Endpoint","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","endpoint","cisco"],"_cs_type":"advisory","_cs_vendors":["Cisco","Splunk"],"content_html":"\u003cp\u003eThis analytic focuses on detecting the misuse of the System File Checker (sfc.exe) utility with the \u003ccode\u003e-unblock\u003c/code\u003e parameter, a specific feature integrated within Cisco Secure Endpoint. This functionality is designed to remove system-level blocks that Cisco Secure Endpoint imposes on files or processes identified as potentially malicious. While legitimate use cases exist for troubleshooting and resolving false positives, adversaries can exploit this command to bypass endpoint protection mechanisms. By unblocking files, attackers can facilitate the execution of malware, evade detection, and maintain persistence within the compromised environment. The targeted use of \u003ccode\u003esfc.exe -unblock\u003c/code\u003e is a significant indicator of potential security solution tampering.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised endpoint, possibly through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a file or process blocked by Cisco Secure Endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to execute commands with administrative rights.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003esfc.exe\u003c/code\u003e utility with the \u003ccode\u003e-unblock\u003c/code\u003e parameter, specifying the blocked file\u0026rsquo;s path as an argument: \u003ccode\u003esfc.exe /UNBLOCK=\u0026lt;file_path\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eSFC removes the block imposed by Cisco Secure Endpoint on the specified file.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the previously blocked file, initiating the malicious payload.\u003c/li\u003e\n\u003cli\u003eThe 
malicious payload performs actions such as establishing command and control, lateral movement, or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass Cisco Secure Endpoint\u0026rsquo;s protective measures, enabling the execution of blocked malware or tools. This can lead to a full system compromise, data theft, or disruption of services. The impact is especially severe if critical system files are unblocked, potentially destabilizing the operating system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Cisco Secure Endpoint File Unblock via SFC\u003c/code\u003e to identify instances where \u003ccode\u003esfc.exe\u003c/code\u003e is used with the \u003ccode\u003e-unblock\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eInvestigate any identified instances of \u003ccode\u003esfc.exe -unblock\u003c/code\u003e to determine if the action was legitimate and authorized.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for any files unblocked via \u003ccode\u003esfc.exe\u003c/code\u003e, and correlate with other security events to detect malicious activity.\u003c/li\u003e\n\u003cli\u003eImplement additional endpoint monitoring to detect suspicious activity following the use of \u003ccode\u003esfc.exe -unblock\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-cisco-secure-endpoint-sfc-unblock/","summary":"The sfc.exe utility is being used with the '-unblock' parameter, a feature within Cisco Secure Endpoint, to remove system blocks imposed by the endpoint protection, potentially indicating an attempt to bypass security measures and execute blocked malicious payloads.","title":"Cisco Secure Endpoint Tampering via SFC Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-secure-endpoint-sfc-unblock/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Secure Endpoint","Immunet Protect"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","endpoint","cisco"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis threat brief addresses the potential tampering of Cisco Secure Endpoint\u0026rsquo;s Immunet Protect service. The technique involves leveraging the \u003ccode\u003esfc.exe\u003c/code\u003e utility, a legitimate component within the Cisco Secure Endpoint installation, to stop the Immunet service. The abuse of \u003ccode\u003esfc.exe\u003c/code\u003e with the \u003ccode\u003e-k\u003c/code\u003e parameter is a critical indicator, as it\u0026rsquo;s not a typical administrative function and signals a deliberate attempt to weaken endpoint defenses. This activity matters because a compromised endpoint with disabled security measures can lead to further exploitation, lateral movement, and data exfiltration. The technique was observed in the Splunk security content and can be detected via endpoint telemetry.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is assumed to have been achieved via other means (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the targeted endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the presence of Cisco Secure Endpoint and Immunet Protect.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003esfc.exe\u003c/code\u003e with the \u003ccode\u003e-k\u003c/code\u003e parameter, specifically targeting the Immunet Protect service.\u003c/li\u003e\n\u003cli\u003eThe command execution stops the Immunet Protect service, effectively disabling real-time protection.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the weakened security posture to deploy malware or execute malicious scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts lateral movement to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective (e.g., data theft, ransomware deployment) without detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the disabling of real-time protection offered by Immunet Protect, a component of Cisco Secure Endpoint. This allows attackers to bypass endpoint security measures and execute malicious code without detection. The impact may include data breaches, ransomware infections, and further compromise of systems within the network. The number of victims depends on the scope of the attacker\u0026rsquo;s lateral movement after initial compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc\u0026rdquo; to your SIEM to detect the execution of \u003ccode\u003esfc.exe\u003c/code\u003e with the \u003ccode\u003e-k\u003c/code\u003e parameter (see rules section).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture command-line arguments for process monitoring and detection (see logsource).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003esfc.exe\u003c/code\u003e execution with the \u003ccode\u003e-k\u003c/code\u003e parameter, especially when originating from unusual parent processes or locations.\u003c/li\u003e\n\u003cli\u003eImplement strict process whitelisting to prevent unauthorized execution of \u003ccode\u003esfc.exe\u003c/code\u003e from non-standard paths.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual process behavior following the execution of \u003ccode\u003esfc.exe\u003c/code\u003e, such as the creation of suspicious files or network connections.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-cisco-secure-endpoint-tampering/","summary":"An attacker attempts to disable the Immunet Protect service of Cisco Secure Endpoint by leveraging the `sfc.exe` utility with the `-k` parameter, potentially blinding the EDR for further compromise.","title":"Cisco Secure Endpoint Tampering via SFC Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-03-cisco-secure-endpoint-tampering/"}],"language":"en","title":"CraftedSignal Threat Feed — Secure Endpoint","version":"https://jsonfeed.org/version/1.1"}