Secure Endpoint — CraftedSignal Threat Feed

Cisco Secure Endpoint Uninstallation via SFC Utility

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

The System File Checker (sfc.exe) is a Windows utility used to scan and restore corrupted system files. However, it can also be abused to uninstall components of security software. This detection focuses on the use of sfc.exe with the -u parameter, a legitimate but potentially malicious use case related to Cisco Secure Endpoint. An attacker might leverage this command to remove or disable parts of the endpoint protection suite, creating an opportunity to deploy malware, exfiltrate data, or perform other malicious activities without immediate detection. This type of tampering aims to weaken defenses before a more significant attack. This activity is often part of a broader effort to disable security mechanisms to avoid detection.

Attack Chain

Initial access to the system is achieved through unspecified means (e.g., compromised credentials, software vulnerability).
The attacker gains elevated privileges on the compromised system.
The attacker executes sfc.exe with the -u parameter to attempt to uninstall the Cisco Secure Endpoint Immunet service.
sfc.exe attempts to uninstall the specified Cisco Secure Endpoint component.
If successful, the targeted component of Cisco Secure Endpoint is disabled or removed from the system.
The attacker leverages the weakened state of the endpoint security to deploy malware or perform other malicious activities.
The attacker attempts to move laterally within the network.
The attacker exfiltrates sensitive data from the compromised system or network.

Impact

Successful execution of this attack can lead to the complete removal or disabling of Cisco Secure Endpoint protection on a targeted system. This leaves the system vulnerable to malware infection, data exfiltration, and other malicious activities. The impact can range from individual system compromise to a widespread breach affecting numerous endpoints within an organization, leading to significant data loss and operational disruption.

Recommendation

Deploy the Sigma rule Detect Cisco Secure Endpoint Uninstall via SFC to your SIEM and tune for your environment.
Monitor process execution logs for instances of sfc.exe being used with the -u parameter, as highlighted in the Sigma rule and the search field in the provided source.
Investigate any detected instances of this behavior to determine if they are legitimate or malicious, per the known_false_positives from the original source.
Implement strict access controls to limit the ability of users to execute system utilities like sfc.exe.
Enable Sysmon process-creation logging to activate the rules above.

Cisco Secure Endpoint Tampering via SFC Utility

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This analytic focuses on detecting the misuse of the System File Checker (sfc.exe) utility with the -unblock parameter, a specific feature integrated within Cisco Secure Endpoint. This functionality is designed to remove system-level blocks that Cisco Secure Endpoint imposes on files or processes identified as potentially malicious. While legitimate use cases exist for troubleshooting and resolving false positives, adversaries can exploit this command to bypass endpoint protection mechanisms. By unblocking files, attackers can facilitate the execution of malware, evade detection, and maintain persistence within the compromised environment. The targeted use of sfc.exe -unblock is a significant indicator of potential security solution tampering.

Attack Chain

An attacker gains initial access to a compromised endpoint, possibly through phishing or exploiting a software vulnerability.
The attacker identifies a file or process blocked by Cisco Secure Endpoint.
The attacker elevates privileges to execute commands with administrative rights.
The attacker uses the sfc.exe utility with the -unblock parameter, specifying the blocked file’s path as an argument: sfc.exe /UNBLOCK=.
SFC removes the block imposed by Cisco Secure Endpoint on the specified file.
The attacker executes the previously blocked file, initiating the malicious payload.
The malicious payload performs actions such as establishing command and control, lateral movement, or data exfiltration.

Impact

Successful exploitation allows attackers to bypass Cisco Secure Endpoint’s protective measures, enabling the execution of blocked malware or tools. This can lead to a full system compromise, data theft, or disruption of services. The impact is especially severe if critical system files are unblocked, potentially destabilizing the operating system.

Recommendation

Deploy the Sigma rule Detect Cisco Secure Endpoint File Unblock via SFC to identify instances where sfc.exe is used with the -unblock parameter.
Investigate any identified instances of sfc.exe -unblock to determine if the action was legitimate and authorized.
Monitor process execution for any files unblocked via sfc.exe, and correlate with other security events to detect malicious activity.
Implement additional endpoint monitoring to detect suspicious activity following the use of sfc.exe -unblock.

Cisco Secure Endpoint Tampering via SFC Utility

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This threat brief addresses the potential tampering of Cisco Secure Endpoint’s Immunet Protect service. The technique involves leveraging the sfc.exe utility, a legitimate component within the Cisco Secure Endpoint installation, to stop the Immunet service. The abuse of sfc.exe with the -k parameter is a critical indicator, as it’s not a typical administrative function and signals a deliberate attempt to weaken endpoint defenses. This activity matters because a compromised endpoint with disabled security measures can lead to further exploitation, lateral movement, and data exfiltration. The technique was observed in the Splunk security content and can be detected via endpoint telemetry.

Attack Chain

Initial access is assumed to have been achieved via other means (e.g., phishing, exploit).
The attacker gains a foothold on the targeted endpoint.
The attacker identifies the presence of Cisco Secure Endpoint and Immunet Protect.
The attacker executes sfc.exe with the -k parameter, specifically targeting the Immunet Protect service.
The command execution stops the Immunet Protect service, effectively disabling real-time protection.
The attacker leverages the weakened security posture to deploy malware or execute malicious scripts.
The attacker attempts lateral movement to other systems on the network.
The attacker achieves their objective (e.g., data theft, ransomware deployment) without detection.

Impact

A successful attack can lead to the disabling of real-time protection offered by Immunet Protect, a component of Cisco Secure Endpoint. This allows attackers to bypass endpoint security measures and execute malicious code without detection. The impact may include data breaches, ransomware infections, and further compromise of systems within the network. The number of victims depends on the scope of the attacker’s lateral movement after initial compromise.

Recommendation

Deploy the Sigma rule “Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc” to your SIEM to detect the execution of sfc.exe with the -k parameter (see rules section).
Enable Sysmon process creation logging to capture command-line arguments for process monitoring and detection (see logsource).
Investigate any instances of sfc.exe execution with the -k parameter, especially when originating from unusual parent processes or locations.
Implement strict process whitelisting to prevent unauthorized execution of sfc.exe from non-standard paths.
Monitor for unusual process behavior following the execution of sfc.exe, such as the creation of suspicious files or network connections.