{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/sharepoint/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":true,"_cs_products":["SharePoint"],"_cs_severities":["medium"],"_cs_tags":["web-shell","persistence","windows"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers frequently deploy web shells to maintain persistence and execute arbitrary commands on compromised web servers. This rule identifies the creation of ASPX files, commonly used in Windows environments, within directories typically targeted for web shell deployment. The rule focuses on the \u0026ldquo;?:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*\u0026rdquo; path, a common location for web server extensions and potential web shell placements. By excluding legitimate processes such as msiexec.exe and psconfigui.exe, the rule aims to detect suspicious ASPX file creation events indicative of malicious activity. The detection logic helps defenders identify potential web shell installations, allowing for timely response and remediation to prevent further compromise. This activity has been observed in exploitation attempts targeting SharePoint servers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, potentially through exploiting a vulnerability in a web application or service running on the server (e.g., SharePoint).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised web application to upload a malicious ASPX file to a directory within the web server\u0026rsquo;s file system, specifically targeting locations like \u0026ldquo;?:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe uploaded ASPX file contains malicious code designed to provide the attacker with remote access and control over the server.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the execution of the ASPX file by sending a request to the web server, which processes the ASPX file and executes the embedded malicious code.\u003c/li\u003e\n\u003cli\u003eThe web shell allows the attacker to execute arbitrary commands on the server, potentially escalating privileges and moving laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the web shell to establish persistence on the compromised server, ensuring continued access even after the initial vulnerability is patched.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the web shell to exfiltrate sensitive data from the server or to deploy additional malware and tools.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful web shell deployment can lead to complete compromise of the affected server, potentially impacting numerous organizations. Attackers can use web shells to execute arbitrary code, steal sensitive data, and establish persistent access to internal networks. The impact includes data breaches, financial losses, and reputational damage. Successful exploitation of SharePoint vulnerabilities leading to web shell deployment has been observed in the wild.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Web Shell ASPX File Creation in Common Directories\u0026rdquo; to detect suspicious ASPX file creation events, filtering out legitimate processes to reduce false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) to capture file creation events on Windows systems, which is a data source for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u0026ldquo;Web Shell ASPX File Creation in Common Directories\u0026rdquo; by examining the file path, creating process, and network activity around the time of the event.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting ASPX files in common web server directories, as referenced in the rule description.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-12-14T14:30:00Z","date_published":"2024-12-14T14:30:00Z","id":"/briefs/2024-12-potential-web-shell-aspx-file-creation/","summary":"The creation of ASPX files in web server directories, excluding legitimate processes, indicates potential web shell deployment for persistence on Windows systems.","title":"Potential Web Shell ASPX File Creation","url":"https://feed.craftedsignal.io/briefs/2024-12-potential-web-shell-aspx-file-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["OneDrive","Chrome","Brave","Opera","Discord","Slack","Microsoft 365","SharePoint"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","windows","threat-detection"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Google","Brave Software","Opera","Discord","Slack"],"content_html":"\u003cp\u003eAdversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in. This detection focuses on identifying connections from Windows hosts to a predefined list of commonly abused web services from processes running outside of typical program installation directories, indicating a potential C2 channel leveraging legitimate services. The rule aims to detect this behavior by monitoring network connections and DNS requests originating from unusual locations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved via an unknown method (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eMalware is installed on the victim\u0026rsquo;s system, likely outside typical program directories.\u003c/li\u003e\n\u003cli\u003eThe malware establishes a DNS connection to a commonly abused web service (e.g., pastebin.com, raw.githubusercontent.com) to obscure C2 traffic.\u003c/li\u003e\n\u003cli\u003eThe malware sends encrypted or encoded commands to the web service.\u003c/li\u003e\n\u003cli\u003eThe web service acts as an intermediary, relaying the commands to the attacker\u0026rsquo;s C2 server.\u003c/li\u003e\n\u003cli\u003eThe C2 server responds with instructions, which are then relayed back to the compromised host through the same web service.\u003c/li\u003e\n\u003cli\u003eThe malware executes the received commands, potentially leading to data exfiltration, lateral movement, or other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access and control over the compromised system using the web service as a hidden C2 channel.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to data theft, system compromise, and further propagation within the network. Because commonly used web services are involved, the malicious activity can blend in with legitimate network traffic, making it difficult to detect. The impact can range from minor data breaches to complete network compromise, depending on the attacker\u0026rsquo;s objectives and the level of access gained.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Commonly Abused Web Services via DNS\u003c/code\u003e to your SIEM to identify suspicious DNS queries to known C2 web services originating from anomalous processes.\u003c/li\u003e\n\u003cli\u003eEnable DNS query logging on Windows endpoints to provide the data source required for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview network connection logs for processes outside standard installation directories communicating with domains listed in the \u003ccode\u003equery\u003c/code\u003e section of the Sigma rule to identify potential C2 activity.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of compromised hosts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"/briefs/2024-01-04-c2-web-services/","summary":"This rule detects command and control activity using common web services by identifying Windows hosts making DNS requests to a list of commonly abused web services from processes outside of known program locations, potentially indicating adversaries attempting to blend malicious traffic with legitimate network activity.","title":"Detection of Command and Control Activity via Commonly Abused Web Services","url":"https://feed.craftedsignal.io/briefs/2024-01-04-c2-web-services/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["SharePoint"],"_cs_severities":["medium"],"_cs_tags":["soc","metrics","threat-hunting","detection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe National Cyber Security Centre (NCSC) blog post highlights the detrimental effects of using inappropriate metrics to evaluate SOC performance. Focusing on easily quantifiable metrics like \u0026lsquo;number of tickets processed\u0026rsquo;, \u0026lsquo;time taken to close a ticket\u0026rsquo;, \u0026lsquo;number of detection rules written\u0026rsquo;, and \u0026lsquo;volume of logs collected\u0026rsquo; can incentivize analysts to prioritize metric optimization over effective threat detection. These perverse incentives can lead to a high number of false positives, alert fatigue, and a failure to identify genuine security incidents. The blog emphasizes the importance of focusing on metrics that truly reflect a SOC\u0026rsquo;s efficacy in detecting and responding to attacks in a timely manner, using red and purple teaming to simulate attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThis attack chain describes how an attacker might evade detection in a SOC environment using ineffective metrics.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Foothold:\u003c/strong\u003e An attacker gains initial access via a vulnerability or credential compromise. This is not directly measured by common SOC metrics.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInternal Reconnaissance:\u003c/strong\u003e The attacker performs internal reconnaissance, such as \u003ccode\u003esearching for passwords in a SharePoint\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses discovered credentials to move laterally within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Access:\u003c/strong\u003e The attacker accesses sensitive data, potentially including intellectual property or personal information.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration Preparation:\u003c/strong\u003e The attacker prepares the data for exfiltration, such as compressing or encrypting it.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration:\u003c/strong\u003e The attacker exfiltrates the data to an external server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence mechanisms to maintain access for future operations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their objective, which could be data theft, system disruption, or financial gain. The lack of focus on TTD/TTR means the breach goes unnoticed until significant damage is done.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe use of poor metrics can lead to a significant increase in dwell time, allowing attackers more time to achieve their objectives. Organizations may experience data breaches, financial losses, reputational damage, and regulatory fines. The NCSC observed SOCs with great potential rendered entirely ineffective through poor choice and application of metrics. If \u0026ldquo;time to close a ticket\u0026rdquo; is prioritized, analysts may quickly dismiss alerts as false positives, missing crucial indicators of a real attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement TTD/TTR as primary metrics to measure SOC effectiveness, using red/purple teaming to generate data.\u003c/li\u003e\n\u003cli\u003ePrioritize hypothesis-led threat hunting to proactively identify potential threats and improve detection capabilities.\u003c/li\u003e\n\u003cli\u003eEstablish and maintain hard thresholds for false positive rates to minimize alert fatigue and ensure analysts focus on genuine threats.\u003c/li\u003e\n\u003cli\u003eEvaluate and refine detection rules to maximize true positives and minimize false positives.\u003c/li\u003e\n\u003cli\u003eFocus on the value of collected logs rather than sheer volume to ensure relevant data is available for threat detection.\u003c/li\u003e\n\u003cli\u003eDevelop detection rules based on an understanding of the likely attackers and the techniques described in the overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-02-soc-metrics/","summary":"Poorly chosen performance metrics can significantly impair a SOC's ability to detect and respond to threats, leading to ineffective security operations and potential compromise.","title":"Impact of Poor Security Operation Center (SOC) Metrics","url":"https://feed.craftedsignal.io/briefs/2024-01-02-soc-metrics/"}],"language":"en","title":"CraftedSignal Threat Feed — SharePoint","version":"https://jsonfeed.org/version/1.1"}