https://feed.craftedsignal.io/products/slack/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 31 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-suspicious-comm-app-child-process/Wed, 31 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-suspicious-comm-app-child-process/The detection rule identifies suspicious child processes spawned from communication applications on Windows systems, potentially indicating masquerading or exploitation of vulnerabilities within these applications.This detection rule focuses on identifying suspicious child processes of communication applications such as Slack, Cisco Webex, Microsoft Teams, Discord, WhatsApp, Zoom, and Thunderbird on Windows operating systems. Attackers may attempt to masquerade as legitimate processes or exploit vulnerabilities in these applications to execute malicious code. The rule monitors for the creation of child processes by these communication apps and checks if those child processes are unexpected, untrusted, or lack a valid code signature. This detection is crucial because successful exploitation can lead to unauthorized access, data exfiltration, or further compromise of the system. The rule has been actively maintained since August 2023, with updates as recent as May 2026, indicating its relevance and ongoing refinement to address emerging threats.

Attack Chain

1. User launches a communication application (e.g., Slack, Teams, Webex).
2. The communication application executes a vulnerable or compromised component.
3. The compromised component spawns a child process (e.g., powershell.exe, cmd.exe).
4. The child process executes a malicious command or script.
5. The script attempts to download additional payloads from an external source.
6. The payload executes, establishing persistence through registry modification or scheduled tasks.
7. The attacker gains remote access to the system.
8. Data exfiltration or lateral movement within the network occurs.

Impact

A successful attack can lead to the compromise of sensitive data, installation of malware, and potential lateral movement within the organization’s network. By exploiting communication applications, attackers can gain access to internal communications, confidential documents, and user credentials. The number of affected users and the extent of the damage depend on the compromised application and the attacker’s objectives. If successful, this attack may lead to significant financial loss, reputational damage, and disruption of business operations.

Recommendation

• Deploy the Sigma rule Suspicious Communication App Child Process to your SIEM to detect anomalous child processes spawned by communication applications and tune for your environment.
• Enable process creation logging with command line arguments in Windows to ensure that the Sigma rule has the necessary data to function correctly (logsource: process_creation, product: windows).
• Investigate any alerts generated by the rule and review the command line arguments of the spawned processes to identify potential malicious activity.
• Implement application whitelisting to restrict the execution of unauthorized applications and reduce the attack surface.
• Ensure that all communication applications are updated to the latest versions to patch known vulnerabilities and reduce the risk of exploitation.
• Examine the network activity of the affected system to identify any suspicious outbound connections that may indicate data exfiltration or communication with a command and control server, referencing the setup guide.

]]>mediumadvisorydefense-evasionpersistencewindowshttps://feed.craftedsignal.io/briefs/2024-01-04-c2-web-services/Thu, 04 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-04-c2-web-services/This rule detects command and control activity using common web services by identifying Windows hosts making DNS requests to a list of commonly abused web services from processes outside of known program locations, potentially indicating adversaries attempting to blend malicious traffic with legitimate network activity.Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in. This detection focuses on identifying connections from Windows hosts to a predefined list of commonly abused web services from processes running outside of typical program installation directories, indicating a potential C2 channel leveraging legitimate services. The rule aims to detect this behavior by monitoring network connections and DNS requests originating from unusual locations.

Attack Chain

1. Initial access is achieved via an unknown method (e.g., phishing, exploit).
2. Malware is installed on the victim’s system, likely outside typical program directories.
3. The malware establishes a DNS connection to a commonly abused web service (e.g., pastebin.com, raw.githubusercontent.com) to obscure C2 traffic.
4. The malware sends encrypted or encoded commands to the web service.
5. The web service acts as an intermediary, relaying the commands to the attacker’s C2 server.
6. The C2 server responds with instructions, which are then relayed back to the compromised host through the same web service.
7. The malware executes the received commands, potentially leading to data exfiltration, lateral movement, or other malicious activities.
8. The attacker maintains persistent access and control over the compromised system using the web service as a hidden C2 channel.

Impact

Successful exploitation can lead to data theft, system compromise, and further propagation within the network. Since commonly used web services are utilized, the malicious activity can blend in with legitimate network traffic, making it difficult to detect. The impact can range from minor data breaches to complete network compromise, depending on the attacker’s objectives and the level of access gained.

Recommendation

• Deploy the Sigma rule Detect Commonly Abused Web Services via DNS to your SIEM to identify suspicious DNS queries to known C2 web services originating from anomalous processes.
• Enable DNS query logging on Windows endpoints to provide the data source required for the Sigma rule.
• Review network connection logs for processes outside standard installation directories communicating with domains listed in the query section of the Sigma rule to identify potential C2 activity.
• Implement network segmentation to limit the potential impact of compromised hosts.

]]>mediumadvisorycommand-and-controlwindowsthreat-detectionhttps://feed.craftedsignal.io/briefs/2024-01-03-unusual-mozglue-load/Wed, 03 Jan 2024 14:30:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-unusual-mozglue-load/Detection of processes loading Mozilla NSS/Mozglue libraries (mozglue.dll, nss3.dll) outside of known Mozilla applications, potentially indicating malware or unauthorized activity.This brief focuses on detecting anomalous loading of Mozilla NSS (Network Security Services) and Mozglue libraries (specifically mozglue.dll and nss3.dll) by processes other than known Mozilla applications like Firefox and Thunderbird. The technique leverages Windows Sysmon Event ID 7 (ImageLoaded) to identify such instances. This activity is flagged as suspicious because legitimate software rarely loads these libraries outside of the intended Mozilla ecosystem. Attackers may attempt to load these libraries into other processes to perform malicious actions such as code injection, data exfiltration, or credential theft, while masquerading as legitimate software. This detection is crucial for identifying potentially compromised systems and preventing further damage.

Attack Chain

1. Initial Access: An attacker gains initial access to the system, possibly through phishing, exploiting a vulnerability, or using stolen credentials.
2. Persistence: The attacker establishes persistence on the system, ensuring continued access even after a reboot. This may involve creating scheduled tasks or modifying registry keys.
3. Privilege Escalation: The attacker elevates privileges to gain higher-level access to the system. This can be achieved through exploiting kernel vulnerabilities or misconfigured services.
4. Malware Installation: The attacker deploys malware or malicious tools onto the compromised system. This may involve downloading executables or scripts from a remote server.
5. Code Injection: The attacker injects malicious code into a legitimate process. This is often done to evade detection and execute malicious commands in a trusted context. In this scenario, the injected code might leverage Mozilla NSS/Mozglue libraries.
6. Credential Theft: The injected code attempts to steal credentials stored on the system. This may involve accessing LSASS memory or extracting credentials from web browsers.
7. Data Exfiltration: The attacker exfiltrates sensitive data from the compromised system. This may involve compressing data and transferring it to a remote server using protocols like HTTP or FTP.
8. Lateral Movement/Impact: Using stolen credentials or the compromised system as a pivot, the attacker moves laterally within the network to compromise additional systems, or achieves their ultimate objective, such as ransomware deployment or intellectual property theft.

Impact

Successful exploitation and anomalous loading of Mozilla libraries can lead to significant damage, including data breaches, financial loss, and reputational damage. Stolen credentials can be used to access sensitive systems and data, while injected code can disrupt critical business processes. The scope can range from individual workstations to entire networks, depending on the attacker’s objectives and level of access. The detection helps prevent credential theft, data exfiltration, and lateral movement.

Recommendation

• Enable Sysmon Event ID 7 (ImageLoaded) logging on all Windows endpoints to ensure visibility into loaded modules (reference: data_source).
• Deploy the Sigma rule Unusual Mozilla NSS/Mozglue Module Load by Non-Mozilla Process to your SIEM and tune the process exceptions for your environment (reference: rules).
• Investigate any instances where Mozilla NSS/Mozglue libraries are loaded by processes not explicitly allowed in the exception list to determine if malicious activity is occurring (reference: search).
• Correlate detections of unusual Mozilla library loading with other suspicious activity, such as network connections to known malicious domains or the execution of unusual processes, to identify potential compromises (reference: tags).
• Review and update the list of legitimate applications that may load Mozilla NSS/Mozglue libraries in your environment to reduce false positives (reference: known_false_positives).

]]>highadvisorydefense-evasionanomalywindowshttps://feed.craftedsignal.io/briefs/2024-01-masquerading-communication-apps/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-masquerading-communication-apps/Attackers may attempt to evade defenses by masquerading malicious processes as legitimate communication applications such as Slack, WebEx, Teams, Discord, RocketChat, Mattermost, WhatsApp, Zoom, Outlook and Thunderbird.Attackers may attempt to evade defenses by masquerading malicious processes as legitimate communication applications. This involves using names and icons that resemble trusted applications like Slack, WebEx, Teams, Discord, RocketChat, Mattermost, WhatsApp, Zoom, Outlook and Thunderbird to trick users and bypass security measures. This technique can be used to conceal malicious activity, bypass allowlists, or trick users into executing malware. The detection rule identifies suspicious instances by checking for unsigned or improperly signed processes, ensuring they match known trusted signatures, which helps in flagging potential threats that mimic trusted communication tools.

Attack Chain

1. An attacker gains initial access to a Windows system through various means such as phishing or exploiting a vulnerability.
2. The attacker deploys a malicious executable onto the compromised system.
3. The attacker renames the malicious executable to resemble a legitimate communication application, such as “slack.exe” or “Teams.exe”.
4. The attacker modifies or removes the code signature of the malicious executable to avoid detection based on trusted publishers.
5. The attacker executes the renamed and potentially unsigned malicious executable.
6. The masqueraded process performs malicious actions, such as establishing a reverse shell or downloading additional payloads.
7. The attacker uses the compromised system to move laterally within the network, escalating privileges and compromising additional systems.
8. The final objective is to exfiltrate sensitive data or deploy ransomware.

Impact

Successful masquerading attacks can lead to significant security breaches, including data theft, system compromise, and financial loss. By disguising malicious processes as legitimate communication apps, attackers can bypass security controls and operate undetected for extended periods. This can result in widespread damage and disruption, as well as reputational damage for the targeted organization. The impact can range from a few compromised systems to a complete network takeover, depending on the attacker’s objectives and the effectiveness of the masquerading technique.

Recommendation

• Deploy the Sigma rule “Potential Masquerading as Communication Apps - Generic” to your SIEM and tune for your environment to detect unsigned or improperly signed communication applications.
• Deploy the Sigma rule “Potential Masquerading as Communication Apps - Specific” to your SIEM and tune for your environment to detect unsigned or improperly signed instances of specific communication applications.
• Enable process creation logging on Windows systems to capture the necessary events for the Sigma rules.
• Review and validate the code signatures of all communication apps on your systems to ensure they are properly signed by trusted entities.
• Implement application control policies to restrict the execution of unsigned or untrusted executables.

]]>mediumadvisorydefense-evasionmasqueradingwindowshttps://feed.craftedsignal.io/briefs/2024-01-masquerading-business-apps/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-masquerading-business-apps/Attackers masquerade malicious executables as legitimate business application installers to trick users into downloading and executing malware, leveraging defense evasion and initial access techniques.Attackers often attempt to trick users into downloading and executing malicious executables by disguising them as legitimate business applications. This tactic is used to bypass security measures and gain initial access to a system. These malicious executables, often distributed via malicious ads, forum posts, and tutorials, mimic the names of commonly used applications such as Slack, WebEx, Teams, Discord, and Zoom. The executables are typically unsigned or signed with invalid certificates to further evade detection. This allows the attacker to execute arbitrary code on the victim’s machine, potentially leading to further compromise. This campaign aims to target end-users who are less security-aware, and this makes social engineering attacks like this very effective.

Attack Chain

1. The user visits a compromised website or clicks on a malicious advertisement.
2. The user is prompted to download an installer file masquerading as a legitimate business application (e.g., Slack, Zoom, Teams) from a download directory.
3. The downloaded executable is placed in the user’s Downloads folder (e.g., C:\Users*\Downloads*).
4. The user executes the downloaded file.
5. The executable, lacking a valid code signature, begins execution.
6. The malicious installer may drop and execute additional malware components.
7. The malware establishes persistence, potentially using techniques such as registry key modification.
8. The malware performs malicious activities, such as data exfiltration or lateral movement.

Impact

Successful execution of a masqueraded business application installer can lead to a complete system compromise. The attacker gains initial access and can deploy various malware payloads, including ransomware, keyloggers, and data stealers. This can result in data breaches, financial loss, and reputational damage. Although the specific number of victims and sectors targeted are not detailed, the widespread use of the applications being spoofed (Slack, Zoom, etc.) suggests a broad potential impact.

Recommendation

• Implement the Sigma rule Potential Masquerading as Business App Installer to detect unsigned executables resembling legitimate business applications in download directories.
• Enable process creation logging to capture the execution of unsigned executables.
• Educate users on the risks of downloading and executing files from untrusted sources.
• Implement application whitelisting to restrict the execution of unauthorized applications.
• Regularly update endpoint detection and response (EDR) tools to detect and prevent the execution of known malware.
• Monitor process execution events for processes originating from the Downloads folder that lack valid code signatures.

]]>mediumadvisorymasqueradingdefense-evasioninitial-accessmalwarewindows