{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/splunk-cloud/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","ransomware","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eAttackers, particularly ransomware groups, often disable or manipulate event logs to cover their tracks and hinder forensic investigations. This activity typically occurs post-compromise as part of an attacker\u0026rsquo;s defense evasion strategy. The use of \u003ccode\u003ewevtutil.exe\u003c/code\u003e, a legitimate Windows command-line utility, makes this technique challenging to detect without specific monitoring. Ransomware actors disable logging to operate undetected, making it difficult for security teams to trace malicious activities and respond effectively. This can prolong the dwell time of the attacker within the environment and increase the potential for widespread damage, data exfiltration, or system encryption.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through typical methods like phishing or exploiting public-facing vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker executes code on the compromised system, achieving initial foothold.\u003c/li\u003e\n\u003cli\u003ePrivilege escalation techniques are employed to gain elevated permissions (e.g., using exploits, token manipulation).\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ewevtutil.exe\u003c/code\u003e with specific commands to disable or clear event logs. 
Example commands include \u003ccode\u003ewevtutil.exe sl \u0026lt;logname\u0026gt; false\u003c/code\u003e or \u003ccode\u003ewevtutil.exe set-log \u0026lt;logname\u0026gt; /enabled:false\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker disables specific event channels to remove evidence of their activity.\u003c/li\u003e\n\u003cli\u003ePersistence mechanisms are established to maintain access across reboots (e.g., creating scheduled tasks, modifying registry keys).\u003c/li\u003e\n\u003cli\u003eLateral movement is initiated to compromise additional systems within the network using tools like PsExec or SMB shares.\u003c/li\u003e\n\u003cli\u003eThe final objective, such as ransomware deployment or data exfiltration, is executed, with logging disabled to minimize the chances of detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of event logs allows attackers to operate undetected, hindering forensic investigations and incident response efforts. This can lead to delayed detection of breaches, prolonged dwell time for attackers, and increased damage to affected organizations. 
Ransomware groups frequently use this technique to maximize the impact of their attacks, resulting in data encryption, exfiltration, and significant financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to detect the execution of \u003ccode\u003ewevtutil.exe\u003c/code\u003e with suspicious parameters.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM to detect specific command-line arguments used to disable event logs.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Event Log Security (4688) for process creation events of \u003ccode\u003ewevtutil.exe\u003c/code\u003e with arguments related to disabling or clearing logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where \u003ccode\u003ewevtutil.exe\u003c/code\u003e is executed with parameters like \u003ccode\u003esl\u003c/code\u003e or \u003ccode\u003eset-log\u003c/code\u003e and \u003ccode\u003e/e:false\u003c/code\u003e or \u003ccode\u003e/enabled:false\u003c/code\u003e in the command line, as highlighted in the provided Sigma rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T16:30:00Z","date_published":"2024-01-04T16:30:00Z","id":"/briefs/2024-01-disable-logs-wevtutil/","summary":"The execution of `wevtutil.exe` with parameters to disable event logs is a tactic commonly employed by ransomware to evade detection and hinder forensic investigations, leading to a significant reduction in visibility for defenders.","title":"Detection of Wevtutil.exe Used to Disable Event Logs","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-logs-wevtutil/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell","Splunk Enterprise","Splunk Enterprise Security","Splunk 
Cloud"],"_cs_severities":["high"],"_cs_tags":["process-injection","powershell","pinvoke","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts leveraging the P/Invoke (Platform Invoke) technology to perform process injection. P/Invoke allows managed code (like PowerShell) to call unmanaged functions exported from DLLs, including critical Windows API functions. Attackers use this to inject malicious code into legitimate processes for evasion and persistence. The detection focuses on identifying specific API chains commonly used in process injection techniques, such as allocating memory in a target process (VirtualAlloc), writing malicious code into the allocated memory (WriteProcessMemory), and executing the injected code (CreateRemoteThread). This activity is often associated with malware deployment, privilege escalation, and defense evasion. The detection logic is designed to identify these API chains either at the compile phase using Add-Type or during the execution phase, alerting on suspicious PowerShell behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003ePowerShell is invoked to execute a malicious script.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script uses Add-Type and DllImport to declare external functions from Windows DLLs, including kernel32.dll and ntdll.dll.\u003c/li\u003e\n\u003cli\u003eThe script uses functions such as OpenProcess to gain a handle to a target process.\u003c/li\u003e\n\u003cli\u003eVirtualAllocEx is called to allocate memory within the target process.\u003c/li\u003e\n\u003cli\u003eWriteProcessMemory is used to write malicious code into the allocated memory region of the target process.\u003c/li\u003e\n\u003cli\u003eCreateRemoteThread is 
called to create a new thread within the target process, pointing to the injected code.\u003c/li\u003e\n\u003cli\u003eThe injected code executes within the context of the target process, achieving code execution and potential privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful process injection allows attackers to execute arbitrary code within the context of a trusted process, bypassing security controls and potentially gaining elevated privileges. This can lead to data theft, system compromise, or further propagation within the network. The use of PowerShell and P/Invoke makes detection more challenging, as the activity can blend in with legitimate system administration tasks. A successful attack could lead to the deployment of a VIP Keylogger or other malware, as noted in the provided references.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (Event ID 4104) to provide the necessary data for detection (data_source).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePowerShell PInvoke Process Injection\u003c/code\u003e to your SIEM and tune the rule to your environment (rules).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the specific API chains identified in the \u003ccode\u003edetection\u003c/code\u003e section of the rule.\u003c/li\u003e\n\u003cli\u003eReview PowerShell execution policies and restrict the execution of unsigned scripts to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"/briefs/2024-01-powershell-pinvoke-process-injection/","summary":"This analytic detects PowerShell code that uses P/Invoke to call Windows API functions associated with process injection, such as VirtualAlloc, WriteProcessMemory, and 
CreateRemoteThread, indicating potential malicious activity.","title":"PowerShell P/Invoke Process Injection API Chain Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-pinvoke-process-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["powershell","cryptography","malware","asyncrat","xworm","vip keylogger"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting suspicious PowerShell activity involving the System.Security.Cryptography namespace, excluding common hashing algorithms like SHA and MD5. The detection leverages Windows PowerShell Script Block Logging (EventCode 4104) to identify scripts using cryptographic functions. This is significant because malware often uses cryptography to decrypt or decode additional malicious payloads, which can lead to further code execution, privilege escalation, or persistence within the compromised environment. The technique is commonly used by malware families like AsyncRAT, XWorm, and VIP Keylogger. 
Defenders should investigate the parent process of such scripts, the decrypted data, network connections established by the script, and the user context in which the script is executed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script utilizes the \u003ccode\u003eSystem.Security.Cryptography\u003c/code\u003e namespace to perform cryptographic operations.\u003c/li\u003e\n\u003cli\u003eThe script decrypts or decodes a malicious payload (e.g., a second-stage executable or configuration file).\u003c/li\u003e\n\u003cli\u003eThe decrypted payload is written to disk or loaded directly into memory.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the decrypted payload, potentially establishing persistence via registry keys or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe malware leverages the established persistence mechanism for long-term access.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions such as data exfiltration, lateral movement, or remote command execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass security measures by hiding malicious code within encrypted payloads. This can lead to data theft, system compromise, and further propagation within the network. Malware families like AsyncRAT, XWorm, and VIP Keylogger use this technique to maintain persistence and perform malicious activities undetected. 
The impact can range from individual workstation compromise to large-scale data breaches depending on the attacker\u0026rsquo;s objectives and the compromised system\u0026rsquo;s role within the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging on all endpoints to generate the necessary logs (EventCode 4104) for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious PowerShell Cryptography Namespace Usage\u003c/code\u003e to your SIEM to detect the described activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the parent process, decrypted data, network connections, and the user executing the script.\u003c/li\u003e\n\u003cli\u003eReview and tune the Sigma rule \u003ccode\u003eDetect Suspicious PowerShell Cryptography Namespace Usage\u003c/code\u003e based on your environment\u0026rsquo;s specific needs and known-good PowerShell usage to reduce false positives.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted PowerShell scripts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:00:00Z","date_published":"2024-01-03T18:00:00Z","id":"/briefs/2024-01-powershell-cryptography/","summary":"The analytic detects suspicious PowerShell script execution involving the cryptography namespace (excluding SHA and MD5) via EventCode 4104, often associated with malware that decrypts or decodes additional malicious payloads leading to further code execution, privilege escalation, or persistence.","title":"Suspicious PowerShell Script Using Cryptography Namespace","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-cryptography/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Firefox","Splunk Enterprise","Splunk Enterprise Security","Splunk 
Cloud"],"_cs_severities":["high"],"_cs_tags":["credential-access","malware","firefox"],"_cs_type":"advisory","_cs_vendors":["Mozilla","Splunk"],"content_html":"\u003cp\u003eThis detection focuses on identifying unauthorized access to Firefox profile directories. The Firefox profile directory stores sensitive user data, including login credentials, browsing history, and cookies. When a non-Firefox process accesses this directory, it could be an indicator of malicious activity, such as a Remote Access Trojan (RAT) or other malware attempting to steal user information. The analytic leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This is relevant because successful credential theft can lead to account compromise, data breaches, and further propagation of malware within the network. The threat encompasses a broad range of malware families, including stealers (Azorult, RedLine Stealer, 0bj3ctivity Stealer), RATs (Remcos, Quasar RAT, Warzone RAT), keyloggers (Snake Keylogger, VIP Keylogger), and other malware like DarkGate, NjRAT, AgentTesla, and Lokibot. 
The activity has been observed in campaigns such as CISA AA23-347A and the 3CX Supply Chain Attack.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user executes a malicious file, potentially delivered via phishing or drive-by download (not covered in source).\u003c/li\u003e\n\u003cli\u003eThe malicious file executes and establishes persistence on the system.\u003c/li\u003e\n\u003cli\u003eThe malware attempts to access the Firefox profile directory, located at \u003ccode\u003e*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles*\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eWindows Security Event 4663 is generated, logging the access attempt to the Firefox profile directory.\u003c/li\u003e\n\u003cli\u003eThe malware reads sensitive data, such as login credentials, cookies, and browsing history, from the profile directory.\u003c/li\u003e\n\u003cli\u003eThe stolen data is exfiltrated to a command-and-control (C2) server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to gain unauthorized access to user accounts and sensitive systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and credential theft can lead to a wide range of negative outcomes, including unauthorized access to sensitive data, financial fraud, and further compromise of systems within the organization. The impact can range from individual user account compromise to large-scale data breaches affecting thousands of users. Industries heavily reliant on web-based applications and sensitive user data, such as finance, healthcare, and e-commerce, are particularly vulnerable. 
The consequences include financial losses, reputational damage, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Object Access\u0026rdquo; in Group Policy and configure it to log both success and failure events for object access to activate the underlying log source required for this detection.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect non-Firefox processes accessing Firefox profile directories.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, paying close attention to the \u003ccode\u003eProcessName\u003c/code\u003e and \u003ccode\u003eObjectName\u003c/code\u003e to identify potentially malicious processes and the specific profile data being accessed.\u003c/li\u003e\n\u003cli\u003eReview and update your organization\u0026rsquo;s security policies to restrict unauthorized access to sensitive user data.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:22:32Z","date_published":"2024-01-03T15:22:32Z","id":"/briefs/2024-01-firefox-profile-access/","summary":"This analytic detects non-Firefox processes accessing the Firefox profile directory, potentially indicating malware attempting to harvest sensitive user data like login credentials, browsing history, and cookies.","title":"Non-Firefox Process Accessing Firefox Profile Directory","url":"https://feed.craftedsignal.io/briefs/2024-01-firefox-profile-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["time-based-evasion","malware","persistence","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis brief focuses on the detection of \u003ccode\u003echoice.exe\u003c/code\u003e being used within batch files as a 
time-delay tactic, a technique notably employed by the SnakeKeylogger malware. The analysis leverages data from Endpoint Detection and Response (EDR) agents, scrutinizing process names and command-line executions. This behavior is significant because it suggests the implementation of time-based evasion techniques designed to circumvent detection mechanisms. Successful evasion could enable attackers to execute malicious code covertly, remove incriminating files, and establish persistent access on compromised systems. The use of \u003ccode\u003echoice.exe\u003c/code\u003e for such purposes warrants immediate investigation by security operations center (SOC) analysts due to the potential for significant system compromise and data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access via an unknown vector.\u003c/li\u003e\n\u003cli\u003eA batch script is executed on the target system.\u003c/li\u003e\n\u003cli\u003eThe batch script uses \u003ccode\u003echoice.exe\u003c/code\u003e with the \u003ccode\u003e/T\u003c/code\u003e and \u003ccode\u003e/N\u003c/code\u003e parameters to introduce a time delay. 
The \u003ccode\u003e/T\u003c/code\u003e parameter specifies a timeout period, and the \u003ccode\u003e/N\u003c/code\u003e parameter suppresses the display of choices.\u003c/li\u003e\n\u003cli\u003eThis delay allows the malware to evade time-sensitive detection mechanisms.\u003c/li\u003e\n\u003cli\u003eAfter the delay, the script executes further commands, potentially downloading and executing a payload.\u003c/li\u003e\n\u003cli\u003eThe payload executes, installing a keylogger such as SnakeKeylogger or 0bj3ctivity Stealer.\u003c/li\u003e\n\u003cli\u003eThe keylogger captures sensitive information such as keystrokes and clipboard data.\u003c/li\u003e\n\u003cli\u003eThe stolen data is exfiltrated to a remote server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems can lead to data theft, intellectual property loss, and financial fraud. SnakeKeylogger and similar malware have been used to steal credentials and sensitive information from various targets. Successful exploitation could result in significant financial losses, reputational damage, and legal liabilities. 
The number of victims and the extent of the damage depend on the attacker\u0026rsquo;s objectives and the compromised systems\u0026rsquo; value.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Choice.exe Time Delay\u003c/code\u003e to your SIEM to detect the use of \u003ccode\u003echoice.exe\u003c/code\u003e with time-delay parameters (log source: \u003ccode\u003eprocess_creation\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the necessary process execution data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003echoice.exe\u003c/code\u003e being used with the \u003ccode\u003e/T\u003c/code\u003e and \u003ccode\u003e/N\u003c/code\u003e parameters to determine if it is part of a malicious script.\u003c/li\u003e\n\u003cli\u003eBlock the execution of unsigned or untrusted batch scripts to prevent the initial execution of the malicious code.\u003c/li\u003e\n\u003cli\u003eMonitor endpoint activity for suspicious processes and network connections originating from systems where \u003ccode\u003echoice.exe\u003c/code\u003e has been detected.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-time-based-evasion-choice/","summary":"Detection of choice.exe used in batch files for time-based evasion, a technique observed in SnakeKeylogger malware, indicating potential stealthy code execution and persistence.","title":"Windows Time-Based Evasion via Choice Exec","url":"https://feed.craftedsignal.io/briefs/2024-01-time-based-evasion-choice/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk 
Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","privilege-escalation","windows"],"_cs_type":"advisory","_cs_vendors":["McAfee","Splunk"],"content_html":"\u003cp\u003eThis analytic detects changes in a service\u0026rsquo;s security descriptor where a new deny ACE (Access Control Entry) has been added using \u003ccode\u003esc.exe\u003c/code\u003e. The \u003ccode\u003esc.exe\u003c/code\u003e utility is a command-line tool used for managing Windows services. Adversaries can use \u003ccode\u003esc.exe\u003c/code\u003e with the \u003ccode\u003esdset\u003c/code\u003e flag to modify the security descriptor of a service, adding a deny ACE to specific groups (e.g., Authenticated Users, Built-in Administrators, System). This can lead to privilege escalation by preventing legitimate administrators or services from managing the tampered service. The Sophos Glupteba report highlights similar techniques used for defense evasion. This activity is related to MITRE ATT\u0026amp;CK T1564.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe adversary gains initial access to the target system.\u003c/li\u003e\n\u003cli\u003eThe adversary identifies a target service with desirable characteristics for manipulation.\u003c/li\u003e\n\u003cli\u003eThe adversary executes \u003ccode\u003esc.exe\u003c/code\u003e with the \u003ccode\u003esdset\u003c/code\u003e command to modify the service\u0026rsquo;s security descriptor.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esdset\u003c/code\u003e command includes a new deny ACE targeting specific groups like \u0026ldquo;Authenticated Users\u0026rdquo; (\u003ccode\u003eIU\u003c/code\u003e), \u0026ldquo;Built-in Administrators\u0026rdquo; (\u003ccode\u003eBA\u003c/code\u003e), or \u0026ldquo;SYSTEM\u0026rdquo; (\u003ccode\u003eSY\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe new ACE denies specific permissions (e.g., service start, stop, modify) to the targeted 
groups.\u003c/li\u003e\n\u003cli\u003eLegitimate administrators or services are now unable to manage the tampered service due to the deny ACE.\u003c/li\u003e\n\u003cli\u003eThe adversary escalates privileges by exploiting the now-unmanaged service or disabling security products.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows adversaries to hinder or disable critical security services and gain persistence on the compromised endpoint. By adding deny ACEs to service security descriptors, attackers can effectively blind defenses, prevent remediation efforts, and potentially escalate privileges by abusing the tampered service. This can lead to full system compromise and data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line arguments via Sysmon or Windows Event Logging (Security 4688) to capture \u003ccode\u003esc.exe\u003c/code\u003e executions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious sc.exe sdset Execution\u003c/code\u003e to identify suspicious \u003ccode\u003esc.exe\u003c/code\u003e commands modifying service security descriptors.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u003ccode\u003esc.exe\u003c/code\u003e modifying service security descriptors, especially those targeting sensitive services or using the \u0026ldquo;sdset\u0026rdquo; command with deny ACEs.\u003c/li\u003e\n\u003cli\u003eTune the Sigma rule by adding legitimate applications (e.g., McAfee products) to the filter list to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-service-sd-tampering/","summary":"Adversaries may modify service security descriptors to deny access to specific groups, potentially escalating 
privileges and hindering security services, by using sc.exe to set new deny ACEs (Access Control Entries) on Windows services.","title":"Windows Service Security Descriptor Tampering via sc.exe","url":"https://feed.craftedsignal.io/briefs/2024-01-service-sd-tampering/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Network Visibility Module"],"_cs_severities":["high"],"_cs_tags":["endpoint","msiexec","remote-download","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cisco","Splunk"],"content_html":"\u003cp\u003eThe detection focuses on identifying instances where \u003ccode\u003emsiexec.exe\u003c/code\u003e is used with an HTTP or HTTPS URL in the command line. This behavior is indicative of an attempt to download and execute potentially malicious software from a remote server. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant as it may indicate an attempt to download and execute potentially malicious software from a remote server. If confirmed malicious, this could lead to unauthorized code execution, system compromise, or further malware deployment within the network. 
The activity is often used to bypass traditional security controls.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access through various means, such as phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages \u003ccode\u003emsiexec.exe\u003c/code\u003e, a legitimate Windows utility, to download a malicious MSI package from a remote HTTP or HTTPS server.\u003c/li\u003e\n\u003cli\u003eThe command line includes a URL pointing to a malicious MSI file hosted on a compromised or attacker-controlled server.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emsiexec.exe\u003c/code\u003e downloads the MSI package to the victim\u0026rsquo;s machine.\u003c/li\u003e\n\u003cli\u003eThe MSI package is executed, potentially installing malware, creating new files, or modifying system settings.\u003c/li\u003e\n\u003cli\u003eThe installed malware establishes persistence through registry keys or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe malware initiates command and control (C2) communication to receive further instructions.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions on the objective such as data exfiltration or lateral movement within the compromised network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized code execution, system compromise, or further malware deployment within the network. The use of \u003ccode\u003emsiexec.exe\u003c/code\u003e for remote downloads can bypass traditional security controls, allowing attackers to deliver and execute malicious payloads undetected. 
The dfirreport.com article references data exfiltration following exploitation via MSIExec.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to activate the rules below, capturing command-line details (Sysmon EventID 1).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections originating from \u003ccode\u003emsiexec.exe\u003c/code\u003e to external HTTP/HTTPS URLs (Network Visibility Module Flow Data).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003emsiexec.exe\u003c/code\u003e executing with command-line arguments containing HTTP or HTTPS URLs.\u003c/li\u003e\n\u003cli\u003eFilter false positives by destination or parent process as needed based on your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-03-msiexec-remote-download/","summary":"The analytic detects the execution of msiexec.exe with an HTTP or HTTPS URL, which indicates an attempt to download and execute potentially malicious software from a remote server, leading to potential unauthorized code execution, system compromise, or malware deployment.","title":"Suspicious MSIExec Remote Download","url":"https://feed.craftedsignal.io/briefs/2024-01-03-msiexec-remote-download/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["wscript","cscript","lolbin","malware","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis detection identifies suspicious child processes spawned by Windows Script Host (WScript) or CScript. 
Adversaries commonly leverage WScript and CScript to execute malicious scripts, LOLBINs (Living Off The Land Binaries), and PowerShell, or inject code into suspended processes as a form of defense evasion. While some legitimate scripts may utilize tools detected by this analytic, it serves as a valuable indicator that a script may be executing suspicious code. Notably, the WhisperGate malware and campaigns by FIN7 have employed similar techniques. This activity has been observed since at least 2022, and continues to be relevant for defenders.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user (unknowingly or through social engineering) executes a malicious script.\u003c/li\u003e\n\u003cli\u003eThe malicious script is interpreted by either \u003ccode\u003ewscript.exe\u003c/code\u003e or \u003ccode\u003ecscript.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script executes a LOLBIN such as \u003ccode\u003eregsvr32.exe\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003ewinhlp32.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003emsbuild.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003epwsh.exe\u003c/code\u003e, \u003ccode\u003ewmic.exe\u003c/code\u003e, or \u003ccode\u003emshta.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe LOLBIN executes further commands or downloads additional payloads. 
\u003ccode\u003eCertutil.exe\u003c/code\u003e may be used to decode and install malicious binaries.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control over the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system as a pivot for lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges and establish persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker may exfiltrate data or deploy ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete system compromise, data theft, and potential ransomware deployment. Organizations across various sectors are vulnerable, as this technique is commonly used by both commodity malware and advanced persistent threat (APT) groups. The WhisperGate malware targeting Ukrainian organizations in 2022 demonstrated the destructive potential of this technique.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) and Windows Event Log Security Auditing (4688) to capture process execution events necessary for the provided rules.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Child Processes Spawned by WScript or CScript\u003c/code\u003e to your SIEM to detect suspicious child processes. 
Tune the rule based on your environment\u0026rsquo;s baseline activity, filtering out any legitimate use cases.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the parent and child processes involved and the commands executed.\u003c/li\u003e\n\u003cli\u003eMonitor endpoint logs for unusual or unexpected process executions originating from WScript or CScript.\u003c/li\u003e\n\u003cli\u003eBlock execution of the LOLBINs (\u003ccode\u003eregsvr32.exe\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003ewinhlp32.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003emsbuild.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003epwsh.exe\u003c/code\u003e, \u003ccode\u003ewmic.exe\u003c/code\u003e, or \u003ccode\u003emshta.exe\u003c/code\u003e) if they are not required in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-03-wscript-cscript-suspicious-child-process/","summary":"Detects suspicious processes spawned by WScript or CScript, a common technique used by adversaries to execute LOLBINs, PowerShell, or inject code into suspended processes for defense evasion.","title":"Suspicious Child Processes Spawned by WScript or CScript","url":"https://feed.craftedsignal.io/briefs/2024-01-03-wscript-cscript-suspicious-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on the abuse of the native Windows utility \u003ccode\u003eattrib.exe\u003c/code\u003e to hide files and directories. 
Attackers use this technique to conceal malicious payloads, tools, or command-and-control infrastructure from both users and security software. By setting the hidden attribute (+h flag), attackers make it more difficult to detect their presence and maintain persistence on compromised systems. This activity is typically observed post-exploitation and can be indicative of more advanced persistent threats. The detection specifically looks for \u003ccode\u003eattrib.exe\u003c/code\u003e command-line arguments including the \u0026ldquo;+h\u0026rdquo; flag. While legitimate uses of \u003ccode\u003eattrib.exe\u003c/code\u003e exist, the use of the \u0026lsquo;+h\u0026rsquo; flag, particularly in sensitive directories, should be investigated.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, often through phishing, exploiting a vulnerability, or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or creates malicious files (e.g., backdoors, scripts) on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eattrib.exe\u003c/code\u003e with the \u0026ldquo;+h\u0026rdquo; flag to hide these malicious files and directories, evading detection. 
Example: \u003ccode\u003eattrib +h C:\\Windows\\Temp\\evil.exe\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe attacker may also hide associated log files or other artifacts to further conceal their activities.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence, ensuring continued access even after system reboots.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network, compromising additional systems and escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which may include data theft, ransomware deployment, or espionage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to hide malicious files and directories, hindering incident response and forensic investigations. This can lead to prolonged periods of undetected malicious activity, increasing the risk of data breaches, financial loss, and reputational damage. The consequences can range from minor disruptions to significant operational impact, depending on the attacker\u0026rsquo;s objectives and the scope of the compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious usage of \u003ccode\u003eattrib.exe\u003c/code\u003e with the \u0026lsquo;+h\u0026rsquo; flag.\u003c/li\u003e\n\u003cli\u003eEnable process-creation logging with command-line arguments on Windows endpoints to ensure the detection rules can be effectively applied (Sysmon Event ID 1 or Windows Event Log Security 4688).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, paying close attention to the parent processes and the context in which \u003ccode\u003eattrib.exe\u003c/code\u003e is being executed.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring (FIM) on critical system directories to 
detect unauthorized file modifications, including attribute changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-attrib-hide-files/","summary":"Detection of attrib.exe being used with the +h flag to hide files and directories on Windows systems, a technique used by attackers for defense evasion and persistence.","title":"Attrib.exe Used to Hide Files and Directories","url":"https://feed.craftedsignal.io/briefs/2024-01-attrib-hide-files/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["msiexec","discovery","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis detection focuses on identifying suspicious behavior where \u003ccode\u003emsiexec.exe\u003c/code\u003e, a legitimate Windows utility for installing, uninstalling, and configuring software, is used to spawn multiple discovery commands. This activity is often associated with attackers attempting to gather system information, enumerate the network, and identify potential targets for lateral movement. The technique is typically observed post-compromise, after initial access has been achieved through other means. This behavior matters to defenders as it is a key indicator of malicious activity and potential privilege escalation or data exfiltration attempts. 
The detection leverages Endpoint Detection and Response (EDR) data, specifically process creation events, to identify instances where \u003ccode\u003emsiexec.exe\u003c/code\u003e is the parent process of common discovery tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through a vulnerability, phishing, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages \u003ccode\u003emsiexec.exe\u003c/code\u003e to execute discovery commands.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emsiexec.exe\u003c/code\u003e spawns processes such as \u003ccode\u003eipconfig.exe\u003c/code\u003e, \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003esysteminfo.exe\u003c/code\u003e, or \u003ccode\u003ewmic.exe\u003c/code\u003e to gather network configuration, user information, and system details.\u003c/li\u003e\n\u003cli\u003eThe attacker uses commands within \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e to execute the discovery commands. For example, \u003ccode\u003ecmd.exe /c ipconfig /all\u003c/code\u003e or \u003ccode\u003epowershell.exe Get-NetIPConfiguration\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker filters the output of these commands to identify valuable information such as domain names, user accounts, and system architecture.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to identify potential targets for lateral movement and privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems using stolen credentials or exploits.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can lead to a comprehensive understanding of the compromised environment. 
Attackers can leverage gathered information to escalate privileges, move laterally to other systems, and ultimately exfiltrate sensitive data or deploy ransomware. The impact could range from a single compromised workstation to a complete network breach, depending on the scope of the attacker\u0026rsquo;s activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process monitoring and command-line logging on all endpoints to capture the necessary data for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMSIExec Spawning Discovery Commands\u003c/code\u003e to your SIEM and tune it to your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003emsiexec.exe\u003c/code\u003e spawning multiple discovery commands, as this behavior is unusual in normal system operations.\u003c/li\u003e\n\u003cli\u003eImplement least privilege principles to limit the impact of compromised accounts and prevent lateral movement.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-msiexec-discovery/","summary":"Detection of msiexec.exe spawning discovery commands indicating potential reconnaissance activity by attackers for system information gathering and lateral movement.","title":"MSIExec Spawning Discovery Commands","url":"https://feed.craftedsignal.io/briefs/2024-01-msiexec-discovery/"},{"_cs_actors":["Snake Keylogger"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["credential-access","stealer","windows"],"_cs_type":"threat","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting unauthorized access to browser password stores, a technique commonly employed by credential-stealing malware such as Snake Keylogger. 
These attackers aim to exfiltrate sensitive information, including stored credentials and browsing history, by accessing browser user data profiles. This activity is detected by monitoring Windows Security Event logs (EventCode 4663) and comparing process access patterns against an expected list of browser applications via the \u003ccode\u003ebrowser_app_list\u003c/code\u003e lookup table. The detection identifies processes that are not recognized as legitimate browser applications but are attempting to access browser user data. This technique has been observed in trojan stealers, where credential access is a key component of their information-gathering strategy. This method allows defenders to quickly pivot and discover potentially malicious processes on the system, such as credential stealers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user downloads and executes a malicious file, often disguised as a legitimate application or document.\u003c/li\u003e\n\u003cli\u003eThe malicious file executes, dropping a stealer component into the system.\u003c/li\u003e\n\u003cli\u003eThe stealer process initiates an attempt to access browser user data profiles.\u003c/li\u003e\n\u003cli\u003eWindows generates a Security Event Log (EventCode 4663) when the stealer attempts to access a browser data file.\u003c/li\u003e\n\u003cli\u003eThe detection analytic identifies processes accessing the browser data folder not present in the \u003ccode\u003ebrowser_app_list\u003c/code\u003e lookup file.\u003c/li\u003e\n\u003cli\u003eThe stealer process reads sensitive information, such as usernames, passwords, and browsing history, from the accessed files.\u003c/li\u003e\n\u003cli\u003eThe collected data is staged for exfiltration, potentially compressed or encrypted.\u003c/li\u003e\n\u003cli\u003eThe stolen credentials and information are exfiltrated to a command-and-control server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to the theft of user credentials, potentially granting attackers unauthorized access to sensitive accounts and systems. This can result in data breaches, financial loss, and reputational damage. The Snake Keylogger, for example, is known to target credentials, potentially impacting a wide range of users and organizations. Other stealers like Meduza Stealer, 0bj3ctivity Stealer, and BlankGrabber Stealer also utilize similar techniques, showing the widespread impact. The impact spans across various sectors, as credential theft is a generic attack applicable to almost any environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Windows Security Event Logging, specifically event code 4663, with auditing enabled for both success and failure events, to capture object access attempts (reference: search description).\u003c/li\u003e\n\u003cli\u003ePopulate and maintain the \u003ccode\u003ebrowser_app_list\u003c/code\u003e lookup table with known and allowed browser processes and their associated paths (reference: search description).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect anomalous processes accessing browser password stores, and tune it for your specific environment (reference: rules).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to identify potentially compromised systems and user accounts (reference: rules).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:22:00Z","date_published":"2024-01-03T14:22:00Z","id":"/briefs/2024-01-browser-credential-access/","summary":"Detection of non-browser processes accessing browser user data folders, a tactic used by malware such as Snake Keylogger to steal credentials and sensitive information.","title":"Suspicious Process Accessing Browser Password 
Store","url":"https://feed.craftedsignal.io/briefs/2024-01-browser-credential-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Secure Access Firewall","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["rdp","bruteforce","credential-access","windows","network"],"_cs_type":"advisory","_cs_vendors":["Cisco","Splunk"],"content_html":"\u003cp\u003eThis analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. It detects potential RDP brute force attacks by identifying source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window. The results are presented in a table that includes the source and destination IPs, destination port, number of attempts, and the times of the first and last connection attempts, helping to prioritize IPs based on the intensity of activity. This activity can lead to account compromise and potential ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker scans the network to identify systems with open RDP ports (TCP 3389).\u003c/li\u003e\n\u003cli\u003eThe attacker initiates multiple RDP connection attempts to a target host, using a list of common usernames and passwords or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe firewall logs each connection attempt, recording the source and destination IPs, ports, and timestamps.\u003c/li\u003e\n\u003cli\u003eSysmon logs the network connections with Event ID 3.\u003c/li\u003e\n\u003cli\u003eThe attacker continues to attempt connections, typically exceeding 10 attempts within an hour.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication, the attacker gains unauthorized access to the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker may then install malware, move laterally, or 
exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker might deploy ransomware like SamSam or Ryuk, as referenced in external reports.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful RDP brute force attacks can lead to unauthorized access to systems, data breaches, malware infections, and ransomware deployment. Compromised systems can be used as a staging point for further attacks within the network. The references indicate that ransomware attacks have been delivered using RDP brute-force techniques.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure network traffic data is populating the Network_Traffic data model to enable the provided search query.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRDP Bruteforce via Network Traffic\u003c/code\u003e to detect brute force attempts based on network connection patterns.\u003c/li\u003e\n\u003cli\u003eAdjust the count and duration thresholds in the detection query to tune the sensitivity for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate source IPs identified by the detection rule as potential attackers.\u003c/li\u003e\n\u003cli\u003eMonitor Sysmon EventID 3 for network connections to detect RDP brute-force attempts.\u003c/li\u003e\n\u003cli\u003eReview the referenced Zscaler and ReliaQuest articles for additional context and mitigation strategies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-rdp-bruteforce/","summary":"This detection identifies potential RDP brute force attacks by monitoring network traffic for RDP application activity by detecting source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window.","title":"Windows Remote Desktop Network Bruteforce 
Attempt","url":"https://feed.craftedsignal.io/briefs/2024-01-rdp-bruteforce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["discovery","windows","netsh","firewall"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis detection focuses on identifying instances where the \u003ccode\u003enetsh.exe\u003c/code\u003e utility is used to query firewall configurations on a Windows system. While \u003ccode\u003enetsh.exe\u003c/code\u003e is a legitimate tool for network configuration, adversaries can leverage it to gather information about firewall rules and settings. This information can then be used to plan further attacks, such as bypassing firewall restrictions or identifying vulnerable network services. This activity is typically seen during the reconnaissance phase of an attack. The scope of this detection covers any Windows environment where Endpoint Detection and Response (EDR) logs are available.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised system through various means, such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e with specific commands to enumerate firewall rules and configurations (e.g., \u003ccode\u003enetsh firewall show state\u003c/code\u003e, \u003ccode\u003enetsh firewall show config\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enetsh.exe\u003c/code\u003e process retrieves the requested firewall information from the Windows operating system.\u003c/li\u003e\n\u003cli\u003eThe collected firewall information is parsed to identify potential weaknesses or misconfigurations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to modify existing 
firewall rules or create new rules to allow unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the modified firewall configuration to establish a covert communication channel or to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to exfiltrate sensitive data or deploy ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized network access, data exfiltration, or the deployment of ransomware. The enumeration of firewall configurations can provide attackers with valuable insights into the network\u0026rsquo;s security posture, enabling them to bypass security controls and compromise critical assets. This can result in significant financial losses, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Netsh Firewall Discovery\u003c/code\u003e to your SIEM and tune for your environment to detect netsh.exe executions with firewall discovery commands.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging (Event ID 1) to capture the necessary command-line details.\u003c/li\u003e\n\u003cli\u003eInvestigate any identified instances of \u003ccode\u003enetsh.exe\u003c/code\u003e being used to query firewall settings, especially when initiated from unusual processes or user accounts.\u003c/li\u003e\n\u003cli\u003eMonitor parent-child process relationships to identify suspicious process spawning, as highlighted by the \u003ccode\u003eProcesses.parent_process_name\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eReview firewall configurations regularly to identify and remediate any misconfigurations or overly permissive 
rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-netsh-firewall-discovery/","summary":"The analytic detects the execution of the Windows built-in tool netsh.exe to display the state, configuration, and profile of the host firewall, potentially leading to unauthorized network access or data exfiltration.","title":"Windows Netsh Tool Used for Firewall Discovery","url":"https://feed.craftedsignal.io/briefs/2024-01-netsh-firewall-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","persistence","windows","access-control"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis analytic detects the modification of file and directory security permissions through command-line tools like icacls.exe, cacls.exe, and xcacls.exe. These tools are legitimate Windows utilities but are often abused by threat actors, including APT groups and coinminer scripts, to evade detection, maintain persistence, and hinder incident response. The detection focuses on command-line arguments indicating modifications to access rights (e.g., granting full control or modifying permissions). Detecting this activity is crucial as it can lead to unauthorized access, data exfiltration, and system compromise, ultimately impeding remediation efforts and prolonging the attacker\u0026rsquo;s presence on the compromised system. 
The detection leverages endpoint detection and response (EDR) data focusing on process execution and command-line analysis.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the system through methods such as phishing, exploiting vulnerabilities, or compromised credentials.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges to obtain necessary permissions for modifying file and directory access rights. This can be achieved through exploiting system vulnerabilities or using stolen credentials with elevated privileges.\u003c/li\u003e\n\u003cli\u003eTool Deployment: The attacker deploys or utilizes existing system tools like \u003ccode\u003eicacls.exe\u003c/code\u003e, \u003ccode\u003ecacls.exe\u003c/code\u003e, or \u003ccode\u003excacls.exe\u003c/code\u003e to modify access control lists (ACLs) on files and directories.\u003c/li\u003e\n\u003cli\u003eAccess Rights Modification: The attacker uses the deployed tools to modify the ACLs of critical system files or directories, potentially granting themselves full control or restricting access for legitimate users and security software. 
Specific command-line arguments like \u003ccode\u003e*:R*\u003c/code\u003e, \u003ccode\u003e*:W*\u003c/code\u003e, \u003ccode\u003e*:F*\u003c/code\u003e, \u003ccode\u003e*:C*\u003c/code\u003e, \u003ccode\u003e*:N*\u003c/code\u003e, \u003ccode\u003e*/P*\u003c/code\u003e, and \u003ccode\u003e*/E*\u003c/code\u003e are used to manipulate access rights.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: By modifying access rights, the attacker attempts to evade detection by security software and hinders incident response efforts by restricting access to forensic data or security tools.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence by modifying the access rights of startup scripts or registry keys, ensuring that their malicious code executes even after system reboots.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the modified access rights to access files and directories on other systems within the network, facilitating lateral movement and further compromise.\u003c/li\u003e\n\u003cli\u003eImpact: The attacker achieves their final objective, such as data exfiltration, system disruption, or deploying ransomware, by leveraging the modified access rights to access and manipulate sensitive data or critical system resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to persist on the system, evade detection, and potentially move laterally within the network. Modification of file and directory permissions can hinder investigation, impede remediation efforts, and maintain persistent access to the compromised environment. The impact ranges from data theft to complete system compromise and denial of service. 
This activity is often associated with APT groups and coinminer operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the execution of \u003ccode\u003eicacls.exe\u003c/code\u003e, \u003ccode\u003ecacls.exe\u003c/code\u003e, and \u003ccode\u003excacls.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Icacls Usage\u0026rdquo; to your SIEM to identify instances of access right modifications via icacls.exe, cacls.exe, and xcacls.exe.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where these tools are used to modify access rights, especially when command-line arguments include \u003ccode\u003e*:R*\u003c/code\u003e, \u003ccode\u003e*:W*\u003c/code\u003e, \u003ccode\u003e*:F*\u003c/code\u003e, \u003ccode\u003e*:C*\u003c/code\u003e, \u003ccode\u003e*:N*\u003c/code\u003e, \u003ccode\u003e*/P*\u003c/code\u003e, and \u003ccode\u003e*/E*\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Event Log Security (4688) for process creation events to correlate with Sysmon data.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-icacls-access-rights-modification/","summary":"Detection of icacls.exe, cacls.exe, or xcacls.exe being used to modify file or directory permissions, often used by APTs and coinminers for defense evasion and persistence.","title":"Windows Files and Dirs Access Rights Modification via Icacls","url":"https://feed.craftedsignal.io/briefs/2024-01-icacls-access-rights-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Chrome","Splunk Enterprise Security","Splunk Enterprise","Splunk 
Cloud"],"_cs_severities":["high"],"_cs_tags":["credential-access","password-stealing","chrome"],"_cs_type":"advisory","_cs_vendors":["Google","Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting unauthorized access to the Chrome \u0026lsquo;Local State\u0026rsquo; file, a critical component of the Chrome browser that stores settings and, more importantly, the encrypted master key used to protect saved passwords. The \u0026lsquo;Local State\u0026rsquo; file is typically accessed only by the Chrome browser itself. When other processes attempt to read this file, it\u0026rsquo;s a strong indicator of malicious activity, potentially involving credential theft or reconnaissance by malware such as RedLine Stealer. This analytic leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. Detecting and responding to this activity is crucial for preventing attackers from gaining access to sensitive user credentials stored within the Chrome browser.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, often through phishing or exploitation of a software vulnerability (not specified in this advisory).\u003c/li\u003e\n\u003cli\u003eMalware is deployed on the victim machine (e.g., RedLine Stealer).\u003c/li\u003e\n\u003cli\u003eThe malware attempts to locate the Chrome \u0026lsquo;Local State\u0026rsquo; file, typically found at \u003ccode\u003e*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Local State\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malware process accesses the \u0026lsquo;Local State\u0026rsquo; file, triggering a Windows Security Event 4663.\u003c/li\u003e\n\u003cli\u003eThe malware extracts the encrypted master key from the \u0026lsquo;Local State\u0026rsquo; file.\u003c/li\u003e\n\u003cli\u003eThe malware decrypts the master key using attacker-controlled 
methods (the key is DPAPI-protected, so any process running in the victim\u0026rsquo;s user context can unprotect it with standard Windows APIs; no exploit is needed).\u003c/li\u003e\n\u003cli\u003eThe decrypted master key is used to decrypt saved passwords stored by Chrome.\u003c/li\u003e\n\u003cli\u003eThe stolen credentials are exfiltrated to the attacker\u0026rsquo;s command and control server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to steal user credentials stored in the Chrome browser. This can lead to unauthorized access to email accounts, social media profiles, banking websites, and other sensitive online services. The impact could range from identity theft and financial fraud to corporate espionage and data breaches. The number of potential victims depends on the number of systems compromised and the extent of Chrome usage on those systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Object Access\u0026rdquo; in Group Policy and configure auditing for both \u0026ldquo;Success\u0026rdquo; and \u0026ldquo;Failure\u0026rdquo; events to ensure Windows Security Event 4663 is generated for file access, as described in the \u0026ldquo;how_to_implement\u0026rdquo; section. Note that 4663 is only emitted for objects that carry an auditing entry (SACL), so the Chrome User Data files themselves must have one.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Chrome Local State File Access by Non-Chrome Processes\u0026rdquo; to your SIEM to detect unauthorized access attempts (see \u0026ldquo;rules\u0026rdquo; section). 
Tune the rule\u0026rsquo;s filter list to reduce false positives related to legitimate software uninstallers.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the process name and path involved in accessing the \u0026lsquo;Local State\u0026rsquo; file, as described in the rule\u0026rsquo;s description.\u003c/li\u003e\n\u003cli\u003eConsider implementing network egress filtering to prevent exfiltration of stolen credentials to known malicious command and control servers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-chrome-localstate-access/","summary":"Detection of non-Chrome processes accessing the Chrome 'Local State' file, potentially leading to extraction of the master key used for decrypting saved passwords.","title":"Unauthorized Access to Chrome Local State File","url":"https://feed.craftedsignal.io/briefs/2024-01-chrome-localstate-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis threat brief addresses the tactic of executing processes from suspicious file paths within Windows environments, a common technique used by adversaries to bypass security controls and execute malicious code without requiring elevated privileges. This activity is often observed in post-exploitation scenarios, where attackers have already gained initial access and are attempting to establish persistence or escalate their privileges. Attackers often leverage these unconventional locations to avoid detection by traditional security solutions that rely on whitelisting or reputation-based analysis. 
The detection focuses on identifying processes running from paths like \u003ccode\u003e\\Windows\\Fonts\\\u003c/code\u003e, \u003ccode\u003e\\Users\\Public\\\u003c/code\u003e, \u003ccode\u003e\\Windows\\Debug\\\u003c/code\u003e, and others, as these are not typically associated with legitimate software execution. This technique has been associated with malware families like AsyncRAT, RedLine Stealer, and LockBit Ransomware.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through phishing, exploitation of a vulnerability, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or creates a malicious executable or script (e.g., PowerShell script) in a suspicious directory such as \u003ccode\u003eC:\\Windows\\Fonts\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a dropper or loader to execute the malicious file. This can be achieved through various methods, including command-line execution or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe malicious process begins execution from the unusual file path.\u003c/li\u003e\n\u003cli\u003eThe process performs malicious activities, such as downloading additional payloads, establishing command and control (C2) communication, or conducting reconnaissance.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised process to escalate privileges or move laterally within the network.\u003c/li\u003e\n\u003cli\u003eData exfiltration or encryption may occur, depending on the attacker\u0026rsquo;s objectives.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence by creating scheduled tasks or modifying registry keys to ensure the malicious process restarts upon system reboot.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of malicious code from unusual file paths can lead to a variety of negative impacts, including 
system compromise, data theft, and ransomware infection. Organizations may experience data breaches, financial losses, and reputational damage. The references indicate this technique is associated with various malware families, including information stealers, remote access trojans (RATs), and ransomware, affecting numerous organizations across different sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging (Event ID 4688 or Sysmon Event ID 1) to capture process execution events, including the process path, command line, and parent process information to enable the rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Process Executing from Common Non-Executable Paths\u0026rdquo; to your SIEM to detect processes running from unusual file paths. Tune the rule to filter out any legitimate exceptions in your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, paying close attention to the process name, command line, and parent process.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized software in your environment.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious outbound connections originating from processes running from unusual file paths.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-suspicious-process-path/","summary":"Attackers may execute malicious code from unusual file paths such as Windows fonts or debug directories to evade defenses and gain unauthorized access, as detected by endpoint detection and response (EDR) agents.","title":"Suspicious Process Execution from Unusual File 
Paths","url":"https://feed.craftedsignal.io/briefs/2024-01-03-suspicious-process-path/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["schtasks","scheduled-task","persistence","execution"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis analytic detects the execution of Windows Scheduled Tasks on demand using the \u003ccode\u003eschtasks.exe\u003c/code\u003e utility. The detection focuses on identifying \u003ccode\u003eschtasks.exe\u003c/code\u003e being executed with the \u003ccode\u003erun\u003c/code\u003e command, which is often used by adversaries to force the execution of previously created scheduled tasks. This activity is significant because attackers frequently leverage scheduled tasks for persistent access, privilege escalation, or lateral movement within a compromised network. Detecting this behavior can help defenders identify and respond to malicious activity before it leads to further compromise. 
The technique has been associated with various threat actors and malware families including Qakbot, XMRig, and Medusa Ransomware as well as campaigns such as CISA AA22-257A and Industroyer2.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means (e.g., exploiting a vulnerability, phishing).\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating a new scheduled task using \u003ccode\u003eschtasks.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eschtasks.exe\u003c/code\u003e with the \u003ccode\u003erun\u003c/code\u003e command to trigger the malicious scheduled task on demand.\u003c/li\u003e\n\u003cli\u003eThe scheduled task executes a malicious payload, such as a script or executable.\u003c/li\u003e\n\u003cli\u003eThe payload may perform various malicious actions, such as downloading additional malware, escalating privileges, or gathering sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems on the network by creating and running scheduled tasks remotely.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to disable security controls or evade detection by modifying existing scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or system disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to persistent access, lateral movement, and privilege escalation within the compromised environment. 
Attackers can use this technique to maintain a foothold on the system, spread malware to other systems on the network, and ultimately achieve their objectives, such as data theft, ransomware deployment, or disruption of critical services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect the execution of \u003ccode\u003eschtasks.exe\u003c/code\u003e with the \u003ccode\u003erun\u003c/code\u003e command, tuning it to exclude known legitimate uses.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u003ccode\u003eschtasks.exe\u003c/code\u003e execution with the \u003ccode\u003erun\u003c/code\u003e command to determine if they are malicious.\u003c/li\u003e\n\u003cli\u003eMonitor process execution data for unusual or unexpected processes being launched by scheduled tasks.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and regularly review and audit scheduled tasks to prevent unauthorized modifications or creations.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging (Event ID 1) to capture detailed information about process executions, including command-line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-schtasks-on-demand/","summary":"Detection of on-demand execution of Windows Scheduled Tasks via the schtasks.exe command-line utility, a common technique for persistence and lateral movement.","title":"Schtasks Run Task On Demand","url":"https://feed.craftedsignal.io/briefs/2024-01-03-schtasks-on-demand/"},{"_cs_actors":["Remcos","njRAT"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk 
Cloud"],"_cs_severities":["high"],"_cs_tags":["lolbin","dll-loading","regsvr32"],"_cs_type":"threat","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on the abuse of \u003ccode\u003eregsvr32.exe\u003c/code\u003e, a legitimate Microsoft Windows utility, to load and execute malicious DLLs. Attackers, including those using Remote Access Trojans (RATs) like Remcos and njRAT, leverage \u003ccode\u003eregsvr32.exe\u003c/code\u003e with the \u003ccode\u003e/s\u003c/code\u003e (silent) parameter and the \u003ccode\u003e/i\u003c/code\u003e switch, which makes regsvr32 call the DLL\u0026rsquo;s \u003ccode\u003eDllInstall\u003c/code\u003e export (in addition to \u003ccode\u003eDllRegisterServer\u003c/code\u003e unless \u003ccode\u003e/n\u003c/code\u003e is also given). The activity is observed by analyzing process command-line arguments and parent process details from Endpoint Detection and Response (EDR) agents. This technique allows attackers to bypass application whitelisting and execute arbitrary code, maintain persistence, and compromise the system further. The detection described was published in splunk-escu on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access via an unknown vector (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker deploys a malicious DLL on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003eregsvr32.exe\u003c/code\u003e with the \u003ccode\u003e/s\u003c/code\u003e (silent) and \u003ccode\u003e/i\u003c/code\u003e switches, for example: \u003ccode\u003eregsvr32.exe /s /i:DLLInstall \u0026lt;malicious_dll_path\u0026gt;\u003c/code\u003e. Whatever follows \u003ccode\u003e/i:\u003c/code\u003e is passed to \u003ccode\u003eDllInstall\u003c/code\u003e as its string argument; the literal value does not matter to the detection.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eRegsvr32.exe\u003c/code\u003e loads the specified DLL.\u003c/li\u003e\n\u003cli\u003eThe DLLInstall function within the DLL executes, performing malicious actions. 
This could involve installing services, modifying registry keys, or injecting code into other processes.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence through registry modifications or scheduled tasks created by the DLL.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the system, potentially installing additional malware or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft, system disruption, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can allow attackers to execute arbitrary code, bypass application whitelisting, and establish persistence on compromised systems. This can lead to data theft, system disruption, or ransomware deployment. The affected systems can be remotely controlled by the attacker, enabling further lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRegsvr32 Silent and Install Param Dll Loading\u003c/code\u003e to detect instances of \u003ccode\u003eregsvr32.exe\u003c/code\u003e being used with the \u003ccode\u003e/s\u003c/code\u003e and \u003ccode\u003e/i\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) and Windows Event Log Security Auditing (Event ID 4688) to capture the necessary process and command-line information.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003eregsvr32.exe\u003c/code\u003e execution with the silent and DLLInstall parameters, paying close attention to the parent process and the DLL being loaded.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of \u003ccode\u003eregsvr32.exe\u003c/code\u003e or other LOLBins from untrusted 
locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-regsvr32-dll-loading/","summary":"Detection of regsvr32.exe being used with the silent and DLL install parameter to load a DLL, a technique used by RATs like Remcos and njRAT to execute arbitrary code.","title":"Regsvr32 Silent and Install Parameter DLL Loading","url":"https://feed.craftedsignal.io/briefs/2024-01-03-regsvr32-dll-loading/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Secure Firewall Threat Defense","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Secure Access Firewall"],"_cs_severities":["high"],"_cs_tags":["network","smb","lateral-movement","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Cisco","Splunk"],"content_html":"\u003cp\u003eThis detection identifies outbound Server Message Block (SMB) traffic from internal hosts to external servers. The activity is identified by monitoring network traffic for SMB requests directed towards the Internet, an unusual occurrence in standard operations. This analytic is crucial for Security Operations Centers (SOCs) as it can signal an attacker\u0026rsquo;s attempt to retrieve credential hashes via compromised internal systems, a critical step in lateral movement and privilege escalation. 
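The four process-creation briefs above (access-rights changes via icacls/cacls/xcacls, execution from non-executable paths, schtasks run on demand, and regsvr32 silent DLL loading) all reduce to tests on the image path and command line of a Sysmon Event ID 1 or Security 4688 record. The following is an added example, not code from the briefs or from Splunk/Sigma, that re-implements those four tests in plain Python and runs them over constructed sample events. Field names follow Sysmon (Image, CommandLine, ParentImage); the events are invented for the example.

```python
"""Process-creation rule checks for the four briefs above.

Added example, not code from the briefs or from Splunk/Sigma. It re-implements
the icacls/cacls/xcacls access-rights rule, the non-executable-path rule, the
schtasks /Run rule and the regsvr32 /s /i rule as plain Python over Sysmon
Event ID 1 (or Security 4688 with command-line auditing) style records.
Field names follow Sysmon (Image, CommandLine, ParentImage); the events below
are constructed for this example.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Directories the "unusual file path" brief names; lower-case, single backslashes.
SUSPICIOUS_DIRS = ("\\windows\\fonts\\", "\\users\\public\\", "\\windows\\debug\\")
# The icacls brief's Splunk wildcards (*:R*, *:W*, ... */E*) are plain substrings.
ICACLS_TOKENS = (":r", ":w", ":f", ":c", ":n", "/p", "/e")


def image_name(event: Event) -> str:
    """File name of the executable, whatever directory it ran from."""
    return event.get("Image", "").rsplit("\\", 1)[-1].lower()


def rule_icacls_rights_change(event: Event) -> bool:
    if image_name(event) not in ("icacls.exe", "cacls.exe", "xcacls.exe"):
        return False
    cmd = event.get("CommandLine", "").lower()
    return any(tok in cmd for tok in ICACLS_TOKENS)


def rule_suspicious_exec_path(event: Event) -> bool:
    # Match on the image path, not the command line: the point is where the
    # binary lives, not which files it was given as arguments.
    image = event.get("Image", "").lower()
    return any(d in image for d in SUSPICIOUS_DIRS)


def rule_schtasks_run(event: Event) -> bool:
    # schtasks accepts /Run in any case and any option order.
    if image_name(event) != "schtasks.exe":
        return False
    return re.search(r"(^|\s)/run(\s|$)", event.get("CommandLine", ""), re.I) is not None


def rule_regsvr32_silent_install(event: Event) -> bool:
    # Both /s and /i (with or without ":cmdline") must be present; regsvr32
    # also accepts "-" as the switch character.
    if image_name(event) != "regsvr32.exe":
        return False
    cmd = event.get("CommandLine", "")
    has_s = re.search(r"(^|\s)[/-]s(\s|$)", cmd, re.I)
    has_i = re.search(r"(^|\s)[/-]i(:|\s|$)", cmd, re.I)
    return bool(has_s and has_i)


RULES: Dict[str, Callable[[Event], bool]] = {
    "icacls_rights_change": rule_icacls_rights_change,
    "suspicious_exec_path": rule_suspicious_exec_path,
    "schtasks_run_on_demand": rule_schtasks_run,
    "regsvr32_silent_install": rule_regsvr32_silent_install,
}


def evaluate(events: List[Event]) -> List[Tuple[str, str]]:
    """(rule name, Image) for every rule that fires on every event, in input order."""
    return [(name, ev.get("Image", ""))
            for ev in events
            for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry; the last record is a benign regsvr32 registration.
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r"icacls.exe C:\Users\Public\x.exe /grant Everyone:F",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\Fonts\svchost.exe",
     "CommandLine": r"C:\Windows\Fonts\svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Run /TN "Updater"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /i:install C:\Users\Public\load.dll",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe "C:\Program Files\Vendor\legit.dll"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
]

if __name__ == "__main__":
    for name, image in evaluate(SAMPLE_EVENTS):
        print(f"{name:24s} {image}")
```

The icacls tokens are deliberately kept as loose substrings to mirror the source's wildcards; in production you would tighten `:C` and `/E` or add a parent-process condition, since installer scripts legitimately run `icacls` with these grants.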
The source mentions specific relevance to \u0026ldquo;Hidden Cobra Malware\u0026rdquo;, \u0026ldquo;DHS Report TA18-074A\u0026rdquo;, and \u0026ldquo;NOBELIUM Group\u0026rdquo;, suggesting possible connections to these threat actors or campaigns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn internal host is compromised through an initial access vector (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to enumerate network resources accessible from the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages SMB to connect to external servers, typically on ports 139 or 445.\u003c/li\u003e\n\u003cli\u003eThe SMB connection attempts to authenticate or negotiate with the external server.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to exploit vulnerabilities in the SMB protocol or server.\u003c/li\u003e\n\u003cli\u003eBecause the Windows SMB client authenticates automatically with NTLM, the attacker\u0026rsquo;s server captures the NetNTLM challenge-response, which can be cracked offline, or relays it to another service that accepts it.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the captured credentials to move laterally to other systems or escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful abuse of outbound SMB traffic can lead to unauthorized access to sensitive data and full system compromise. Lateral movement and privilege escalation are key goals. Confirmed malicious SMB traffic could enable attackers to move through the network, potentially impacting numerous systems and leading to significant data breaches. 
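The outbound SMB detection reduces to three conditions on a flow record: the source is internal, the destination port is SMB, and the destination is in no range categorized as internal, minus whatever the filter macro allows. The block below is an added example, not the brief's Splunk search or Sigma rule; it encodes those conditions with the standard library and runs them over constructed flows. The internal CIDRs, the allow-listed external server (203.0.113.10) and the flow records are all invented for the example.

```python
"""Outbound SMB detection over flow records.

Added example; it is not the brief's Splunk search or Sigma rule. It encodes
the same logic: TCP from a host in a range categorised as internal to port
445 (or 139 for the NetBIOS session service) on a host that is in no internal
range, minus an explicit allow-list standing in for the
detect_outbound_smb_traffic_filter macro. The CIDRs, allow-list and flows
are constructed for the example.
"""
import ipaddress
from typing import Dict, Iterable, List, Union

Flow = Dict[str, Union[str, int]]

# Assumption: the ranges the asset inventory labels "internal". A range missing
# here is the brief's main false-positive source, so keep this list current.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7",
)]
# Assumption: business-approved external SMB endpoints (e.g. a partner file server).
ALLOWED_EXTERNAL_SMB = {ipaddress.ip_address("203.0.113.10")}
SMB_PORTS = {445, 139}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_link_local:
        return True
    # An IPv4 address is never "in" an IPv6 network and vice versa.
    return any(addr in net for net in INTERNAL_NETS)


def is_outbound_smb(flow: Flow) -> bool:
    """True for a TCP flow from an internal source to an SMB port on an external destination."""
    if str(flow.get("transport", "tcp")).lower() != "tcp":
        return False
    if int(flow["dest_port"]) not in SMB_PORTS:
        return False
    src, dst = str(flow["src_ip"]), str(flow["dest_ip"])
    if not is_internal(src) or is_internal(dst):
        return False
    return ipaddress.ip_address(dst) not in ALLOWED_EXTERNAL_SMB


def find_outbound_smb(flows: Iterable[Flow]) -> List[Flow]:
    return [f for f in flows if is_outbound_smb(f)]


# Constructed flow records (src_ip, dest_ip, dest_port, transport).
SAMPLE_FLOWS: List[Flow] = [
    {"src_ip": "10.1.2.3", "dest_ip": "198.51.100.7", "dest_port": 445, "transport": "tcp"},     # alert
    {"src_ip": "10.1.2.3", "dest_ip": "10.1.2.4", "dest_port": 445, "transport": "tcp"},         # internal share
    {"src_ip": "10.1.2.3", "dest_ip": "203.0.113.10", "dest_port": 445, "transport": "tcp"},     # allow-listed
    {"src_ip": "192.168.1.5", "dest_ip": "198.51.100.8", "dest_port": 139, "transport": "tcp"},  # alert (NetBIOS)
    {"src_ip": "10.1.2.3", "dest_ip": "198.51.100.9", "dest_port": 443, "transport": "tcp"},     # HTTPS, ignore
    {"src_ip": "198.51.100.20", "dest_ip": "10.1.2.3", "dest_port": 445, "transport": "tcp"},    # inbound, ignore
]

if __name__ == "__main__":
    for f in find_outbound_smb(SAMPLE_FLOWS):
        print(f"outbound SMB {f['src_ip']} -> {f['dest_ip']}:{f['dest_port']}")
```

Treat the allow-list as a documented exception list, not a tuning knob: every entry in it is a host to which your clients will hand an NTLM challenge-response on request.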
While the number of victims isn\u0026rsquo;t specified, the detection\u0026rsquo;s relevance to known threat actors suggests potentially widespread impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eOutbound SMB Traffic Detected\u003c/code\u003e to your SIEM and tune it for your environment, using the provided positive and negative test cases to ensure accurate detection.\u003c/li\u003e\n\u003cli\u003eInvestigate and block any detected outbound SMB connections that are not explicitly authorized by legitimate business needs (reference \u003ccode\u003edetect_outbound_smb_traffic_filter\u003c/code\u003e macro in the original search).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict internal hosts from directly accessing external SMB services.\u003c/li\u003e\n\u003cli\u003eEnforce strong password policies and multi-factor authentication to mitigate the impact of credential theft.\u003c/li\u003e\n\u003cli\u003eCategorize internal CIDR blocks as \u003ccode\u003einternal\u003c/code\u003e in your asset management system to reduce false positives (reference \u0026ldquo;known_false_positives\u0026rdquo; section).\u003c/li\u003e\n\u003cli\u003eConsider blocking external communications of all SMB versions and related protocols at the network boundary.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-outbound-smb/","summary":"This analytic detects outbound SMB connections from internal hosts to external servers, potentially indicating lateral movement and credential theft attempts.","title":"Outbound SMB Traffic Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-outbound-smb/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Chrome","Splunk Enterprise","Splunk Enterprise Security","Splunk 
Cloud"],"_cs_severities":["high"],"_cs_tags":["credential-access","password-stealing","windows"],"_cs_type":"advisory","_cs_vendors":["Google","Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting unauthorized access to Chrome\u0026rsquo;s \u0026ldquo;Login Data\u0026rdquo; file, a local SQLite database that stores user credentials. Attackers, after gaining initial access to a Windows system, may attempt to steal these credentials by directly accessing and parsing this file. The \u0026ldquo;Login Data\u0026rdquo; file contains sensitive information, including usernames, passwords, and URLs. The technique is commonly associated with credential-stealing malware families like RedLine Stealer, DarkGate, and others listed below. Successful exploitation allows attackers to harvest credentials for lateral movement and further compromise. This detection is based on Windows Security Event logs, specifically event ID 4663, which records attempts to access objects like files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system, potentially through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious executable or script on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe malicious process attempts to access the Chrome \u0026ldquo;Login Data\u0026rdquo; file, typically located at \u003ccode\u003e*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eWindows Security Event Log generates an event with EventCode 4663, recording the file access attempt.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s process reads the \u0026ldquo;Login Data\u0026rdquo; SQLite database.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts and potentially decrypts stored usernames and passwords from the \u0026ldquo;Login 
Data\u0026rdquo; file.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials for lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised Chrome \u0026ldquo;Login Data\u0026rdquo; files can lead to widespread credential theft, granting attackers unauthorized access to numerous online accounts. Depending on the user\u0026rsquo;s browsing habits and password reuse, this can include access to sensitive corporate resources, financial accounts, and personal email. The impact can range from financial loss to significant data breaches and reputational damage. The references section in the original source mentions Redline Stealer which is used in various attacks, indicating a potentially large number of victims across different sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Object Access\u0026rdquo; in Group Policy and configure auditing for both \u0026ldquo;Success\u0026rdquo; and \u0026ldquo;Failure\u0026rdquo; events to generate Windows Security Event 4663, as described in the \u0026ldquo;how_to_implement\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eChrome Login Data Accessed by Non-Browser Process\u003c/code\u003e to your SIEM and tune the \u003ccode\u003eprocess_path\u003c/code\u003e filter to exclude legitimate software in your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eChrome Login Data Accessed by Non-Browser Process\u003c/code\u003e Sigma rule to determine if credential theft has occurred and remediate any affected 
accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-chrome-login-data-access/","summary":"This analytic identifies non-Chrome processes accessing the Chrome user data file 'login data', which is an SQLite database containing sensitive information like saved passwords, potentially leading to credential theft.","title":"Non-Chrome Process Accessing Chrome Login Data","url":"https://feed.craftedsignal.io/briefs/2024-01-chrome-login-data-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["telegram","command-and-control","dns","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis alert identifies systems querying the Telegram API domain (api.telegram.org) using processes other than the legitimate Telegram application. Threat actors frequently leverage Telegram bots for C2, due to their ease of use, encryption, and widespread availability. Malware can use these bots to receive commands, exfiltrate data, or perform other malicious activities. Detecting DNS queries for Telegram\u0026rsquo;s API from unexpected processes can uncover compromised systems or unauthorized use of Telegram for covert communication. 
The detection focuses on non-standard Telegram clients resolving the api.telegram.org domain to filter out legitimate Telegram application traffic and focus on suspicious processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user inadvertently downloads and executes a malicious payload (e.g., via phishing or drive-by download).\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence on the system (e.g., via registry keys or scheduled tasks).\u003c/li\u003e\n\u003cli\u003eThe malware initiates a DNS query to resolve api.telegram.org to identify the Telegram API server IP address.\u003c/li\u003e\n\u003cli\u003eThe malware establishes a communication channel with a Telegram bot controlled by the attacker using the resolved IP address.\u003c/li\u003e\n\u003cli\u003eThe attacker sends commands to the bot, which are relayed to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe malware executes the received commands, potentially including data exfiltration or further malicious actions.\u003c/li\u003e\n\u003cli\u003eThe malware exfiltrates sensitive data to the attacker via the Telegram bot.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access and control over the compromised system via the Telegram bot.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems can be remotely controlled by attackers, leading to data theft, system disruption, or further propagation of malware within the network. The use of Telegram bots enables covert communication, making it difficult to detect malicious activity using traditional methods. Multiple threat actors employ Telegram-based C2, including those associated with information stealers, keyloggers, and crypto-mining malware. 
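The Telegram rule's only moving part is the exclusion of the legitimate client. The block below is an added example, not the brief's Sigma rule, and it adds one point the brief does not make: exclude the real Telegram Desktop by its full install path rather than by file name, because a dropper can simply call itself Telegram.exe. The install paths (per-user under %APPDATA%\Telegram Desktop and machine-wide under Program Files) and the Sysmon Event ID 22 records are assumptions constructed for the example.

```python
"""Sysmon Event ID 22 (DnsQuery) triage for api.telegram.org.

Added example, not the brief's Sigma rule. Beyond the brief's logic it
shows why the legitimate client must be excluded by full install path and
not by file name: a dropper is free to call itself Telegram.exe. The install
paths and the sample events are constructed; Telegram Desktop's default
per-user location is assumed to be %APPDATA%\\Telegram Desktop\\Telegram.exe.
"""
import re
from typing import Dict, List

Event = Dict[str, str]

TELEGRAM_API = "api.telegram.org"
# Assumed sanctioned client locations (per-user and machine-wide installs).
LEGIT_TELEGRAM_IMAGE = re.compile(
    r"^(?:c:\\users\\[^\\]+\\appdata\\roaming\\telegram desktop\\telegram\.exe"
    r"|c:\\program files\\telegram desktop\\telegram\.exe)$",
    re.IGNORECASE,
)


def normalise_fqdn(name: str) -> str:
    # DNS names are case-insensitive and may be logged with a trailing dot.
    return name.strip().rstrip(".").lower()


def is_suspicious_telegram_query(event: Event) -> bool:
    if event.get("EventID", "22") != "22":
        return False
    if normalise_fqdn(event.get("QueryName", "")) != TELEGRAM_API:
        return False
    return LEGIT_TELEGRAM_IMAGE.match(event.get("Image", "")) is None


def triage(events: List[Event]) -> List[str]:
    """Images of processes that resolved the Telegram API and are not the real client."""
    return [e["Image"] for e in events if is_suspicious_telegram_query(e)]


# Constructed Sysmon EID 22 records.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "22", "Image": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "QueryName": "api.telegram.org"},                         # real client: excluded
    {"EventID": "22", "Image": r"C:\Users\alice\AppData\Local\Temp\Telegram.exe",
     "QueryName": "api.telegram.org."},                        # same file name, wrong place
    {"EventID": "22", "Image": r"C:\Users\alice\Downloads\invoice.exe",
     "QueryName": "API.Telegram.org"},                         # case differs in the log
    {"EventID": "22", "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "web.telegram.org"},                         # not the bot API host
]

if __name__ == "__main__":
    for image in triage(SAMPLE_EVENTS):
        print("suspicious Telegram API query from", image)
```

If the environment has no sanctioned Telegram client at all, drop the exclusion entirely; any resolution of api.telegram.org is then worth a look.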
A successful attack can lead to significant data breaches and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Telegram DNS Queries\u003c/code\u003e to your SIEM to identify processes making DNS queries to the Telegram API (api.telegram.org) other than the legitimate Telegram application.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the process execution history, network connections, and related system activity.\u003c/li\u003e\n\u003cli\u003eBlock the domain \u003ccode\u003eapi.telegram.org\u003c/code\u003e at the DNS resolver or firewall to prevent compromised systems from communicating with Telegram bots, unless legitimate business use requires it.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 22 (DNS Query) logging to capture DNS query events on endpoints.\u003c/li\u003e\n\u003cli\u003eSysmon only emits Event ID 22 from version 10.0 onward; the \u0026ldquo;6.0.4\u0026rdquo; requirement in the source refers to the Splunk Add-on for Sysmon (TA) that parses these events, not to Sysmon itself.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-telegram-dns-query/","summary":"Detection of a process making DNS queries to the Telegram API domain, which is indicative of malware utilizing Telegram bots for command and control (C2) communications.","title":"Suspicious DNS Queries to Telegram API by Non-Telegram Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-03-telegram-dns-query/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["powershell","environment-variable","invoke-expression","execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly leveraging PowerShell to execute malicious code embedded within environment 
variables. This method involves storing commands or encoded content in environment variables and then using \u003ccode\u003eInvoke-Expression\u003c/code\u003e (or its alias \u003ccode\u003eiex\u003c/code\u003e) to dynamically construct and execute code at runtime. This tactic is employed to evade traditional static analysis techniques and conceal the true intent of the executed code. Observed in malware loaders and stagers, including those associated with the VIP Keylogger campaign, this technique is a significant threat. Defenders should be aware of this trend and implement appropriate detection mechanisms. The focus is on identifying PowerShell scripts that combine environment variable access (\u003ccode\u003e$env:\u003c/code\u003e) with \u003ccode\u003eInvoke-Expression\u003c/code\u003e or its aliases, based on PowerShell Script Block Logging (Event ID 4104).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, possibly through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003ePowerShell is invoked, either directly or indirectly, via a script or another process.\u003c/li\u003e\n\u003cli\u003eThe attacker sets an environment variable containing malicious code or a command. 
This might involve using \u003ccode\u003e[Environment]::SetEnvironmentVariable\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA PowerShell script is executed that reads the content of the environment variable using \u003ccode\u003e$env:\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe content read from the environment variable is passed to \u003ccode\u003eInvoke-Expression\u003c/code\u003e or its alias \u003ccode\u003eiex\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eInvoke-Expression\u003c/code\u003e dynamically executes the code, effectively bypassing static analysis.\u003c/li\u003e\n\u003cli\u003eThe executed code downloads and executes a secondary payload, such as a keylogger or a remote access tool.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as stealing credentials or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary code on the compromised system, allowing attackers to install malware, steal sensitive data, or establish a persistent foothold. The VIP Keylogger campaign, for example, demonstrates how this technique can be used to harvest user credentials. Due to the obfuscated nature of this attack, it is difficult to detect and remediate, often leading to extended dwell time for the attacker. Compromised systems can be further used as a launchpad for attacks against other systems within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (Event ID 4104) on all Windows systems to capture the de-obfuscated script blocks before execution.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect PowerShell scripts that access environment variables and use \u003ccode\u003eInvoke-Expression\u003c/code\u003e or its aliases. 
Tune these rules to your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules to determine if malicious activity is occurring.\u003c/li\u003e\n\u003cli\u003eMonitor PowerShell execution for suspicious environment variable access and dynamic code execution.\u003c/li\u003e\n\u003cli\u003eImplement application control to prevent the execution of unauthorized PowerShell scripts.\u003c/li\u003e\n\u003cli\u003eReview and harden PowerShell execution policies to limit the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-powershell-env-var-execution/","summary":"Adversaries use PowerShell to execute malicious code stored in environment variables, leveraging Invoke-Expression or its aliases to bypass static analysis and execute payloads dynamically, as seen in malware loaders and stagers like the VIP Keylogger.","title":"PowerShell Execution via Environment Variables","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-env-var-execution/"},{"_cs_actors":["FIN7","Carbon Spider","Sangria Tempest"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["credential-access","threat-type","windows"],"_cs_type":"threat","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis alert detects non-Chrome processes accessing the Chrome user data directory, a common tactic used by malware and threat actors to steal sensitive information. This activity is detected using Windows Security Event logs, specifically event ID 4663. The Chrome default folder contains sensitive user data, including login credentials, browsing history, and cookies. This makes it a prime target for attackers aiming to harvest credentials or gain access to user accounts. 
The detection is designed to identify unauthorized access attempts by processes not typically associated with Chrome. This behavior is often linked to Remote Access Trojans (RATs), trojans, and advanced persistent threats (APTs) like FIN7, known for their focus on financial theft and data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eMalware gains initial access to the system, potentially through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence on the system.\u003c/li\u003e\n\u003cli\u003eThe malware identifies the location of the Chrome user data directory.\u003c/li\u003e\n\u003cli\u003eThe malware attempts to access files within the Chrome user data directory, triggering Windows Security Event 4663.\u003c/li\u003e\n\u003cli\u003eThe malware copies or exfiltrates sensitive data from the Chrome directory, such as login credentials and cookies.\u003c/li\u003e\n\u003cli\u003eThe malware may use stolen credentials to access other systems or services.\u003c/li\u003e\n\u003cli\u003eThe attacker uses compromised accounts to perform unauthorized actions or move laterally within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can result in the theft of sensitive user data, including login credentials, browsing history, and cookies. This data can be used to compromise user accounts, steal financial information, or gain unauthorized access to other systems and services. Multiple analytic stories relate this behavior to credential stealers, RATs, and APTs. 
Victims may experience financial losses, identity theft, or reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Object Access\u0026rdquo; in Group Policy and configure auditing for both success and failure events as described in the \u0026ldquo;how_to_implement\u0026rdquo; section to ensure Event ID 4663 is captured.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eNon Chrome Process Accessing Chrome Default Dir\u003c/code\u003e to your SIEM to detect unauthorized access attempts to Chrome user data directories.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the \u003ccode\u003eProcessName\u003c/code\u003e and \u003ccode\u003eObjectName\u003c/code\u003e to understand the context of the access as noted in the search query.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-chrome-default-dir-access/","summary":"Detection of non-Chrome processes accessing the Chrome user data directory, potentially indicating credential theft or data exfiltration attempts by malware such as RATs or APT groups.","title":"Non-Chrome Process Accessing Chrome Default Directory","url":"https://feed.craftedsignal.io/briefs/2024-01-03-chrome-default-dir-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["persistence","privilege-escalation","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis brief focuses on the malicious modification of the \u003ccode\u003eUserInitMprLogonScript\u003c/code\u003e registry entry, a tactic frequently employed by attackers to achieve persistence and escalate privileges on compromised systems. 
This technique involves altering the registry to ensure that malicious payloads are automatically executed each time the system boots, enabling attackers to maintain persistent access and potentially gain elevated privileges. The original Splunk analytic was published on 2026-04-29 and leverages the Endpoint.Registry data model, making it crucial to have adequate data ingestion from systems monitoring registry events. This technique is attractive to both APT groups and malware operators because it provides a reliable mechanism to automatically execute code within a targeted environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through methods such as exploiting vulnerabilities or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain sufficient access to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eUserInitMprLogonScript\u003c/code\u003e registry key under \u003ccode\u003eHKCU\u003c/code\u003e or \u003ccode\u003eHKLM\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eregistry_value_data\u003c/code\u003e is changed to point to a malicious script or executable.\u003c/li\u003e\n\u003cli\u003eThe system is rebooted, or a user logs in.\u003c/li\u003e\n\u003cli\u003eThe operating system executes the script or executable specified in the modified \u003ccode\u003eUserInitMprLogonScript\u003c/code\u003e registry entry.\u003c/li\u003e\n\u003cli\u003eThe malicious payload executes, allowing the attacker to establish persistence, install malware, or perform other malicious actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish persistent access to the compromised system. 
This can lead to data exfiltration, further compromise of the network, or the deployment of ransomware. The modification of the \u003ccode\u003eUserInitMprLogonScript\u003c/code\u003e registry entry can be used to execute malicious code every time a user logs in, making it difficult to eradicate the attacker\u0026rsquo;s presence without proper detection and remediation. This technique enables adversaries to maintain long-term control over the affected system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon EventID 13 (registry events) with appropriate filtering to monitor changes to the \u003ccode\u003eUserInitMprLogonScript\u003c/code\u003e registry key (data_source).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eLogon Script Registry Modification\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any modifications to the \u003ccode\u003eUserInitMprLogonScript\u003c/code\u003e registry key for unexpected executables or scripts.\u003c/li\u003e\n\u003cli\u003eCorrelate suspicious registry modifications with other endpoint activity, such as network connections or process creation, to identify potential malicious behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-logon-script-registry-modification/","summary":"This brief details the detection of UserInitMprLogonScript registry entry modifications, a technique employed by threat actors for persistence and privilege escalation by ensuring payloads execute automatically at system startup.","title":"Logon Script Registry Modification for Persistence and Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2024-01-03-logon-script-registry-modification/"},{"_cs_actors":["Braodo Stealer"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk 
Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["stealc-stealer","crypto-stealer","braodo-stealer","apt37","hellcat-ransomware","vip-keylogger","screen-capture","malware"],"_cs_type":"threat","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThe Braodo stealer malware is known for capturing screenshots of a victim\u0026rsquo;s desktop as part of its data theft activities. This malware, often distributed through malicious campaigns, targets sensitive information by creating image files of the user\u0026rsquo;s active screen. These screenshots are typically saved in directories that are easily accessible and commonly used by malware, such as temporary folders. This technique allows attackers to gather credentials, financial information, or other confidential data displayed on the screen. The stealer has been observed in campaigns originating from Vietnam, targeting users in the United States with malware, fraud, and dropshipping schemes. Detecting and responding to these types of screen capture attempts is crucial for preventing sensitive data from being compromised and exfiltrated.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user unknowingly downloads and executes a malicious file, potentially delivered through a phishing email or drive-by download.\u003c/li\u003e\n\u003cli\u003eThe Braodo stealer malware is executed on the victim\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003eThe malware begins capturing screenshots of the victim\u0026rsquo;s desktop using Windows APIs.\u003c/li\u003e\n\u003cli\u003eThe screenshots are saved as .png, .jpg, or .bmp files.\u003c/li\u003e\n\u003cli\u003eThe files are saved in the user\u0026rsquo;s TEMP directory (e.g., C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\).\u003c/li\u003e\n\u003cli\u003eThe malware may compress or encrypt the captured screenshots.\u003c/li\u003e\n\u003cli\u003eThe malware 
exfiltrates the captured data to a command-and-control server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive information displayed on the victim\u0026rsquo;s screen, such as credentials or financial data, and uses it for malicious purposes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the theft of sensitive information, including credentials, financial data, and personally identifiable information (PII). This can result in financial loss, identity theft, and reputational damage for the victim. The Braodo stealer has been observed targeting users in the United States, indicating a broad scope of potential victims. The malware\u0026rsquo;s ability to capture screenshots allows attackers to bypass multi-factor authentication and other security measures that rely on information displayed on the screen.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (FileCreate) logging to monitor file creation events on endpoints (required for the Sigma rules below).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Screen Capture Files Created in TEMP Directory\u003c/code\u003e to identify potential screen capture activity in temporary directories.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on processes creating image files in the TEMP directory.\u003c/li\u003e\n\u003cli\u003eReview and update endpoint security policies to prevent the execution of malware from temporary directories.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious outbound connections from processes creating screen capture files (T1071).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-braodo-screen-capture/","summary":"This 
analytic detects the creation of screen capture files in the TEMP directory, specifically targeting activity associated with the Braodo stealer malware, which captures screenshots of the victim's desktop as part of its data theft activities.","title":"Braodo Stealer Screen Capture in TEMP Directory","url":"https://feed.craftedsignal.io/briefs/2024-01-03-braodo-screen-capture/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["powershell","wmi","reconnaissance","lateral_movement","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis brief focuses on detecting reconnaissance activities performed through PowerShell using WMI queries. Adversaries often use WMI to gather detailed information about a compromised system, including hardware specifications, operating system details, and installed software. This information can be used to plan further attacks, such as privilege escalation or lateral movement. This detection leverages PowerShell Script Block Logging (EventCode 4104) to identify specific WMI queries that target system information classes like \u003ccode\u003eWin32_Bios\u003c/code\u003e, \u003ccode\u003eWin32_OperatingSystem\u003c/code\u003e, \u003ccode\u003eWin32_Processor\u003c/code\u003e and others. Identifying this behavior early can help defenders disrupt attack chains before significant damage occurs. 
The analytic is based on the detection logic from the Splunk Security Content project as of April 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, potentially through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script, either directly or via a command-line interpreter like \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script uses the \u003ccode\u003eGet-WmiObject\u003c/code\u003e cmdlet or a direct WMI query with \u003ccode\u003eSELECT\u003c/code\u003e to query system information.\u003c/li\u003e\n\u003cli\u003eSpecific WMI classes are targeted, including \u003ccode\u003eWin32_Bios\u003c/code\u003e, \u003ccode\u003eWin32_OperatingSystem\u003c/code\u003e, \u003ccode\u003eWin32_Processor\u003c/code\u003e, \u003ccode\u003eWin32_ComputerSystem\u003c/code\u003e, \u003ccode\u003eWin32_PnPEntity\u003c/code\u003e, \u003ccode\u003eWin32_ShadowCopy\u003c/code\u003e, \u003ccode\u003eWin32_DiskDrive\u003c/code\u003e, \u003ccode\u003eWin32_PhysicalMemory\u003c/code\u003e, \u003ccode\u003eWin32_BaseBoard\u003c/code\u003e, and \u003ccode\u003eWin32_DisplayConfiguration\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script collects the data returned by the WMI queries.\u003c/li\u003e\n\u003cli\u003eThe gathered information is used to profile the system and identify potential vulnerabilities or weaknesses.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to plan subsequent stages of the attack, like lateral movement or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker executes further commands based on the gathered information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful reconnaissance can provide attackers with a comprehensive understanding of the 
target environment, enabling them to tailor their attacks for maximum impact. This can lead to successful privilege escalation, lateral movement, data exfiltration, or ransomware deployment. Organizations that fail to detect and prevent reconnaissance activities are at a higher risk of experiencing significant data breaches and financial losses. The Maze ransomware group, Industroyer2, and LockBit ransomware have been observed using similar reconnaissance techniques.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging on all endpoints to capture the necessary data for detection (\u003ca href=\"https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.\"\u003ePowerShell Script Block Logging 4104\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious WMI Reconnaissance via PowerShell\u003c/code\u003e to identify PowerShell scripts querying sensitive WMI classes.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the user and process context to determine potential malicious intent.\u003c/li\u003e\n\u003cli\u003eReview and tune the \u003ccode\u003eRecon Using WMI Class\u003c/code\u003e detection filter (\u003ccode\u003erecon_using_wmi_class_filter\u003c/code\u003e) to reduce false positives in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-wmi-reconnaissance/","summary":"Detection of suspicious PowerShell activity using Windows Management Instrumentation (WMI) to gather system information, indicative of reconnaissance efforts by adversaries potentially leading to further exploitation or lateral movement.","title":"Suspicious PowerShell 
Reconnaissance via WMI Queries","url":"https://feed.craftedsignal.io/briefs/2024-01-wmi-reconnaissance/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Cisco Secure Access Firewall","Palo Alto Network Traffic"],"_cs_severities":["medium"],"_cs_tags":["network-traffic","command-and-control","data-exfiltration"],"_cs_type":"advisory","_cs_vendors":["Splunk","Cisco","Palo Alto"],"content_html":"\u003cp\u003eThis detection focuses on identifying anomalous ICMP (Internet Control Message Protocol) traffic indicative of malicious activity. ICMP is typically used for network diagnostics but can be abused for covert communication, data exfiltration, or command-and-control (C2) by threat actors. This analytic identifies ICMP traffic exceeding 1,000 bytes directed toward external IP addresses, filtering out internal networks. The detection logic leverages the Network_Traffic data model. Validated malicious instances may signal ICMP tunneling, unauthorized data transfer, or compromised endpoints. 
The data sources for this analytic include Palo Alto Network Traffic and Cisco Secure Access Firewall logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a host within the network.\u003c/li\u003e\n\u003cli\u003eThe compromised host initiates ICMP traffic to an external IP address.\u003c/li\u003e\n\u003cli\u003eThe ICMP traffic exceeds 1000 bytes, evading default network monitoring thresholds.\u003c/li\u003e\n\u003cli\u003eThe attacker uses ICMP to tunnel data, bypassing normal data transfer protocols.\u003c/li\u003e\n\u003cli\u003eThe compromised host uses ICMP for command and control, receiving instructions from the external attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a covert communication channel using ICMP, masking their activity within normal network traffic.\u003c/li\u003e\n\u003cli\u003eSensitive data is exfiltrated via ICMP packets to the attacker-controlled external server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation through large ICMP traffic can lead to data breaches, unauthorized access to internal resources, and the establishment of persistent command and control within the network. ICMP tunneling can bypass traditional security measures, allowing attackers to operate undetected. 
The impact of successful exploitation includes the potential compromise of sensitive data, disruption of network services, and financial loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Large ICMP Traffic\u003c/code\u003e to your SIEM and tune the byte threshold (currently 1000 bytes) based on your network baseline to minimize false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eDetect Large ICMP Traffic\u003c/code\u003e rule, focusing on the source and destination IPs involved.\u003c/li\u003e\n\u003cli\u003eExamine network traffic logs for patterns indicative of ICMP tunneling or covert communication channels, using the provided data sources.\u003c/li\u003e\n\u003cli\u003eUtilize the provided search \u003ccode\u003eView the detection results\u003c/code\u003e to review related events and potential lateral movement.\u003c/li\u003e\n\u003cli\u003eImplement the provided search \u003ccode\u003eView risk events\u003c/code\u003e to look at risk factors for the involved assets.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-large-icmp-traffic/","summary":"This analytic identifies excessive ICMP traffic to external IP addresses exceeding 1,000 bytes, potentially indicating command and control activity, data exfiltration, or covert communication channels.","title":"Large ICMP Traffic Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-large-icmp-traffic/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","IIS"],"_cs_severities":["high"],"_cs_tags":["iis","logging","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis detection identifies the use of 
\u003ccode\u003eAppCmd.exe\u003c/code\u003e to disable HTTP logging on Internet Information Services (IIS) servers. The technique is significant as adversaries can use it to erase traces of their malicious activities. The detection focuses on process execution events logged by Endpoint Detection and Response (EDR) agents. By disabling HTTP logging, attackers can operate undetected, making it difficult to trace their actions and respond effectively to intrusions. The references indicate this technique has been observed in campaigns attributed to threat actors like OilRig, where IIS backdoors are used.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the system via exploitation of a vulnerability or compromised credentials.\u003c/li\u003e\n\u003cli\u003eAttacker gains a foothold on the IIS server.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003eappcmd.exe\u003c/code\u003e to modify IIS settings.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eappcmd.exe\u003c/code\u003e is executed with parameters to disable HTTP logging, such as \u003ccode\u003ehttplogging\u003c/code\u003e or \u003ccode\u003edontlog:true\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe command modifies the IIS configuration, preventing HTTP request logs from being recorded.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions on the compromised server (e.g., web shell deployment, data theft).\u003c/li\u003e\n\u003cli\u003eWith HTTP logging disabled, the attacker\u0026rsquo;s activities are not recorded in standard IIS logs, hindering forensic analysis.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence and continues to exploit the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack can lead to a significant reduction in visibility into attacker activities on IIS servers. 
The lack of HTTP logs hinders incident response efforts, making it difficult to identify the scope and nature of the compromise. This could lead to prolonged attacker presence, further data exfiltration, or deployment of malicious software. This technique is a common step to evade defenses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect IIS HTTP Logging Disabled via AppCmd.exe\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture command-line arguments of \u003ccode\u003eappcmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for \u003ccode\u003eappcmd.exe\u003c/code\u003e with command-line arguments related to \u003ccode\u003ehttplogging\u003c/code\u003e or \u003ccode\u003edontlog:true\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003eappcmd.exe\u003c/code\u003e being executed by non-administrator accounts or unusual parent processes.\u003c/li\u003e\n\u003cli\u003eReview IIS configuration regularly for any unauthorized changes to HTTP logging settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-01T00:00:00Z","date_published":"2024-01-01T00:00:00Z","id":"/briefs/2024-01-disable-iis-logging/","summary":"This analytic detects the use of AppCmd.exe to disable HTTP logging on IIS servers, allowing adversaries to evade detection by removing evidence of their actions.","title":"Detection of IIS HTTP Logging Disabled via AppCmd.exe","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-iis-logging/"}],"language":"en","title":"CraftedSignal Threat Feed — Splunk Cloud","version":"https://jsonfeed.org/version/1.1"}