{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/symantec-endpoint-protection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Endpoint Defense","Windows Defender Advanced Threat Protection","Symantec Endpoint Protection","Endpoint Security","AVDefender","Optics","Padvish AV"],"_cs_severities":["high"],"_cs_tags":["credential-access","regback","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Sophos","Microsoft","Trend Micro","Symantec","Bitdefender","N-able Technologies","Cylance","McAfee","Padvish"],"content_html":"\u003cp\u003eThis detection identifies suspicious attempts to access registry backup hives (SAM, SECURITY, and SYSTEM) located in the \u003ccode\u003eRegBack\u003c/code\u003e folder on Windows systems. These hives contain sensitive credential material, making them attractive targets for attackers seeking to compromise system security. The detection logic focuses on file access events, specifically successful file opens, while excluding known benign processes such as \u003ccode\u003etaskhostw.exe\u003c/code\u003e and various AV/EDR solutions (SophosScanCoordinator.exe, MsSense.exe, ccSvcHst.exe, etc.) to minimize false positives. The rule is designed to provide defenders with high-fidelity alerts when unauthorized access to these critical registry hives is detected. The scope includes any Windows system where endpoint file access logging is enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to access the \u003ccode\u003eSAM\u003c/code\u003e, \u003ccode\u003eSECURITY\u003c/code\u003e, or \u003ccode\u003eSYSTEM\u003c/code\u003e registry hives located in the \u003ccode\u003eC:\\\\Windows\\\\System32\\\\config\\\\RegBack\\\\\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a tool or script to open one or more of these registry hives. This could involve using built-in Windows utilities, scripting languages, or custom-developed tools.\u003c/li\u003e\n\u003cli\u003eIf the attacker successfully opens the \u003ccode\u003eSAM\u003c/code\u003e and \u003ccode\u003eSYSTEM\u003c/code\u003e hives, they can extract user account credentials, including usernames, password hashes, and other sensitive information. The \u003ccode\u003eSECURITY\u003c/code\u003e hive is also useful.\u003c/li\u003e\n\u003cli\u003eThe attacker may stage the registry hive files by copying them to a different location on the system for further analysis or exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker uses credential dumping tools (e.g., Mimikatz, secretsdump.py) or custom scripts to extract credentials from the staged registry hives.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the extracted credentials to escalate privileges, move laterally within the network, or access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe final objective is typically to gain unauthorized access to critical systems, steal sensitive data, or establish long-term persistence within the compromised environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can lead to the compromise of user account credentials, enabling attackers to escalate privileges, move laterally within the network, and gain unauthorized access to sensitive data. The impact can range from data breaches and financial losses to reputational damage and disruption of critical business operations. The number of victims can vary depending on the scope of the attacker\u0026rsquo;s activities and the security posture of the targeted organization. Sectors commonly targeted include finance, healthcare, government, and critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable file access monitoring for the \u003ccode\u003eC:\\\\Windows\\\\System32\\\\config\\\\RegBack\\\\\u003c/code\u003e directory to capture file open events.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRegistry Hive Access via RegBack\u003c/code\u003e to your SIEM and tune the exclusions based on your environment.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eprocess_creation\u003c/code\u003e events for unusual processes accessing files in \u003ccode\u003eC:\\\\Windows\\\\System32\\\\config\\\\RegBack\\\\\u003c/code\u003e, using the rule \u003ccode\u003eSuspicious Process Accessing RegBack Hives\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging and file creation to activate the rules above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-02T12:00:00Z","date_published":"2024-07-02T12:00:00Z","id":"/briefs/2024-07-regback-hive-access/","summary":"This rule detects attempts to access registry backup hives (SAM, SECURITY, SYSTEM) via RegBack on Windows systems, which can contain or enable access to credential material.","title":"Suspicious Registry Hive Access via RegBack","url":"https://feed.craftedsignal.io/briefs/2024-07-regback-hive-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["EdgeWebView","Acrobat DC","AMP","Symantec Endpoint Protection","Malwarebytes Anti-Exploit"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cisco","Adobe","Symantec","Malwarebytes"],"content_html":"\u003cp\u003eThis detection identifies suspicious process access events on Windows systems where a process attempts to access another process\u0026rsquo;s memory via direct system calls, bypassing standard Windows API calls. Endpoint security solutions often hook userland Windows APIs to detect malicious code execution. Attackers can evade these hooks by directly invoking syscalls, which are lower-level instructions that interact directly with the operating system kernel. The rule specifically looks for process access events (Sysmon Event ID 10) where the call trace does not originate from known Windows system DLLs like ntdll.dll, indicating a potential attempt to bypass security measures. The rule excludes certain legitimate applications, such as Malwarebytes Anti-Exploit, Cisco AMP, Microsoft EdgeWebView, and Adobe Acrobat DC, to reduce false positives. This technique is often employed by advanced malware and red teams to evade detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious process is executed on the system, either through user interaction or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe process attempts to gain access to another process\u0026rsquo;s memory space (Target Process).\u003c/li\u003e\n\u003cli\u003eInstead of using standard Windows API calls, the malicious process directly invokes system calls (syscalls) to access the target process\u0026rsquo;s memory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eCallTrace\u003c/code\u003e in the Sysmon event does not originate from expected system DLLs like \u003ccode\u003entdll.dll\u003c/code\u003e, \u003ccode\u003esysfer.dll\u003c/code\u003e, \u003ccode\u003ewow64cpu.dll\u003c/code\u003e, \u003ccode\u003ewow64win.dll\u003c/code\u003e, or \u003ccode\u003ewin32u.dll\u003c/code\u003e, indicating a direct syscall.\u003c/li\u003e\n\u003cli\u003eThe process might attempt to read sensitive information such as credentials, inject malicious code, or manipulate the target process\u0026rsquo;s behavior.\u003c/li\u003e\n\u003cli\u003eThe malicious process performs actions within the context of the target process, such as executing injected code or accessing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised process to achieve their objectives, such as data exfiltration, lateral movement, or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker cleans up any traces of their activity and attempts to maintain persistence on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of sensitive data, the injection of malicious code into legitimate processes, and the complete takeover of the affected system. This can result in data breaches, financial loss, and reputational damage. The impact is especially significant if the target process holds sensitive credentials, browser secrets, or has security-product context.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process access logging (Event ID 10) with call tracing and ingest the logs into your SIEM to activate the rules above (\u003ca href=\"https://ela.st/sysmon-event-10-setup\"\u003ehttps://ela.st/sysmon-event-10-setup\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM and tune them for your environment to detect direct syscall process access.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the \u003ccode\u003eSourceImage\u003c/code\u003e, \u003ccode\u003eTargetImage\u003c/code\u003e, \u003ccode\u003eGrantedAccess\u003c/code\u003e, and \u003ccode\u003eCallTrace\u003c/code\u003e fields in the Sysmon event to determine the legitimacy of the process access attempt.\u003c/li\u003e\n\u003cli\u003ePrioritize investigation of alerts where the target process is \u003ccode\u003elsass.exe\u003c/code\u003e or other security-sensitive processes.\u003c/li\u003e\n\u003cli\u003eImplement robust endpoint detection and response (EDR) solutions to detect and prevent malicious activity on endpoints.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious process creation events originating from the flagged processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-direct-syscall-process-access/","summary":"Detects suspicious process access events where the call trace does not originate from known Windows system DLLs, indicating potential defense evasion by bypassing hooked APIs via direct syscalls.","title":"Suspicious Process Access via Direct System Call","url":"https://feed.craftedsignal.io/briefs/2024-01-direct-syscall-process-access/"}],"language":"en","title":"CraftedSignal Threat Feed — Symantec Endpoint Protection","version":"https://jsonfeed.org/version/1.1"}