{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/sysmon-event-id-11---file-create/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","Elastic Endgame","Sysmon Event ID 11 - File Create"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","windows","managed code","lolbin"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies suspicious managed code hosting processes on Windows systems. Attackers may leverage processes like \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003ewmic.exe\u003c/code\u003e, \u003ccode\u003esvchost.exe\u003c/code\u003e, \u003ccode\u003edllhost.exe\u003c/code\u003e, \u003ccode\u003ecmstp.exe\u003c/code\u003e, and \u003ccode\u003eregsvr32.exe\u003c/code\u003e to execute malicious code, often bypassing traditional security controls. These processes can be abused to load and execute .NET assemblies or other managed code components. The detection focuses on identifying unusual file creation events associated with these processes which could indicate an attacker is attempting to leverage these processes for malicious purposes. This activity might be indicative of code injection, defense evasion, or other suspicious code execution techniques. The rule uses EQL to search for file events associated with specific processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through a phishing email or compromised software.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a LOLBin such as \u003ccode\u003emshta.exe\u003c/code\u003e or \u003ccode\u003eregsvr32.exe\u003c/code\u003e to bypass application control.\u003c/li\u003e\n\u003cli\u003eThe LOLBin executes a malicious script or loads a malicious DLL from a user-writable location.\u003c/li\u003e\n\u003cli\u003eThe malicious script or DLL performs reconnaissance activities, such as gathering system information or enumerating network resources.\u003c/li\u003e\n\u003cli\u003eThe attacker then attempts to escalate privileges by exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised process to download and execute additional malware.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence on the system through scheduled tasks or registry modifications.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement within the network, compromising additional systems and exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to compromise systems, steal sensitive data, and establish persistence. The use of LOLBins can bypass application control, making detection more challenging. Depending on the scope of the attack, this could result in significant financial losses, reputational damage, and disruption of business operations. This is a high-severity finding due to the potential for attackers to gain full control over affected systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon file creation logging (Event ID 11) to collect the necessary data for this detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Managed Code Hosting Process\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the file paths, process command lines, and parent processes involved.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected file creation events associated with processes like \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, and \u003ccode\u003emshta.exe\u003c/code\u003e in user-writable directories.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of LOLBins and other potentially malicious processes.\u003c/li\u003e\n\u003cli\u003eCorrelate the detection with other security events to identify related malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-29-suspicious-managedcode-hosting/","summary":"This rule detects suspicious managed code hosting processes on Windows systems, potentially indicating code injection or defense evasion tactics by monitoring file events associated with processes commonly used to host managed code, such as wscript.exe, cscript.exe, and mshta.exe.","title":"Suspicious Managed Code Hosting Process","url":"https://feed.craftedsignal.io/briefs/2024-01-29-suspicious-managedcode-hosting/"}],"language":"en","title":"CraftedSignal Threat Feed — Sysmon Event ID 11 - File Create","version":"https://jsonfeed.org/version/1.1"}