Sysmon Event ID 11 - File Create — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/sysmon-event-id-11---file-create/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 29 Jan 2024 12:00:00 +0000Suspicious Managed Code Hosting Processhttps://feed.craftedsignal.io/briefs/2024-01-29-suspicious-managedcode-hosting/Mon, 29 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-29-suspicious-managedcode-hosting/This rule detects suspicious managed code hosting processes on Windows systems, potentially indicating code injection or defense evasion tactics by monitoring file events associated with processes commonly used to host managed code, such as wscript.exe, cscript.exe, and mshta.exe.This detection identifies suspicious managed code hosting processes on Windows systems. Attackers may leverage processes like wscript.exe, cscript.exe, mshta.exe, wmic.exe, svchost.exe, dllhost.exe, cmstp.exe, and regsvr32.exe to execute malicious code, often bypassing traditional security controls. These processes can be abused to load and execute .NET assemblies or other managed code components. The detection focuses on identifying unusual file creation events associated with these processes which could indicate an attacker is attempting to leverage these processes for malicious purposes. This activity might be indicative of code injection, defense evasion, or other suspicious code execution techniques. The rule uses EQL to search for file events associated with specific processes.

Attack Chain

  1. An attacker gains initial access to the system through a phishing email or compromised software.
  2. The attacker uses a LOLBin such as mshta.exe or regsvr32.exe to bypass application control.
  3. The LOLBin executes a malicious script or loads a malicious DLL from a user-writable location.
  4. The malicious script or DLL performs reconnaissance activities, such as gathering system information or enumerating network resources.
  5. The attacker then attempts to escalate privileges by exploiting a vulnerability or using stolen credentials.
  6. The attacker uses the compromised process to download and execute additional malware.
  7. The malware establishes persistence on the system through scheduled tasks or registry modifications.
  8. The attacker performs lateral movement within the network, compromising additional systems and exfiltrating sensitive data.

Impact

Successful exploitation can lead to arbitrary code execution, allowing attackers to compromise systems, steal sensitive data, and establish persistence. The use of LOLBins can bypass application control, making detection more challenging. Depending on the scope of the attack, this could result in significant financial losses, reputational damage, and disruption of business operations. This is a high-severity finding due to the potential for attackers to gain full control over affected systems.

Recommendation

  • Enable Sysmon file creation logging (Event ID 11) to collect the necessary data for this detection.
  • Deploy the Sigma rule “Suspicious Managed Code Hosting Process” to your SIEM and tune for your environment.
  • Investigate any alerts generated by this rule, focusing on the file paths, process command lines, and parent processes involved.
  • Monitor for unexpected file creation events associated with processes like wscript.exe, cscript.exe, and mshta.exe in user-writable directories.
  • Implement application control policies to restrict the execution of LOLBins and other potentially malicious processes.
  • Correlate the detection with other security events to identify related malicious activity.
]]>highadvisorydefense-evasionwindowsmanaged codelolbin