{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/sysmon/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","Sysmon","Crowdstrike","SentinelOne Cloud Funnel","Elastic Endgame"],"_cs_severities":["medium"],"_cs_tags":["powershell","malware","execution"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies the execution of PowerShell with suspicious argument values on Windows systems. This behavior is frequently associated with malware installation and other malicious activities. PowerShell is a powerful scripting language, and adversaries often exploit its capabilities to execute malicious scripts, download payloads, and obfuscate commands. The rule focuses on detecting patterns such as encoded commands, suspicious downloads (e.g., using WebClient or Invoke-WebRequest), and various obfuscation techniques used to evade detection. The rule is designed to work with various data sources, including Elastic Defend, Windows Security Event Logs, Sysmon, and third-party EDR solutions like CrowdStrike, Microsoft Defender XDR, and SentinelOne, enhancing its applicability across different environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell to download a malicious payload from a remote server using commands like \u003ccode\u003eDownloadFile\u003c/code\u003e or \u003ccode\u003eDownloadString\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is often encoded or obfuscated to evade detection. 
Common techniques include Base64 encoding, character manipulation, and compression.\u003c/li\u003e\n\u003cli\u003ePowerShell is then used to decode or deobfuscate the payload using methods like \u003ccode\u003e[Convert]::FromBase64String\u003c/code\u003e or \u003ccode\u003e[char[]](...) -join ''\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe deobfuscated payload is executed directly in memory using techniques like \u003ccode\u003eiex\u003c/code\u003e (Invoke-Expression) or \u003ccode\u003eReflection.Assembly.Load\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe executed payload performs malicious actions, such as installing malware, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker may use techniques like \u003ccode\u003eWebClient\u003c/code\u003e to download files from a remote URL.\u003c/li\u003e\n\u003cli\u003eCommands like \u003ccode\u003enslookup -q=txt\u003c/code\u003e are used for command and control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to malware installation, data theft, system compromise, and further propagation of the attack within the network. The detection of suspicious PowerShell arguments helps to identify and prevent these malicious activities before significant damage can occur. Without proper detection, attackers can maintain persistence, escalate privileges, and compromise sensitive data. 
The rule helps defenders identify and respond to these threats quickly, minimizing the impact of potential attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious PowerShell activity.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with command line arguments to ensure the necessary data is captured for the Sigma rules to function effectively.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules to determine the legitimacy of the PowerShell activity and take appropriate remediation steps.\u003c/li\u003e\n\u003cli\u003eContinuously tune the Sigma rules based on your environment to reduce false positives and improve detection accuracy.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-09-susp-powershell-args/","summary":"This rule identifies the execution of PowerShell with suspicious argument values, often observed during malware installation, by detecting unusual PowerShell arguments indicative of abuse, focusing on patterns like encoded commands, suspicious downloads, and obfuscation techniques.","title":"Suspicious Windows PowerShell Arguments Detected","url":"https://feed.craftedsignal.io/briefs/2024-09-susp-powershell-args/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike","SentinelOne Cloud Funnel","Sysmon","Windows Security Event Logs"],"_cs_severities":["medium"],"_cs_tags":["lolbas","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThe Windows command line debugging utility, cdb.exe, is a legitimate tool used for debugging applications. 
However, adversaries can exploit it to execute unauthorized commands or shellcode, bypassing security measures. This can be achieved by running cdb.exe from non-standard installation paths and using specific command-line arguments to execute malicious commands. The LOLBAS project documents this technique, highlighting its potential for defense evasion. This activity has been observed across various environments, necessitating detection strategies that focus on identifying anomalous executions of cdb.exe.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker copies cdb.exe to a non-standard location (outside \u0026ldquo;Program Files\u0026rdquo; and \u0026ldquo;Program Files (x86)\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker executes cdb.exe with the \u003ccode\u003e-cf\u003c/code\u003e, \u003ccode\u003e-c\u003c/code\u003e, or \u003ccode\u003e-pd\u003c/code\u003e command-line arguments.\u003c/li\u003e\n\u003cli\u003eThese arguments are used to specify a command file or execute a direct command.\u003c/li\u003e\n\u003cli\u003eThe command file or command directly executes malicious code, such as shellcode.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs actions such as creating new processes, modifying files, or establishing network connections.\u003c/li\u003e\n\u003cli\u003eThese actions allow the attacker to maintain persistence or escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is to evade defenses and execute arbitrary code on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows adversaries to execute arbitrary commands and shellcode on the affected system, potentially leading to complete system compromise. 
This can result in data theft, installation of malware, or further propagation within the network. The technique is effective at bypassing application whitelisting and other security controls that rely on standard execution paths.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Execution via Windows Command Debugging Utility\u0026rdquo; to your SIEM to detect suspicious cdb.exe executions (see rules section).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging via Sysmon or Windows Security Event Logs to provide the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent execution of cdb.exe from non-standard paths.\u003c/li\u003e\n\u003cli\u003eMonitor process command lines for the \u003ccode\u003e-cf\u003c/code\u003e, \u003ccode\u003e-c\u003c/code\u003e, and \u003ccode\u003e-pd\u003c/code\u003e flags when cdb.exe is executed.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of cdb.exe running from unusual directories to determine legitimacy.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-07-cdb-execution/","summary":"Adversaries can abuse the Windows command line debugging utility cdb.exe to execute commands or shellcode from non-standard paths, evading traditional security measures.","title":"Suspicious Execution via Windows Command Debugging Utility","url":"https://feed.craftedsignal.io/briefs/2024-07-cdb-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Sysmon","Elastic Defend","SentinelOne Cloud Funnel","CrowdStrike Falcon"],"_cs_severities":["medium"],"_cs_tags":["initial-access","rdp","phishing","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers are increasingly using 
malicious Remote Desktop Protocol (RDP) files to gain initial access to systems. These RDP files, often delivered via spearphishing attachments, contain connection settings that, when opened, can compromise a system. This technique allows adversaries to bypass traditional security measures by leveraging a legitimate tool (mstsc.exe) with a malicious configuration file. The observed activity involves opening RDP files from suspicious locations like Downloads, temporary folders (AppData\\Local\\Temp), and Outlook content cache (INetCache\\Content.Outlook). This campaign has been observed as recently as October 2024, where Midnight Blizzard conducted large-scale spear-phishing using RDP files. Defenders should monitor for the execution of mstsc.exe with RDP files from untrusted locations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a spearphishing email containing a malicious RDP file as an attachment.\u003c/li\u003e\n\u003cli\u003eThe victim receives the email and, lured by social engineering, downloads the attached RDP file to a local directory, often the Downloads folder.\u003c/li\u003e\n\u003cli\u003eThe victim double-clicks the RDP file, initiating the execution of \u003ccode\u003emstsc.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emstsc.exe\u003c/code\u003e reads the connection settings from the RDP file, which may include malicious configurations such as altered gateway settings or credential theft mechanisms.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emstsc.exe\u003c/code\u003e attempts to establish a remote desktop connection based on the RDP file\u0026rsquo;s settings.\u003c/li\u003e\n\u003cli\u003eIf the connection is successful, the attacker gains unauthorized access to the remote system.\u003c/li\u003e\n\u003cli\u003eThe attacker may then perform reconnaissance, move laterally, and escalate privileges within the compromised 
network.\u003c/li\u003e\n\u003cli\u003eThe final objective could be data exfiltration, ransomware deployment, or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using malicious RDP files can lead to unauthorized access to sensitive systems and data. The consequences range from data breaches and financial loss to complete system compromise and disruption of operations. The Microsoft Security blog reported a large-scale spear-phishing campaign utilizing RDP files as recently as October 2024. The targets may be across various sectors, with potentially widespread impact depending on the attacker\u0026rsquo;s objectives and the scope of the compromised network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRemote Desktop File Opened from Suspicious Path\u003c/code\u003e to your SIEM and tune for your environment, focusing on the specified file paths and \u003ccode\u003emstsc.exe\u003c/code\u003e execution.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments to capture the execution of \u003ccode\u003emstsc.exe\u003c/code\u003e and the paths of the RDP files being opened.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks associated with opening RDP files from untrusted sources, particularly those received as email attachments.\u003c/li\u003e\n\u003cli\u003eImplement strict email filtering to block or quarantine emails with RDP attachments from external sources.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for unusual RDP traffic originating from systems where suspicious RDP files were executed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-11-rdp-file-attachment/","summary":"Adversaries may abuse RDP files delivered via 
phishing from suspicious locations to gain unauthorized access to systems.","title":"Remote Desktop File Opened from Suspicious Path","url":"https://feed.craftedsignal.io/briefs/2024-11-rdp-file-attachment/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","Sysmon","Visual Studio Code"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","vscode","remote-access-tools","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","GitHub","Elastic"],"content_html":"\u003cp\u003eThis detection focuses on identifying the misuse of Visual Studio Code\u0026rsquo;s (VScode) remote tunnel feature to establish unauthorized access or control over systems. While the VScode remote tunnel feature is designed to allow developers to connect to remote environments seamlessly, attackers can abuse this functionality for malicious purposes. The rule specifically looks for the execution of the VScode portable binary with the \u0026ldquo;tunnel\u0026rdquo; command-line option, which is indicative of an attempt to establish a remote tunnel session to either GitHub or a remote VScode instance. Successful exploitation can lead to command and control capabilities, allowing attackers to remotely manage and compromise the affected system. 
The rule aims to detect this suspicious behavior by monitoring process execution and command-line arguments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker downloads a portable version of Visual Studio Code (VScode) onto the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the VScode binary with the \u003ccode\u003etunnel\u003c/code\u003e command-line argument to initiate a remote tunnel session.\u003c/li\u003e\n\u003cli\u003eThe attacker specifies additional arguments such as \u003ccode\u003e--accept-server-license-terms\u003c/code\u003e to bypass license agreement prompts.\u003c/li\u003e\n\u003cli\u003eThe VScode tunnel attempts to establish a connection to a remote server, potentially a GitHub repository or a remote VScode instance controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eIf successful, the tunnel creates a persistent connection, allowing the attacker to execute commands and transfer files.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established tunnel to remotely access the compromised system, enabling them to perform malicious activities such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access through the established tunnel, allowing for long-term command and control of the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish a persistent command and control channel, enabling them to remotely manage the compromised system. This can lead to data theft, deployment of ransomware, or further lateral movement within the network. 
While the number of potential victims and specific sectors targeted are not explicitly stated, the widespread use of VScode makes a wide range of organizations vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Attempt to Establish VScode Remote Tunnel\u0026rdquo; rule to detect suspicious VScode tunnel activity in your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to capture the necessary process execution data.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the rule, focusing on the command-line arguments and process behaviors to confirm malicious intent.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from VScode processes for unusual or unauthorized connections to external servers.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate uses of VScode\u0026rsquo;s tunnel feature by authorized developers to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-09-vscode-tunnel/","summary":"The rule detects the execution of the VScode portable binary with the tunnel command line option, potentially indicating an attempt to establish a remote tunnel session to Github or a remote VScode instance for unauthorized access and command and control.","title":"Detection of VScode Remote Tunneling for Command and Control","url":"https://feed.craftedsignal.io/briefs/2024-09-vscode-tunnel/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend","Windows Defender Application Control","Crowdstrike FDR","Sysmon"],"_cs_severities":["high"],"_cs_tags":["wdac","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers are 
increasingly targeting Windows Defender Application Control (WDAC) to disable or weaken endpoint defenses. By crafting malicious WDAC policies, adversaries can block legitimate security software and evade detection. This technique involves creating WDAC policy files (.p7b or .cip) in protected system directories using unauthorized processes. The activity often occurs when attackers have already gained a foothold in the system and are attempting to solidify their position. Successful deployment of a malicious WDAC policy can significantly hinder incident response and allow malware to operate undetected. This tactic has gained traction since late 2024, with offensive tools like Krueger demonstrating the potential for weaponizing WDAC against EDR solutions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the system through methods such as phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker escalates privileges to gain administrative access, which is required to modify WDAC policies.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Creation:\u003c/strong\u003e The attacker crafts a malicious WDAC policy using tools or scripts. 
This policy is designed to block specific security products or processes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStaging:\u003c/strong\u003e The malicious policy is staged in a temporary location on the system, often within user-writable directories.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Placement:\u003c/strong\u003e The attacker moves the malicious WDAC policy file (.p7b or .cip) to a protected system directory, such as \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\\u003c/code\u003e or \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\CiPolicies\\Active\\\u003c/code\u003e. The tool used may be a Living-off-the-Land Binary (LOLBin) or a custom .NET assembly.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eActivation:\u003c/strong\u003e The attacker triggers the activation of the new WDAC policy, which often requires a system reboot or the use of a service control utility.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e Once the policy is active, the targeted security products are blocked, allowing the attacker to operate with reduced risk of detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Objectives:\u003c/strong\u003e With defenses weakened, the attacker can move laterally within the network, exfiltrate data, or achieve other objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack targeting WDAC can severely impair an organization\u0026rsquo;s ability to detect and respond to threats. By blocking security software, attackers can operate with impunity, leading to data breaches, financial losses, and reputational damage. Observed damage includes disabled endpoint detection and response (EDR) solutions, allowing ransomware and other malware to execute without interference. 
The scope of impact can range from individual workstations to entire domains, depending on the breadth of the WDAC policy deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;WDAC Policy File by an Unusual Process\u0026rdquo; Sigma rule to your SIEM to detect unauthorized WDAC policy modifications.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events with extensions .p7b and .cip in \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\\u003c/code\u003e and \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\CiPolicies\\Active\\\u003c/code\u003e directories, specifically filtering for processes other than \u003ccode\u003epoqexec.exe\u003c/code\u003e, \u003ccode\u003eTiWorker.exe\u003c/code\u003e, and \u003ccode\u003eomadmclient.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) logging to capture file creation events and provide the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies on WDAC policy directories to prevent unauthorized modification.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T12:00:00Z","date_published":"2024-11-02T12:00:00Z","id":"/briefs/2024-11-wdac-policy-evasion/","summary":"Adversaries may use a specially crafted Windows Defender Application Control (WDAC) policy to restrict the execution of security products, detected by unusual process creation of WDAC policy files.","title":"WDAC Policy File Creation by Unusual Process","url":"https://feed.craftedsignal.io/briefs/2024-11-wdac-policy-evasion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Sysmon","Windows 
Installer"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","msiexec"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne","Microsoft"],"content_html":"\u003cp\u003eAdversaries may abuse the Windows Installer service (msiexec.exe) to proxy the execution of malicious payloads, effectively bypassing application control and other security mechanisms. This technique, known as \u0026ldquo;Msiexec\u0026rdquo; proxy execution (T1218.007), involves using msiexec.exe to execute malicious DLLs or scripts. The detection focuses on identifying child processes spawned by MsiExec, particularly those exhibiting network activity. This behavior is atypical for legitimate software installations and updates, making it a strong indicator of potential malicious use. Defenders should be aware of this technique as it allows attackers to blend in with legitimate system processes. The Elastic detection rule, updated on 2026-05-04, aims to identify this suspicious activity across multiple data sources including Elastic Defend, Sysmon, and SentinelOne.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system through an exploit or social engineering.\u003c/li\u003e\n\u003cli\u003eAttacker leverages msiexec.exe to execute a malicious MSI package with a \u003ccode\u003e/v\u003c/code\u003e parameter, commonly used to pass verbose logging options, potentially hiding malicious commands.\u003c/li\u003e\n\u003cli\u003eThe malicious MSI package contains custom actions that execute arbitrary code.\u003c/li\u003e\n\u003cli\u003eMsiexec.exe spawns a child process (e.g., powershell.exe, cmd.exe, or another executable) to carry out malicious actions.\u003c/li\u003e\n\u003cli\u003eThe child process establishes a network connection to an external server or performs DNS lookups, possibly for command and control (C2) communication or to download additional 
payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the network connection to download and execute further tools or scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe final objective could be data exfiltration, ransomware deployment, or persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass application control and execute arbitrary code on the system. This can lead to malware installation, data theft, or complete system compromise. While the exact number of victims is not specified in the provided source, the technique can be applied across various sectors. The impact can range from individual workstation compromises to large-scale breaches affecting entire organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMsiExec Child Process with Unusual Executable and Network Connection\u003c/code\u003e to detect suspicious msiexec.exe child processes initiating network connections based on unusual executable paths.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) and network connection logging (Event ID 3) to provide the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rules, focusing on the process tree, command-line arguments, and network destinations.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate software installations and automated deployment tools that use MsiExec and require network access to minimize false positives, as detailed in the \u0026ldquo;False positive analysis\u0026rdquo; section of the source 
material.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-26T12:00:00Z","date_published":"2024-10-26T12:00:00Z","id":"/briefs/2024-10-msiexec-network-connection/","summary":"Detection of MsiExec spawning child processes that initiate network connections, potentially indicating abuse of Windows Installers for malware delivery and defense evasion.","title":"MsiExec Child Process Spawning Network Connections for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-10-msiexec-network-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike FDR","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["credential-access","windows","wbadmin","ntds.dit"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies the execution of \u003ccode\u003ewbadmin.exe\u003c/code\u003e with arguments indicative of an attempt to access and dump the NTDS.dit file from a Windows domain controller. Attackers with sufficient privileges, specifically those belonging to groups like Backup Operators, can abuse the legitimate \u003ccode\u003ewbadmin.exe\u003c/code\u003e utility to create a backup of the Active Directory database (NTDS.dit). This file contains sensitive credential information, and once obtained, attackers can extract password hashes and compromise the entire domain. This activity is often part of a larger attack aimed at gaining persistent access and control over the network. The Elastic detection rule was published on 2024-06-05 and last updated on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the target network. 
This may be achieved through phishing, exploiting vulnerabilities, or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to obtain membership in the Backup Operators group or a similar privileged group capable of running backups.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewbadmin.exe\u003c/code\u003e with the \u003ccode\u003erecovery\u003c/code\u003e argument, targeting the NTDS.dit file. The command line includes parameters to create a system state backup.\u003c/li\u003e\n\u003cli\u003eWbadmin creates a backup of the system state, including the NTDS.dit file, in a specified location.\u003c/li\u003e\n\u003cli\u003eThe attacker copies the NTDS.dit file from the backup location to a separate location for offline analysis.\u003c/li\u003e\n\u003cli\u003eThe attacker uses tools such as \u003ccode\u003entdsutil.exe\u003c/code\u003e or \u003ccode\u003esecretsdump.py\u003c/code\u003e to extract password hashes from the NTDS.dit file.\u003c/li\u003e\n\u003cli\u003eThe attacker cracks the password hashes or uses them in pass-the-hash attacks to gain access to other systems and resources within the domain.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves domain dominance and persistence, allowing them to control critical systems and data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to dump credentials from the NTDS.dit file, leading to complete compromise of the Active Directory domain. This enables them to move laterally, access sensitive data, and establish persistent control over the environment. The impact can include data breaches, ransomware deployment, and long-term disruption of business operations. 
The medium risk score indicates that while the attack requires specific privileges, the consequences are significant if successful.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to detect \u003ccode\u003ewbadmin.exe\u003c/code\u003e execution as described in the Attack Chain (Data Source: Windows Security Event Logs, Sysmon).\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect suspicious \u003ccode\u003ewbadmin.exe\u003c/code\u003e execution with NTDS.dit related arguments in your SIEM (Rule: NTDS Dump via Wbadmin).\u003c/li\u003e\n\u003cli\u003eMonitor and restrict membership in privileged groups like Backup Operators to minimize the risk of abuse (Reference: \u003ca href=\"https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960\"\u003ehttps://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate backup schedules or disaster recovery processes to reduce false positives (False positive analysis).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T10:00:00Z","date_published":"2024-07-03T10:00:00Z","id":"/briefs/2024-07-ntds-dump-wbadmin/","summary":"Attackers with Backup Operator privileges may abuse wbadmin.exe to access the NTDS.dit file, enabling credential dumping and domain compromise.","title":"NTDS Dump via Wbadmin","url":"https://feed.craftedsignal.io/briefs/2024-07-ntds-dump-wbadmin/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","Elastic Endgame","SentinelOne Cloud 
Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","lateral-movement","registry-modification","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eNetwork Level Authentication (NLA) is a security feature in Windows that requires users to authenticate before establishing a full RDP session, adding an extra layer of protection against unauthorized access. Attackers might attempt to disable NLA to gain access to the Windows sign-in screen without proper authentication. This tactic can facilitate the deployment of persistence mechanisms, such as leveraging Accessibility Features like Sticky Keys, or enable unauthorized remote access. This brief addresses the registry modifications associated with disabling NLA and provides detection strategies to identify such attempts. The references indicate that this technique is used in conjunction with other attacks for lateral movement within a compromised network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the system is gained (potentially via compromised credentials or vulnerability exploitation).\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to modify system-level settings.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry key \u003ccode\u003eHKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication\u003c/code\u003e to disable NLA.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eUserAuthentication\u003c/code\u003e value is set to \u0026ldquo;0\u0026rdquo; or \u0026ldquo;0x00000000\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish an RDP connection to the compromised system.\u003c/li\u003e\n\u003cli\u003eDue to the disabled NLA, the attacker bypasses the initial authentication screen.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages accessibility 
features (e.g., Sticky Keys) for persistence or further exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of NLA allows attackers to bypass authentication and gain unauthorized access to systems via RDP. This can lead to data theft, malware installation, or further lateral movement within the network. While the exact number of victims and sectors targeted are unspecified, the potential impact includes significant data breaches and system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process-creation and registry event logging to detect the registry modifications (Elastic Defend, Elastic Endgame, Microsoft Defender XDR, SentinelOne, Sysmon).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect attempts to modify the \u003ccode\u003eUserAuthentication\u003c/code\u003e registry key (Sysmon Registry Events).\u003c/li\u003e\n\u003cli\u003eReview and harden RDP configurations across the environment to prevent unauthorized access (Microsoft documentation).\u003c/li\u003e\n\u003cli\u003eMonitor endpoint security policies to detect unauthorized registry modifications (Endpoint Security Policies).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-31T12:00:00Z","date_published":"2024-01-31T12:00:00Z","id":"/briefs/2024-01-disable-nla/","summary":"Adversaries may disable Network-Level Authentication (NLA) by modifying specific registry keys to bypass authentication requirements for Remote Desktop Protocol (RDP) and enable persistence mechanisms.","title":"Network-Level Authentication (NLA) Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-nla/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Elastic 
Defend","Sysmon"],"_cs_severities":["high"],"_cs_tags":["credential-access","netsh","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers often target wireless credentials to gain unauthorized network access. This involves using the legitimate Windows command-line tool \u003ccode\u003enetsh.exe\u003c/code\u003e to extract Wi-Fi passwords stored on a compromised system. By leveraging \u003ccode\u003enetsh\u003c/code\u003e, attackers can bypass traditional security measures and retrieve sensitive information without deploying custom malware. The technique involves specific command-line arguments that instruct \u003ccode\u003enetsh\u003c/code\u003e to display wireless keys in cleartext, exposing the network passwords. Defenders must monitor \u003ccode\u003enetsh\u003c/code\u003e command-line activity to identify potential credential access attempts. This activity can lead to lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Windows system (e.g., via phishing or exploiting a software vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e with specific arguments to list available wireless profiles.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target wireless profile from the list.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e again, this time specifying the target profile and requesting the key to be displayed in cleartext using the \u003ccode\u003ekey=clear\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eNetsh.exe\u003c/code\u003e retrieves the Wi-Fi password from the Windows Wireless LAN service.\u003c/li\u003e\n\u003cli\u003eThe password is displayed in the command output, which the attacker 
captures.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained Wi-Fi password to connect to the wireless network.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform lateral movement and access internal resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful credential dumping allows attackers to gain unauthorized access to wireless networks. This can lead to lateral movement within the organization\u0026rsquo;s network, access to sensitive data, and further compromise of systems and resources. The impact includes potential data breaches, financial losses, and reputational damage. This technique allows attackers to bypass traditional network access controls.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Wireless Credential Dumping via Netsh\u003c/code\u003e to identify suspicious \u003ccode\u003enetsh.exe\u003c/code\u003e commands in your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the \u003ccode\u003enetsh.exe\u003c/code\u003e command-line arguments.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the process lineage and user context as outlined in the \u0026ldquo;Triage and analysis\u0026rdquo; section of the source.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies for Wi-Fi networks, including the use of WPA2 or WPA3 encryption.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of \u003ccode\u003enetsh.exe\u003c/code\u003e on systems where it is not required, using application control solutions.\u003c/li\u003e\n\u003cli\u003eMonitor for related alerts indicating lateral movement, staging, remote access, or persistence, as mentioned in the \u0026ldquo;Triage and analysis\u0026rdquo; section of the 
source.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-wireless-creds-dumping/","summary":"Adversaries use the Windows built-in utility Netsh to dump Wireless saved access keys in clear text, potentially leading to credential compromise.","title":"Wireless Credential Dumping via Netsh","url":"https://feed.craftedsignal.io/briefs/2024-01-30-wireless-creds-dumping/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","Elastic Endgame","Sysmon"],"_cs_severities":["low"],"_cs_tags":["privilege-escalation","unquoted-service-path","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eUnquoted service paths in Windows can be exploited to escalate privileges. When a service path lacks quotes, Windows may execute a malicious executable placed in a higher-level directory. This detection rule identifies suspicious processes starting from common unquoted paths, like \u0026ldquo;C:\\Program.exe\u0026rdquo; or executables within \u0026ldquo;C:\\Program Files (x86)\\\u0026rdquo; or \u0026ldquo;C:\\Program Files\\\u0026rdquo;, signaling potential exploitation attempts. The rule aims to detect early stages of privilege escalation threats. 
This rule is designed for data generated by Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, Windows Security Event Logs, and Crowdstrike.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a service running with an unquoted path, such as \u0026ldquo;C:\\Program Files\\Unquoted Path Service\\Common\\Service.exe\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker places a malicious executable named \u0026ldquo;Program.exe\u0026rdquo; in \u0026ldquo;C:\\\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe operating system attempts to start the service \u0026ldquo;C:\\Program Files\\Unquoted Path Service\\Common\\Service.exe\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eDue to the unquoted path, the OS incorrectly parses the path and first attempts to execute \u0026ldquo;C:\\Program.exe\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe malicious \u0026ldquo;Program.exe\u0026rdquo; executes with the privileges of the service account.\u003c/li\u003e\n\u003cli\u003eThe malicious executable performs actions to escalate privileges, such as adding a user to the local administrators group.\u003c/li\u003e\n\u003cli\u003eThe attacker gains elevated access to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of an unquoted service path vulnerability can lead to complete system compromise, as the attacker gains the privileges of the service account. This can allow the attacker to install programs, view, change, or delete data, or create new accounts with full user rights. 
The impact is high, potentially leading to a loss of confidentiality, integrity, and availability of the affected system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview process executable paths to confirm if they match the patterns specified in the rule query, such as \u0026ldquo;?:\\Program.exe\u0026rdquo; or executables within \u0026ldquo;C:\\Program Files (x86)\\\u0026rdquo; or \u0026ldquo;C:\\Program Files\\\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Exploitation of an Unquoted Service Path Vulnerability\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging with Event ID 1 to activate the Sigma rules above.\u003c/li\u003e\n\u003cli\u003eConduct a thorough review of service configurations to identify and correct any unquoted service paths as part of remediation steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T10:00:00Z","date_published":"2024-01-29T10:00:00Z","id":"/briefs/2024-01-29-unquoted-service-path/","summary":"This rule detects potential exploitation of unquoted service path vulnerabilities, where adversaries may escalate privileges by placing a malicious executable in a higher-level directory within the path of an unquoted service executable.","title":"Potential Exploitation of an Unquoted Service Path Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-29-unquoted-service-path/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Endpoint Security","SentinelOne Cloud Funnel","Crowdstrike FDR","Sysmon"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","amsi","registry","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers can disable the Antimalware Scan Interface (AMSI) to evade detection by 
modifying the \u003ccode\u003eAmsiEnable\u003c/code\u003e registry key. This technique is commonly employed to execute malicious scripts without triggering security warnings or blocks. The AMSI, a Windows feature, allows applications and services to request the scanning of potentially malicious content (e.g., PowerShell scripts, JScript) before execution. By setting the \u003ccode\u003eAmsiEnable\u003c/code\u003e value to 0, an attacker can disable AMSI for the current user, effectively bypassing real-time script scanning. This action is often a precursor to deploying further malicious payloads or establishing persistence on a compromised system. This behavior has been observed since at least 2019 and continues to be a relevant defense evasion technique.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script or binary that attempts to modify the \u003ccode\u003eAmsiEnable\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eThe script or binary uses \u003ccode\u003ereg.exe\u003c/code\u003e, PowerShell, or another tool to set the \u003ccode\u003eAmsiEnable\u003c/code\u003e registry value to 0. The registry key location is typically \u003ccode\u003eHKEY_USERS\\\u0026lt;SID\u0026gt;\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAfter successfully disabling AMSI, the attacker proceeds to execute malicious scripts or code. 
These scripts may use \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, or \u003ccode\u003ecscript.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious scripts download and execute additional payloads, such as malware or remote access tools (RATs).\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement within the network using the compromised system as a pivot.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish persistence, ensuring continued access to the system even after reboots.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys ransomware to achieve their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the \u003ccode\u003eAmsiEnable\u003c/code\u003e registry key allows attackers to execute malicious scripts without triggering AMSI alerts, leading to potential malware infections, data breaches, and system compromise. Disabling AMSI significantly reduces the effectiveness of endpoint security solutions, making the system more vulnerable to attack. 
The impact can range from individual workstation compromise to widespread network infections, depending on the attacker\u0026rsquo;s objectives and the organization\u0026rsquo;s security posture.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AmsiEnable Registry Modification via Registry Events\u003c/code\u003e to your SIEM to detect modifications to the \u003ccode\u003eAmsiEnable\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to provide the necessary data for the Sigma rule to function.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for processes modifying registry keys, especially \u003ccode\u003ereg.exe\u003c/code\u003e and PowerShell, using the rule \u003ccode\u003eDetect AmsiEnable Registry Modification via Process Creation\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules promptly to determine if the activity is malicious or legitimate.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted scripts and binaries.\u003c/li\u003e\n\u003cli\u003eHarden systems by restricting user permissions to modify critical registry keys.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-27T18:23:00Z","date_published":"2024-01-27T18:23:00Z","id":"/briefs/2024-01-amsi-registry-disable/","summary":"Adversaries modify the AmsiEnable registry key to 0 to disable Windows Script AMSI scanning, bypassing AMSI protections for Windows Script Host or JScript execution.","title":"AMSI Enable Registry Key Modification for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-amsi-registry-disable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Elastic 
Endgame","Sysmon","AA_v*.exe","AeroAdmin.exe","AnyDesk.exe","apc_Admin.exe","apc_host.exe","AteraAgent.exe","aweray_remote*.exe","AweSun.exe","AgentMon.exe","B4-Service.exe","BASupSrvc.exe","bomgar-scc.exe","domotzagent.exe","domotz-windows-x64-10.exe","dwagsvc.exe","DWRCC.exe","ImperoClientSVC.exe","ImperoServerSVC.exe","ISLLight.exe","ISLLightClient.exe","fleetdeck_commander*.exe","getscreen.exe","g2aservice.exe","GoToAssistService.exe","gotohttp.exe","jumpcloud-agent.exe","level.exe","LvAgent.exe","LMIIgnition.exe","LogMeIn.exe","Lunixar.exe","LunixarRemote.exe","LunixarUpdater.exe","ManageEngine_Remote_Access_Plus.exe","MeshAgent.exe","Mikogo-Service.exe","NinjaRMMAgent.exe","NinjaRMMAgenPatcher.exe","ninjarmm-cli.exe","parsec.exe","PService.exe","quickassist.exe","r_server.exe","radmin.exe","radmin3.exe","RCClient.exe","RCService.exe","RemoteDesktopManager.exe","RemotePC.exe","RemotePCDesktop.exe","RemotePCService.exe","rfusclient.exe","ROMServer.exe","ROMViewer.exe","RPCSuite.exe","rserver3.exe","rustdesk.exe","rutserv.exe","rutview.exe","saazapsc.exe","ScreenConnect*.exe","session_win.exe","Remote Support.exe","smpcview.exe","spclink.exe","Splashtop-streamer.exe","Syncro.Overmind.Service.exe","SyncroLive.Agent.Runner.exe","SRService.exe","strwinclt.exe","Supremo.exe","SupremoService.exe","tacticalrmm.exe","tailscale.exe","tailscaled.exe","teamviewer.exe","ToDesk_Service.exe","twingate.exe","TiClientCore.exe","TSClient.exe","tvn.exe","tvnserver.exe","tvnviewer.exe","UltraVNC*.exe","UltraViewer*.exe","vncserver.exe","vncviewer.exe","winvnc.exe","winwvc.exe","Zaservice.exe","ZohoURS.exe","Velociraptor.exe","ToolsIQ.exe","CagService.exe","ScreenConnect.ClientService.exe","TiAgent.exe","GoToResolveProcessChecker.exe","GoToResolveUnattended.exe","Syncro.Installer.exe"],"_cs_severities":["medium"],"_cs_tags":["remote-access","rmm","command-and-control","persistence"],"_cs_type":"advisory","_cs_vendors":["Elastic","Action1 Corporation","AeroAdmin LLC","Ammyy 
LLC","Atera Networks Ltd","AWERAY PTE. LTD.","BeamYourScreen GmbH","Bomgar Corporation","DUC FABULOUS CO.,LTD","DOMOTZ INC.","DWSNET OÜ","FleetDeck Inc","GlavSoft LLC","Hefei Pingbo Network Technology Co. Ltd","IDrive, Inc.","IMPERO SOLUTIONS LIMITED","Instant Housecall","ISL Online Ltd.","LogMeIn, Inc.","LUNIXAR SAS DE CV","MMSOFT Design Ltd.","Nanosystems S.r.l.","NetSupport Ltd","NinjaRMM, LLC","Parallels International GmbH","philandro Software GmbH","Pro Softnet Corporation","RealVNC","Remote Utilities LLC","Rocket Software, Inc.","SAFIB","Servably, Inc.","ShowMyPC INC","Splashtop Inc.","Superops Inc.","TeamViewer","Techinline Limited","uvnc bvba","Yakhnovets Denis Aleksandrovich IP","Zhou Huabing","ZOHO Corporation Private Limited","Connectwise, LLC","BreakingSecurity.net","Tailscale","Twingate","RustDesk","Zoho","JumpCloud","ScreenConnect","GoTo"],"content_html":"\u003cp\u003eAttackers commonly abuse legitimate remote monitoring and management (RMM) tools and remote access software for command and control (C2), persistence, and execution of native commands on compromised endpoints. These tools provide attackers with the ability to maintain access, execute commands, and move laterally within a network. This detection identifies when a process associated with commonly abused RMM/remote access tools is observed for the first time on a host. The rule is designed to trigger when a new process name or code signature associated with RMM software, or a child process of such software, is seen within a configured history window. 
This helps defenders quickly identify potentially malicious use of legitimate tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to a target system through various methods, such as exploiting vulnerabilities or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eTool Deployment: The attacker deploys a remote monitoring and management (RMM) tool or remote access software on the compromised endpoint. This may involve downloading and installing the tool, or exploiting existing installations.\u003c/li\u003e\n\u003cli\u003ePersistence: The RMM tool is configured to run persistently on the system, ensuring that the attacker maintains access even after a reboot or other disruption. This may involve creating a service or adding a registry key to ensure the tool starts automatically.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The attacker uses the RMM tool to establish a command and control (C2) channel with the compromised system. This allows them to remotely execute commands, transfer files, and monitor activity on the system.\u003c/li\u003e\n\u003cli\u003eLateral Movement: Using the RMM tool, the attacker moves laterally within the network, compromising additional systems and escalating their access. 
This may involve using the tool to access shared resources or execute commands on other systems.\u003c/li\u003e\n\u003cli\u003eData Exfiltration or Ransomware Deployment: The attacker uses their access to exfiltrate sensitive data from the compromised network or deploy ransomware to encrypt files and demand a ransom payment.\u003c/li\u003e\n\u003cli\u003eCleanup: The attacker may attempt to remove traces of their activity, such as logs or files associated with the RMM tool, to avoid detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromise via RMM tools can lead to significant data breaches, financial losses, and reputational damage. The use of legitimate tools makes detection more difficult. Successful attacks can result in ransomware deployment, data theft, and prolonged unauthorized access to sensitive systems. Organizations in all sectors are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the process creation rule to detect the execution of RMM tools on endpoints based on \u003ccode\u003eprocess.name\u003c/code\u003e and \u003ccode\u003eprocess.code_signature.subject_name\u003c/code\u003e criteria in the query.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to ensure the collection of necessary event data for the detection rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the detection rule to determine whether the execution of the RMM tool is authorized and legitimate. 
Refer to the references for a list of commonly abused RMM tools and associated indicators.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-first-time-seen-rmm/","summary":"Detects the execution of previously unseen remote monitoring and management (RMM) tools or remote access software on compromised Windows endpoints, often leveraged for command-and-control, persistence, and execution of malicious commands.","title":"First Time Seen Remote Monitoring and Management Tool Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-first-time-seen-rmm/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Endgame","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Sysmon","Windows Security Event Logs","Crowdstrike"],"_cs_severities":["high"],"_cs_tags":["credential-access","registry-dump","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies attempts to export registry hives containing sensitive credential information using the Windows \u003ccode\u003ereg.exe\u003c/code\u003e utility. Attackers may target the \u003ccode\u003eHKLM\\SAM\u003c/code\u003e and \u003ccode\u003eHKLM\\SECURITY\u003c/code\u003e hives to extract stored credentials, including password hashes and LSA secrets. The activity is often part of a broader credential access campaign. The rule focuses on detecting the execution of \u003ccode\u003ereg.exe\u003c/code\u003e with specific arguments indicating an attempt to save or export these critical registry hives. The use of \u003ccode\u003ereg.exe\u003c/code\u003e makes this technique accessible to various threat actors, including ransomware groups and nation-state actors. Defenders need to monitor for this activity to prevent unauthorized credential access and potential lateral movement within the network. 
This rule specifically looks for \u0026ldquo;save\u0026rdquo; and \u0026ldquo;export\u0026rdquo; arguments targeting SAM and SECURITY hives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ereg.exe\u003c/code\u003e from the command line or through a script.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ereg.exe\u003c/code\u003e command includes arguments to save or export registry hives.\u003c/li\u003e\n\u003cli\u003eThe target registry hives are \u003ccode\u003eHKLM\\SAM\u003c/code\u003e and \u003ccode\u003eHKLM\\SECURITY\u003c/code\u003e, containing sensitive credential information.\u003c/li\u003e\n\u003cli\u003eThe exported registry hive is saved to a file on disk or a network share.\u003c/li\u003e\n\u003cli\u003eThe attacker may compress or encrypt the exported registry hive to evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the exported registry hive for offline analysis.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts credential information from the registry hive, such as password hashes and LSA secrets, to use in lateral movement or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to acquire sensitive credentials stored within the registry. This can lead to lateral movement within the network, privilege escalation, and ultimately, data exfiltration or system compromise. Compromised credentials can be used to access critical systems and data, causing significant damage to the organization. 
The impact is considered high due to the potential for widespread access and control over the compromised environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation auditing with command line arguments to capture the execution of \u003ccode\u003ereg.exe\u003c/code\u003e with relevant arguments. (\u003ca href=\"https://ela.st/audit-process-creation\"\u003eData Source: Windows Security Event Logs, Sysmon\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Registry Hive Export via Reg.exe\u003c/code\u003e to your SIEM to detect the execution of \u003ccode\u003ereg.exe\u003c/code\u003e with arguments indicative of registry hive dumping.\u003c/li\u003e\n\u003cli\u003eImplement access controls and monitor file system activity to detect unauthorized access or modification of registry hive files.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of \u003ccode\u003ereg.exe\u003c/code\u003e to authorized personnel and processes.\u003c/li\u003e\n\u003cli\u003eMonitor for parent processes of \u003ccode\u003ereg.exe\u003c/code\u003e that are unusual or unexpected, which might indicate malicious activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by reviewing the process command line, parent process, and destination of the exported registry hive.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-24-registry-hive-dump/","summary":"Detects attempts to export sensitive Windows registry hives (SAM/SECURITY) using reg.exe, potentially leading to credential compromise.","title":"Credential Acquisition via Registry Hive Dumping","url":"https://feed.craftedsignal.io/briefs/2024-01-24-registry-hive-dump/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne 
Cloud Funnel","CrowdStrike FDR","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows-sandbox","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers may abuse the Windows Sandbox feature to evade detection by running malicious code within the isolated environment. This involves configuring the sandbox with sensitive options such as granting write access to the host file system, enabling network connections, and setting up automatic command execution via logon. By running within the sandbox with these configurations, malware can potentially interact with the host system, while making detection more difficult. This technique is used for defense evasion, hiding artifacts, and executing malicious activities within a virtualized environment to avoid direct exposure on the host. The rule identifies the start of a new container with sensitive configurations like write access to the host file system, network connection and automatic execution via logon command.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through an exploit or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages Windows Sandbox by executing \u003ccode\u003ewsb.exe\u003c/code\u003e or \u003ccode\u003eWindowsSandboxClient.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the sandbox to enable networking using \u003ccode\u003e\u0026lt;Networking\u0026gt;Enable\u0026lt;/Networking\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;NetworkingEnabled\u0026gt;true\u0026lt;/NetworkingEnabled\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker grants the sandbox write access to the host file system using \u003ccode\u003e\u0026lt;HostFolder\u0026gt;C:\\\\\u0026lt;ReadOnly\u0026gt;false\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe 
attacker sets up a logon command to automatically execute malicious code when the sandbox starts using \u003ccode\u003e\u0026lt;LogonCommand\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe sandbox initializes and executes the configured logon command.\u003c/li\u003e\n\u003cli\u003eThe malicious code interacts with the host file system and network, performing actions such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as deploying ransomware or stealing sensitive information, while operating from within the isolated sandbox environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using Windows Sandbox abuse can lead to a range of negative impacts. Attackers may gain unauthorized access to sensitive data, compromise system integrity, or disrupt business operations. The use of the sandbox environment helps to conceal malicious activity, making detection and remediation more challenging. The damage can include data breaches, financial losses, reputational damage, and regulatory penalties. 
Successful exploitation allows malware to interact with the host system, potentially affecting multiple systems on the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Windows Sandbox with Sensitive Configuration\u0026rdquo; detection rule to your SIEM to identify potential sandbox abuse attempts.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ewsb.exe\u003c/code\u003e and \u003ccode\u003eWindowsSandboxClient.exe\u003c/code\u003e with command-line arguments that enable networking (\u003ccode\u003e\u0026lt;Networking\u0026gt;Enable\u0026lt;/Networking\u0026gt;\u003c/code\u003e, \u003ccode\u003e\u0026lt;NetworkingEnabled\u0026gt;true\u0026lt;/NetworkingEnabled\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ewsb.exe\u003c/code\u003e and \u003ccode\u003eWindowsSandboxClient.exe\u003c/code\u003e with command-line arguments that enable write access to the host file system (\u003ccode\u003e\u0026lt;HostFolder\u0026gt;C:\\\\\u0026lt;ReadOnly\u0026gt;false\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ewsb.exe\u003c/code\u003e and \u003ccode\u003eWindowsSandboxClient.exe\u003c/code\u003e with command-line arguments that define logon commands (\u003ccode\u003e\u0026lt;LogonCommand\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the necessary command-line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-10T12:00:00Z","date_published":"2024-01-10T12:00:00Z","id":"/briefs/2024-01-windows-sandbox-abuse/","summary":"This rule detects the abuse of Windows Sandbox with sensitive configurations to evade detection, where malware may abuse the sandbox feature to gain write access to the host file system, enable network connections, and automatically 
execute commands via logon, identifying the start of a new container with these sensitive configurations.","title":"Windows Sandbox Abuse with Sensitive Configuration","url":"https://feed.craftedsignal.io/briefs/2024-01-windows-sandbox-abuse/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["m365_defender","Elastic Defend","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["process_injection","privilege_escalation","defense_evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThe Windows Service Host process (svchost.exe) is a critical system component that hosts multiple Windows services to optimize resource utilization. Certain services running under svchost.exe are not expected to spawn child processes. Attackers may inject malicious code into these \u0026ldquo;childless\u0026rdquo; svchost processes to execute unauthorized commands and evade traditional detection methods. This detection rule identifies anomalies by monitoring child processes of svchost.exe instances associated with services known to be childless, such as \u003ccode\u003eWdiSystemHost\u003c/code\u003e, \u003ccode\u003eLicenseManager\u003c/code\u003e, and \u003ccode\u003eStorSvc\u003c/code\u003e, flagging potential process injection or exploitation attempts. 
The rule aims to identify deviations from the expected behavior of these services, providing an early warning of potential malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system through an exploit or by leveraging existing credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into a running svchost.exe process associated with a childless service like \u003ccode\u003eWdiSystemHost\u003c/code\u003e or \u003ccode\u003eStorSvc\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected code spawns a child process from the targeted svchost.exe instance. This could involve executing a system utility or a custom payload.\u003c/li\u003e\n\u003cli\u003eThe child process executes commands or performs actions dictated by the injected code, such as establishing a reverse shell or downloading additional payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the spawned process to perform reconnaissance activities, gathering information about the system and network.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges, potentially leveraging vulnerabilities or misconfigurations accessible from the compromised svchost process.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems on the network, using the compromised system as a pivot point.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which may include data exfiltration, ransomware deployment, or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to privilege escalation, allowing attackers to gain control of the compromised system and potentially the entire network. 
Attackers can use the compromised system as a staging ground for further attacks, exfiltrate sensitive data, deploy ransomware, or disrupt critical services. The medium severity score reflects the potential for significant impact if the activity is not detected and contained promptly.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eUnusual Svchost Child Process - Childless Service\u003c/code\u003e to your SIEM to detect potential process injection attacks targeting svchost.exe.\u003c/li\u003e\n\u003cli\u003eTune the rule by adding known false positives to the exclusion list, such as \u003ccode\u003eWerFault.exe\u003c/code\u003e, \u003ccode\u003eWerFaultSecure.exe\u003c/code\u003e, and \u003ccode\u003ewermgr.exe\u003c/code\u003e to reduce alert fatigue.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging via Sysmon (Event ID 1) with command line details for better visibility into spawned processes, as described in the \u003ca href=\"https://ela.st/sysmon-event-1-setup\"\u003esetup guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule, focusing on the process details and parent-child relationships to determine the legitimacy of the spawned process.\u003c/li\u003e\n\u003cli\u003eConsider using endpoint detection and response (EDR) solutions like Elastic Defend for enhanced visibility and automated response capabilities, as the rule is designed for data generated by \u003ca href=\"https://www.elastic.co/security/endpoint-security\"\u003eElastic Defend\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"/briefs/2024-01-unusual-svchost-child-process/","summary":"This detection identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn child processes, potentially indicating code injection or 
exploitation.","title":"Unusual Service Host Child Process - Childless Service","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-svchost-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft HTML Help system","Elastic Defend","Microsoft Defender XDR","Sysmon","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["execution","defense-evasion","compiled-html","windows","proxy-execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eAttackers are known to deliver malicious payloads within compiled HTML files (.chm) to bypass security measures and gain initial access to systems. This technique leverages the Microsoft HTML Help system and its associated executable, hh.exe, to proxy the execution of malicious code. Compiled HTML files can contain various types of content, including HTML documents, images, and scripting languages like VBA, JScript, Java, and ActiveX. By embedding malicious scripts or executables within a .chm file, attackers can trick users into executing them when they open the file. This is particularly effective because hh.exe is a signed binary, which may allow it to bypass certain security controls. 
The scope of this technique affects Windows systems where the HTML Help system is installed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious .chm file containing embedded malicious code, such as a PowerShell script or executable.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the .chm file to the victim via social engineering, such as phishing or malicious websites.\u003c/li\u003e\n\u003cli\u003eThe victim opens the .chm file, causing hh.exe to launch.\u003c/li\u003e\n\u003cli\u003ehh.exe processes the .chm file, rendering its content, which includes the embedded malicious script or executable.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes, often spawning a scripting interpreter like \u003ccode\u003epowershell.exe\u003c/code\u003e or \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe scripting interpreter executes commands to download additional payloads or perform malicious actions on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the victim\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges and moves laterally within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to initial access, code execution, and potentially full system compromise. This can result in data theft, malware installation, and further lateral movement within the network. 
The severity and impact depend on the permissions of the user running hh.exe and the nature of the malicious payload.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Compiled HTML File Spawning Suspicious Processes\u0026rdquo; to your SIEM to detect instances where \u003ccode\u003ehh.exe\u003c/code\u003e is the parent process of scripting interpreters.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to provide the necessary data for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eMonitor process execution chains for unknown processes originating from \u003ccode\u003ehh.exe\u003c/code\u003e, as mentioned in the investigation guide.\u003c/li\u003e\n\u003cli\u003eImplement email filtering and security awareness training to prevent users from opening malicious .chm files delivered via phishing.\u003c/li\u003e\n\u003cli\u003eBlock the execution of unsigned or untrusted executables in the environment to reduce the risk of malicious code execution.\u003c/li\u003e\n\u003cli\u003eUse endpoint detection and response (EDR) solutions like Elastic Defend, CrowdStrike, Microsoft Defender XDR, and SentinelOne to detect and respond to malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:30:00Z","date_published":"2024-01-03T18:30:00Z","id":"/briefs/2024-01-compiled-html-execution/","summary":"Adversaries may conceal malicious code in compiled HTML files (.chm) and deliver them to a victim for execution, using the HTML Help executable (hh.exe) to proxy the execution of scripting interpreters and bypass security controls.","title":"Process Activity via Compiled HTML File Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-compiled-html-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MSBuild","Elastic Defend","Sysmon","Windows Security Event 
Logs"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","msbuild"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThe Microsoft Build Engine (MSBuild) is a legitimate tool used for building applications. However, adversaries may abuse MSBuild to execute malicious scripts or compile code, effectively bypassing security controls. This technique is often employed to deploy malicious payloads. This detection focuses on identifying instances where MSBuild initiates unusual processes such as PowerShell, Internet Explorer, or the Visual C# Command Line Compiler (csc.exe). This activity is considered suspicious because legitimate software development workflows do not typically involve MSBuild directly spawning these processes. The original Elastic detection rule was created on 2020-03-25 and last updated on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies or creates an MSBuild project file (.csproj or .sln) containing malicious commands.\u003c/li\u003e\n\u003cli\u003eThe malicious MSBuild project file is crafted to execute a script or compile code.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the MSBuild.exe or msbuild.exe utility to execute the malicious project file.\u003c/li\u003e\n\u003cli\u003eMSBuild spawns an unusual process such as powershell.exe, csc.exe, or iexplore.exe based on the malicious project file configuration.\u003c/li\u003e\n\u003cli\u003ePowerShell executes arbitrary commands, downloads further payloads, or performs other malicious actions.\u003c/li\u003e\n\u003cli\u003eThe C# compiler (csc.exe) compiles malicious code into an executable or library.\u003c/li\u003e\n\u003cli\u003eThe compiled malware or downloaded payloads execute, leading to further compromise, such 
as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to deploy malware, compromise sensitive data, and establish persistence on the targeted system. The use of MSBuild for malicious purposes allows attackers to bypass application whitelisting and other security controls that trust signed Microsoft binaries. While the precise number of victims is unknown, this technique can be employed against a wide range of organizations, particularly those with vulnerable systems or inadequate endpoint protection.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging, specifically including parent-child relationships, to detect unusual process spawning by MSBuild (logs-endpoint.events.process-*, logs-system.security*, logs-windows.forwarded*, logs-windows.sysmon_operational-*, winlogbeat-*).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Microsoft Build Engine Started an Unusual Process\u0026rdquo; to your SIEM to identify instances of MSBuild spawning suspicious processes, and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of MSBuild spawning PowerShell, csc.exe, or iexplore.exe to determine if the activity is legitimate or malicious (process.name:(\u0026ldquo;csc.exe\u0026rdquo; or \u0026ldquo;iexplore.exe\u0026rdquo; or \u0026ldquo;powershell.exe\u0026rdquo;)).\u003c/li\u003e\n\u003cli\u003eMonitor for modifications to MSBuild project files (.proj or .sln) for signs of tampering.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"/briefs/2024-01-msbuild-unusual-process/","summary":"Adversaries may exploit MSBuild to execute malicious scripts or compile code, bypassing security controls; this rule detects 
unusual processes initiated by MSBuild, such as PowerShell or the C# compiler, signaling potential misuse for executing unauthorized or harmful actions.","title":"MSBuild Launches Unusual Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-msbuild-unusual-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["enumeration","wmi","discovery","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers can leverage the Windows Management Instrumentation (WMI) to execute commands for reconnaissance and enumeration within a compromised system. This involves spawning native Windows tools via the WMI Provider Service (WMIPrvSE). This activity is often used to gather system and network information in a stealthy manner, which could be part of a larger attack, such as lateral movement or privilege escalation. 
This behavior matters because it allows adversaries to gather information about the target environment without using easily detectable methods, potentially leading to further compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses WMI to execute a reconnaissance command.\u003c/li\u003e\n\u003cli\u003eWMIPrvSE.exe is invoked to execute the attacker\u0026rsquo;s specified command.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands such as \u003ccode\u003eipconfig.exe\u003c/code\u003e, \u003ccode\u003enet.exe\u003c/code\u003e, or \u003ccode\u003esysteminfo.exe\u003c/code\u003e via WMIPrvSE.exe to gather network configuration details, user information, and system information.\u003c/li\u003e\n\u003cli\u003eThe enumerated information is collected and potentially exfiltrated to a command and control server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to identify further targets within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems using stolen credentials or exploited vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of enumeration commands via WMIPrvSE allows attackers to gather sensitive information about the system and network environment. 
This information can be used to facilitate lateral movement, privilege escalation, and data theft, potentially leading to significant financial loss, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the execution of enumeration commands (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Enumeration Command Spawned via WMIPrvSE\u0026rdquo; to your SIEM to detect suspicious WMIPrvSE activity (Sigma rule).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of WMIPrvSE spawning common enumeration tools such as \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003eipconfig.exe\u003c/code\u003e, or \u003ccode\u003esysteminfo.exe\u003c/code\u003e (Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the scope of potential lateral movement following successful enumeration (Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-wmiprvse-enumeration/","summary":"This rule detects suspicious execution of system enumeration commands by the Windows Management Instrumentation Provider Service (WMIPrvSE), indicating potential reconnaissance or malicious activity on Windows systems.","title":"Suspicious Enumeration Commands Spawned via WMIPrvSE","url":"https://feed.craftedsignal.io/briefs/2024-01-wmiprvse-enumeration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["persistence","startup","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eAttackers often leverage the Windows Startup folder to maintain persistence, as any executable placed in this folder will automatically run when a 
user logs into the system. This technique is particularly effective because it requires no user interaction and can easily be automated. This rule detects when processes commonly abused by attackers, such as cmd.exe, powershell.exe, or mshta.exe, write or modify files within the Startup folders. The rule focuses on identifying unauthorized persistence mechanisms and helps defenders uncover potentially compromised systems. By monitoring file creation events in the Startup folders by suspicious processes, this detection aims to catch malicious activity early in the attack chain.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a command shell (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e) on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the command shell to write a malicious executable or script file to one of the Windows Startup folders (\u003ccode\u003eC:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\u003c/code\u003e or \u003ccode\u003eC:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the file attributes (e.g., using \u003ccode\u003eattrib.exe\u003c/code\u003e) to hide the file or make it more difficult to detect.\u003c/li\u003e\n\u003cli\u003eThe attacker schedules a reboot or waits for the user to log off and back on.\u003c/li\u003e\n\u003cli\u003eUpon user logon, the malicious executable or script in the Startup folder is automatically executed.\u003c/li\u003e\n\u003cli\u003eThe malicious code establishes persistence, potentially downloading additional payloads or establishing a command and control (C2) 
channel.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the compromised system, enabling further malicious activities such as data theft or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to persistent access on the compromised system, allowing attackers to maintain their foothold even after system reboots. This can lead to data exfiltration, installation of ransomware, or further propagation within the network. The number of affected systems depends on the scope of the initial compromise and the attacker\u0026rsquo;s ability to move laterally. Sectors commonly targeted by persistence techniques include finance, healthcare, and government.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) to capture file creation events, as referenced in the \u003ca href=\"#setup\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Process Writing to Startup Folder\u003c/code\u003e to your SIEM to detect suspicious processes creating files in the startup folder, and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine if the activity is malicious, referencing the \u003ca href=\"#note\"\u003einvestigation guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eBlock the processes listed in the rule (\u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, etc.) 
from writing to the startup folders if legitimate use is not required.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-startup-persistence/","summary":"Adversaries may establish persistence by writing malicious files to the Windows Startup folder, allowing them to automatically execute upon user logon; this detection identifies suspicious processes creating files in these locations.","title":"Suspicious Process Writing to Startup Folder for Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-startup-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Sysmon"],"_cs_severities":["medium"],"_cs_tags":["windows","wmi","script_execution","initial_access","execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies the use of Windows script interpreters (cscript.exe or wscript.exe) to execute processes via Windows Management Instrumentation (WMI). Adversaries exploit WMI to execute scripts or processes stealthily, often using script interpreters. The rule monitors for these interpreters executing processes via WMI, specifically when initiated by non-system accounts, indicating potential malicious intent. The detection focuses on identifying scenarios where \u003ccode\u003ewmiutils.dll\u003c/code\u003e is loaded by \u003ccode\u003ewscript.exe\u003c/code\u003e or \u003ccode\u003ecscript.exe\u003c/code\u003e, followed by \u003ccode\u003ewmiprvse.exe\u003c/code\u003e spawning a new process. 
This is often associated with malicious initial access or execution techniques.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access via phishing (T1566) or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a script, such as VBScript or JavaScript (T1059.005, T1059.007), to execute commands using WMI.\u003c/li\u003e\n\u003cli\u003eThe script interpreter (\u003ccode\u003ecscript.exe\u003c/code\u003e or \u003ccode\u003ewscript.exe\u003c/code\u003e) loads \u003ccode\u003ewmiutils.dll\u003c/code\u003e to interact with WMI.\u003c/li\u003e\n\u003cli\u003eThe WMI Provider Host process (\u003ccode\u003ewmiprvse.exe\u003c/code\u003e) is invoked as a parent process, triggered by the script execution.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ewmiprvse.exe\u003c/code\u003e executes a secondary process, such as \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, or other executables, often from unusual locations like \u003ccode\u003eC:\\\\Users\\\\\u003c/code\u003e or \u003ccode\u003eC:\\\\ProgramData\\\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe executed process performs malicious actions, such as downloading additional payloads or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence by creating scheduled tasks or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eThe ultimate objective is often lateral movement, data exfiltration, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code, bypass security controls, and establish persistence on the compromised system. The use of WMI enables stealthy execution, making detection challenging. The impact can range from data theft and system compromise to full network takeover. 
In some cases, threat actors may deploy ransomware, leading to significant financial losses and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Event ID 7 (Image Loaded) logging to provide the necessary data for the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026ldquo;WMI Scripting Process Creation\u0026rdquo; to detect suspicious process creation events originating from \u003ccode\u003ewmiprvse.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the provided Sigma rule \u0026ldquo;WMI Scripting Process Creation\u0026rdquo; with a focus on processes spawned by wmiprvse.exe from unusual locations or with suspicious command-line arguments.\u003c/li\u003e\n\u003cli\u003eImplement endpoint protection policies to block or alert on the execution of high-risk processes when initiated by non-system accounts as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eRegularly review and update endpoint protection policies to block or alert on the execution of high-risk processes like those listed in the detection query, especially when initiated by non-system accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wmi-script-execution/","summary":"The rule identifies the use of Windows script interpreters (cscript.exe or wscript.exe) executing a process via Windows Management Instrumentation (WMI), which may indicate malicious activity, especially when initiated by non-system accounts.","title":"Windows Script Interpreter Executing Process via WMI","url":"https://feed.craftedsignal.io/briefs/2024-01-wmi-script-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud 
Funnel","Crowdstrike FDR","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","lateral-movement","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe legacy Windows AT command allows scheduling tasks for execution. While deprecated since Windows 8 and Windows Server 2012, it remains present for backwards compatibility. Attackers may enable the AT command through registry modifications to achieve persistence or lateral movement within a network. This technique bypasses modern security controls and can be difficult to detect without specific monitoring. The detection rule monitors registry changes enabling this command, flagging potential misuse by checking specific registry paths and values indicative of enabling the AT command. The use of this command allows an attacker to execute commands with elevated privileges, potentially compromising the entire system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to enable the AT command by modifying the registry.\u003c/li\u003e\n\u003cli\u003eThe registry key \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt\u003c/code\u003e is modified to a value of \u0026ldquo;1\u0026rdquo; or \u0026ldquo;0x00000001\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AT command to schedule a malicious task.\u003c/li\u003e\n\u003cli\u003eThe scheduled task executes a command or script, such as downloading and executing malware.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system as a pivot point for lateral 
movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eEnabling the AT command can lead to unauthorized task scheduling, malware execution, persistence, and lateral movement within a network. Successful exploitation can compromise sensitive data, disrupt operations, and grant attackers persistent access to critical systems. The use of a deprecated command makes it harder to detect, increasing the impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor registry events for modifications to \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt\u003c/code\u003e as described in the rule overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Scheduled Tasks AT Command Enabled\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation and registry event logging to activate the rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule \u0026ldquo;Scheduled Tasks AT Command Enabled\u0026rdquo; for suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-at-command-enabled/","summary":"Attackers may enable the deprecated Windows AT command via registry modification to achieve local persistence or lateral movement.","title":"Windows Scheduled Tasks AT Command Enabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-at-command-enabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","root certificate","mitm"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eAttackers can install malicious 
root certificates to subvert trust controls and bypass security measures. Once a rogue root is trusted by the machine, the attacker can issue certificates that chain to it, including code-signing certificates, so that files signed with them validate as trusted on that host and can carry a subject name that imitates a trusted vendor such as Microsoft. This allows the attacker to execute code undetected and maintain persistence on the system. Furthermore, a rogue root certificate can be used in adversary-in-the-middle attacks: a proxy holding its private key can present a certificate for any site that the victim\u0026rsquo;s browsers and applications will accept, allowing the attacker to intercept and decrypt TLS traffic and collect sensitive data. Windows keeps the machine root store in the registry (each certificate is a subkey named by its SHA-1 thumbprint holding a \u003ccode\u003eBlob\u003c/code\u003e value), so installing a root through \u003ccode\u003ecertutil.exe\u003c/code\u003e, PowerShell or a direct registry write always produces a registry modification. Monitoring for these modifications can help security teams identify potential compromise attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, possibly through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to administrator or SYSTEM level, required to modify the machine-wide trusted root certificate store.\u003c/li\u003e\n\u003cli\u003eThe attacker imports a malicious root certificate, for example with \u003ccode\u003ecertutil.exe -addstore Root\u003c/code\u003e, the PowerShell cmdlet \u003ccode\u003eImport-Certificate -CertStoreLocation Cert:\\LocalMachine\\Root\u003c/code\u003e, or a direct registry write.\u003c/li\u003e\n\u003cli\u003eThe registry keys \u003ccode\u003eHKLM\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\u003c/code\u003e or \u003ccode\u003eHKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\u003c/code\u003e are modified to add the new certificate.\u003c/li\u003e\n\u003cli\u003eThe attacker signs malicious executables or scripts with a certificate issued under the newly trusted root.\u003c/li\u003e\n\u003cli\u003eThe signed malicious files are executed, bypassing signature-based detection mechanisms.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts and decrypts TLS traffic through an adversary-in-the-middle proxy, collecting sensitive data like credentials or financial information.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by using the trusted certificate to repeatedly sign and 
execute malicious code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful installation of a malicious root certificate allows attackers to bypass security controls, leading to the execution of arbitrary code and potential data theft. This can result in significant data breaches, financial losses, and reputational damage. Attackers can use this technique to maintain a long-term presence on compromised systems, making detection and remediation more challenging. While no specific victim counts are available, the technique is broadly applicable across many sectors and can affect any organization running Windows systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Root Certificate Modification\u0026rdquo; to your SIEM to detect registry modifications related to root certificate installation.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging (Event ID 12 for creation of the thumbprint subkey and Event ID 13 for the \u003ccode\u003eBlob\u003c/code\u003e value write) to provide the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the process that modified the registry keys related to root certificates and on whether the certificate it added is one your organization deployed (for example through Group Policy, which writes to the \u003ccode\u003ePolicies\u003c/code\u003e path).\u003c/li\u003e\n\u003cli\u003eReview the \u0026ldquo;False Positives\u0026rdquo; section in the rule documentation to tune the Sigma rule for your environment; enterprise CA roll-outs and some security products that inspect TLS install their own roots.\u003c/li\u003e\n\u003cli\u003eAfter a confirmed root-store modification, look for adversary-in-the-middle indicators on the host and network: unexpected system or browser proxy settings, and TLS connections whose server certificates chain to the rogue root rather than to a public CA.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-root-cert-modification/","summary":"The modification of root certificates on Windows systems by unauthorized processes can allow attackers to masquerade malicious files as valid signed components and intercept/decrypt TLS traffic, leading to defense evasion and data collection.","title":"Windows Root 
Certificate Modification Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-root-cert-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Elastic Endgame","Sysmon","Windows"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThis detection identifies suspicious usage of \u003ccode\u003escrobj.dll\u003c/code\u003e, the Windows Script Component runtime, when it is loaded into unusual Microsoft processes. Attackers may abuse \u003ccode\u003escrobj.dll\u003c/code\u003e to execute malicious scriptlets (\u003ccode\u003e.sct\u003c/code\u003e files, which the library will fetch from a remote URL) within trusted processes, thereby evading detection; the best-known form is \u003ccode\u003eregsvr32.exe /s /n /u /i:\u0026lt;url\u0026gt; scrobj.dll\u003c/code\u003e, but any signed Microsoft binary that can be made to load the library serves the same purpose. This technique allows adversaries to proxy execution through trusted system binaries. The rule focuses on detecting anomalous activity by excluding common executables, and flagging only non-standard processes loading \u003ccode\u003escrobj.dll\u003c/code\u003e. The detection logic is based on identifying image load events where \u003ccode\u003escrobj.dll\u003c/code\u003e is loaded into unexpected processes, indicating a potential misuse of the library. 
The rule is designed for data generated by Elastic Defend, Elastic Endgame, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts or deploys a malicious scriptlet designed to execute malicious commands or payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a non-standard or less common Microsoft process to load \u003ccode\u003escrobj.dll\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003escrobj.dll\u003c/code\u003e is loaded into the target process, enabling the execution of scriptlets.\u003c/li\u003e\n\u003cli\u003eThe malicious scriptlet executes within the context of the trusted Microsoft process, bypassing application whitelisting or other security controls.\u003c/li\u003e\n\u003cli\u003eThe scriptlet performs malicious actions, such as downloading additional payloads, modifying system configurations, or establishing command and control communication.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objectives, such as data exfiltration, lateral movement, or persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code within the context of a trusted process, bypassing security controls and potentially leading to full system compromise. This could result in data theft, system corruption, or further propagation of the attack within the network. 
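The check the scrobj.dll brief above describes, written out as an added example (this is not code from the brief, from Elastic or from Sysmon): an image-load record is flagged when the loaded library is scrobj.dll, the loading process carries a trusted Microsoft signature, and that process is not one of the hosts that legitimately use the Script Component runtime. Field names follow ECS as populated by Elastic Defend library events (dll.path, process.executable, process.code_signature.*); with Sysmon alone, Event ID 7 carries the signature of the loaded DLL rather than of the loader, so the signature fields would have to come from the matching process-creation event. The allowlist of expected hosts and the sample events are constructed assumptions for this example.

```python
"""Flag scrobj.dll loaded into a Microsoft-signed process that should not host it.

Added example, not code from the brief, from Elastic or from Sysmon. Field
names follow ECS library events; the allowlist and sample events are
assumptions constructed for this example.
"""
import ntpath

# Hosts that legitimately load scrobj.dll; tune for your fleet (assumption).
EXPECTED_HOSTS = {
    "regsvr32.exe", "rundll32.exe", "cscript.exe", "wscript.exe",
    "mshta.exe", "msiexec.exe", "powershell.exe",
}


def is_suspicious_scrobj_load(event: dict) -> bool:
    """True when scrobj.dll is loaded by a Microsoft-signed process outside EXPECTED_HOSTS."""
    library = ntpath.basename(event.get("dll.path", "")).lower()
    if library != "scrobj.dll":
        return False
    host = ntpath.basename(event.get("process.executable", "")).lower()
    if host in EXPECTED_HOSTS:
        return False
    # The brief scopes the rule to Microsoft processes: require a trusted
    # Microsoft signature on the loader. Unsigned or third-party loaders of
    # scrobj.dll are out of scope here and deserve a rule of their own.
    return (event.get("process.code_signature.trusted") is True
            and event.get("process.code_signature.subject_name") == "Microsoft Windows")


def triage(events) -> list:
    """Return the executables of all events worth investigating, in order."""
    return [e["process.executable"] for e in events if is_suspicious_scrobj_load(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"process.executable": r"C:\Windows\System32\regsvr32.exe",      # expected host
     "dll.path": r"C:\Windows\System32\scrobj.dll",
     "process.code_signature.subject_name": "Microsoft Windows",
     "process.code_signature.trusted": True},
    {"process.executable": r"C:\Windows\System32\certutil.exe",      # unusual host
     "dll.path": r"C:\Windows\System32\scrobj.dll",
     "process.code_signature.subject_name": "Microsoft Windows",
     "process.code_signature.trusted": True},
    {"process.executable": r"C:\Windows\System32\svchost.exe",       # other library
     "dll.path": r"C:\Windows\System32\kernel32.dll",
     "process.code_signature.subject_name": "Microsoft Windows",
     "process.code_signature.trusted": True},
    {"process.executable": r"C:\Users\Public\updater.exe",           # unsigned loader
     "dll.path": r"C:\Windows\System32\scrobj.dll",
     "process.code_signature.subject_name": "",
     "process.code_signature.trusted": False},
]

if __name__ == "__main__":
    for executable in triage(SAMPLE_EVENTS):
        print("suspicious scrobj.dll load by", executable)
```

Only the certutil.exe event is reported: regsvr32.exe is on the allowlist, and the unsigned loader in Users\Public is deliberately left to a separate rule so that this one stays aligned with the brief's scope of unusual Microsoft processes.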
The impact is significant because it allows malware to operate under the guise of legitimate system processes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Scrobj.dll Image Load\u003c/code\u003e to your SIEM to detect this activity (see rule below).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 7 (Image Loaded) to collect the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u003ccode\u003eSuspicious Scrobj.dll Image Load\u003c/code\u003e to determine the legitimacy of the \u003ccode\u003escrobj.dll\u003c/code\u003e loading activity.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on processes identified in the detection rule.\u003c/li\u003e\n\u003cli\u003eContinuously audit scheduled tasks and exclude known safe processes from the detection rule to minimize false positives, as described in the rule\u0026rsquo;s Triage and Analysis section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-suspicious-scrobj-load/","summary":"Detection of scrobj.dll loaded into unusual Microsoft processes indicates potential malicious scriptlet execution for defense evasion and execution by abusing legitimate system binaries.","title":"Suspicious Script Object Execution via scrobj.dll","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-scrobj-load/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","CrowdStrike 
FDR","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["persistence","defense-evasion","registry-modification","ssp"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers can abuse the Windows Security Support Provider (SSP) mechanism to establish persistence on a compromised system. SSPs are DLLs loaded into the Local Security Authority Subsystem Service (LSASS) process, which handles authentication in Windows. The \u003ccode\u003eSecurity Packages\u003c/code\u003e registry value is a multi-string list of package names; at startup LSASS loads \u003ccode\u003e\u0026lt;name\u0026gt;.dll\u003c/code\u003e for each entry from \u003ccode\u003e%SystemRoot%\\System32\u003c/code\u003e. By appending the name of a DLL they have dropped there, attackers can force LSASS to load it on every boot, effectively creating a persistent backdoor that runs inside the process that handles credentials. This technique is often used to maintain unauthorized access to a system even after a reboot. The registry values of interest are \u003ccode\u003eHKLM\\SYSTEM\\*\\ControlSet*\\Control\\Lsa\\Security Packages\u003c/code\u003e and \u003ccode\u003eHKLM\\SYSTEM\\*\\ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages\u003c/code\u003e. Successful exploitation allows the attacker to intercept and manipulate authentication credentials, including the plaintext passwords that LSASS passes to security packages during logon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through an exploit or compromised credentials (not detailed in source).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain administrative rights on the system and writes a malicious DLL to \u003ccode\u003e%SystemRoot%\\System32\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry value \u003ccode\u003eHKLM\\SYSTEM\\*\\ControlSet*\\Control\\Lsa\\Security Packages\u003c/code\u003e to include the name of the malicious DLL.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker modifies the registry value \u003ccode\u003eHKLM\\SYSTEM\\*\\ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages\u003c/code\u003e to include the name of the malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a system reboot (LSASS cannot be restarted on its own; terminating it forces a reboot) or calls the \u003ccode\u003eAddSecurityPackage\u003c/code\u003e API to load the package immediately, causing the malicious SSP DLL to 
be loaded.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL intercepts authentication credentials and exfiltrates them or performs other malicious actions.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the system, even after reboots.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to achieve persistence and potentially compromise sensitive credentials handled by LSASS. This can lead to lateral movement within the network, data exfiltration, and further system compromise. The impact is significant as it bypasses standard security measures and provides a persistent foothold for malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious SSP Registry Modification\u0026rdquo; to your SIEM to detect unauthorized modifications to SSP registry keys.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging (Event ID 13, value set) for the \u003ccode\u003eControl\\Lsa\u003c/code\u003e key to provide the necessary data for the Sigma rule to function.\u003c/li\u003e\n\u003cli\u003eContinuously monitor for unexpected processes writing to the \u003ccode\u003eHKLM\\SYSTEM\\*\\ControlSet*\\Control\\Lsa\\Security Packages\u003c/code\u003e and \u003ccode\u003eHKLM\\SYSTEM\\*\\ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages\u003c/code\u003e registry values, and on alert compare the new package list with the previous one to identify the added entry and the DLL it refers to.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate software installers that frequently modify these registry entries to reduce false positives as mentioned in the brief.\u003c/li\u003e\n\u003cli\u003eEnsure access controls and permissions are strictly enforced to limit unauthorized modification of critical registry paths related to Security Support Providers.\u003c/li\u003e\n\u003cli\u003eEnable LSA protection (\u003ccode\u003eRunAsPPL\u003c/code\u003e) where supported: with LSASS running as a protected process only Microsoft-signed security packages can be loaded, so an unsigned malicious package listed in the registry will fail to load, although the registry write itself still warrants investigation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-ssp-registry-modification/","summary":"Adversaries may modify 
the Windows Security Support Provider (SSP) configuration in the registry to establish persistence or evade defenses.","title":"Suspicious Modifications to Windows Security Support Provider (SSP) Registry","url":"https://feed.craftedsignal.io/briefs/2024-01-ssp-registry-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Antimalware Service Executable","Windows Defender","Microsoft Security Client","Elastic Defend","CrowdStrike Falcon","Microsoft Defender XDR","Sysmon"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","Elastic"],"content_html":"\u003cp\u003eThis detection identifies suspicious execution of the Microsoft Antimalware Service Executable (MsMpEng.exe) from non-standard paths or renamed instances. MsMpEng.exe is a Microsoft-signed binary that loads \u003ccode\u003empsvc.dll\u003c/code\u003e from its own directory; an attacker who copies the executable to a directory they control and places a malicious \u003ccode\u003empsvc.dll\u003c/code\u003e beside it gets their code running inside a process that is signed by Microsoft and looks like the antivirus engine (DLL side-loading), which many controls and analysts treat as trusted. Attackers may also rename the copy to hide it, or drop an unrelated binary named MsMpEng.exe to masquerade as the antimalware process. This rule is designed to detect instances where MsMpEng.exe is executed from unexpected locations or has been renamed (the on-disk name differs from the executable\u0026rsquo;s original file name), potentially indicating malicious activity. The rule leverages process monitoring data to identify deviations from the expected execution patterns of the antimalware service. 
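The AT command, root certificate and SSP briefs above all reduce to the same kind of check: a Sysmon Event ID 13 (registry value set) record whose TargetObject matches a known path, sometimes with a condition on the new data. The following is an added example that evaluates those three briefs' paths together; it is not code from the briefs, from Elastic or from Sysmon. Field names follow Sysmon (Image, TargetObject, Details). The sample events and the benign-writer allowlist are constructed assumptions for this example, and for the REG_MULTI_SZ Security Packages value the example reports the write without parsing Details, since Sysmon's rendering of multi-string data is not something to depend on.

```python
"""Evaluate Sysmon registry value-set events against the AT, root certificate
and SSP registry paths.

Added example; not code from the briefs, from Elastic or from Sysmon. Sample
events and the allowlist are constructed assumptions.
"""
import fnmatch
import re

# Sysmon normally reports HKLM/HKU; some feeds pass native hive names through.
HIVE_ALIASES = {"\\registry\\machine": "hklm", "\\registry\\user": "hku"}


def normalize(target: str) -> str:
    """Lower-case a registry path and fold native hive names to hklm/hku."""
    path = target.lower()
    for native, short in HIVE_ALIASES.items():
        if path.startswith(native):
            return short + path[len(native):]
    return path


def dword(details: str):
    """Parse Sysmon's 'DWORD (0x00000001)' rendering; None if not a DWORD."""
    match = re.search(r"dword \(0x([0-9a-f]{8})\)", details.lower())
    return int(match.group(1), 16) if match else None


# (rule name, glob over the normalised TargetObject, optional predicate on Details)
RULES = [
    ("AT command enabled via EnableAt",
     r"hklm\software\microsoft\windows nt\currentversion\schedule\configuration\enableat",
     lambda details: dword(details) == 1),          # a reset to 0 is not an enable
    ("Root certificate written to machine store",
     r"hklm\software\microsoft\systemcertificates\root\certificates\*\blob", None),
    ("Root certificate written to policy store",
     r"hklm\software\policies\microsoft\systemcertificates\root\certificates\*\blob", None),
    ("SSP package list modified",
     r"hklm\system\*controlset*\control\lsa\security packages", None),
    ("SSP package list modified (OSConfig)",
     r"hklm\system\*controlset*\control\lsa\osconfig\security packages", None),
]


def evaluate(event: dict, allow_images=()):
    """Return the first matching rule name for an Event ID 13 record, else None."""
    image = event.get("Image", "").lower()
    if image in {a.lower() for a in allow_images}:
        return None
    target = normalize(event.get("TargetObject", ""))
    details = event.get("Details", "")
    for name, pattern, predicate in RULES:
        if fnmatch.fnmatchcase(target, pattern) and (predicate is None or predicate(details)):
            return name
    return None


def triage(events, allow_images=()):
    """Return (rule name, writing process) for every event that matches a rule."""
    findings = []
    for event in events:
        name = evaluate(event, allow_images)
        if name:
            findings.append((name, event.get("Image", "")))
    return findings


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration\EnableAt",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration\EnableAt",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob",
     "Details": "Binary Data"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Security Packages",
     "Details": "kerberos msv1_0 schannel wdigest tspkg pku2u badssp"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for name, image in triage(SAMPLE_EVENTS):
        print(f"{name}: written by {image}")
```

Three of the five constructed events are reported: the EnableAt write that sets the value to 1, the certificate Blob written by certutil.exe, and the Security Packages write given in native `\REGISTRY\MACHINE` form. The write that resets EnableAt to 0 and the unrelated HKCU write are ignored. The allowlist exists for writers you have verified, such as a configuration-management agent that deploys your own roots; keep it short, because an attacker running under an allowlisted image name is exactly what these briefs are about.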
This behavior has been seen associated with ransomware attacks, such as REvil.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious payload onto the system, placing it in a non-standard directory, such as a temporary folder or a user\u0026rsquo;s profile directory.\u003c/li\u003e\n\u003cli\u003eThe attacker renames or copies the legitimate MsMpEng.exe to the malicious payload\u0026rsquo;s location.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the renamed or copied MsMpEng.exe from the non-standard location. This is intended to mimic legitimate activity and evade detection.\u003c/li\u003e\n\u003cli\u003eThe malicious MsMpEng.exe then loads a malicious DLL through DLL side-loading, which executes arbitrary code within the context of the antimalware process.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs actions such as disabling security controls, escalating privileges, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised system to move laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete system compromise, including the disabling of security controls, data theft, and ransomware deployment. This can result in significant financial losses, reputational damage, and disruption of business operations. Identifying and responding to this type of attack is critical to prevent further damage. 
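The two conditions the MsMpEng.exe brief describes, as an added example against Sysmon Event ID 1 (process creation) records; this is not code from the brief, from Sophos or from Microsoft. The first condition is an image named MsMpEng.exe whose directory is not one of the locations Defender installs to; the second is an image whose OriginalFileName (the name embedded in the PE version resource, which Sysmon reports) is MsMpEng.exe while its on-disk name differs. The expected-directory list and the sample events are assumptions for this example; the versioned ProgramData platform folder is matched with a glob because its name changes with every platform update.

```python
"""Flag MsMpEng.exe started from an unexpected directory, or a renamed copy of it.

Added example, not code from the brief, from Sophos or from Microsoft. The
expected-directory list and the sample events are assumptions.
"""
import fnmatch
import ntpath

EXPECTED_DIRS = [  # assumption: where Defender / Security Client place the engine
    r"c:\program files\windows defender",
    r"c:\program files\microsoft security client",
    r"c:\programdata\microsoft\windows defender\platform\*",
]


def check_msmpeng(event: dict):
    """Return a short reason if the event looks like MsMpEng.exe abuse, else None."""
    # normpath collapses '..' so a path such as ...\Platform\..\..\Public cannot
    # slip past the directory glob.
    image = ntpath.normpath(event.get("Image", ""))
    name = ntpath.basename(image).lower()
    directory = ntpath.dirname(image).lower()
    original = event.get("OriginalFileName", "").lower()
    if name == "msmpeng.exe":
        if any(fnmatch.fnmatchcase(directory, pattern) for pattern in EXPECTED_DIRS):
            return None
        return "MsMpEng.exe executed from unexpected path"
    if original == "msmpeng.exe":
        return "renamed MsMpEng.exe executed as " + name
    return None


def triage(events):
    """Return (reason, image) for each event that fails the checks."""
    findings = []
    for event in events:
        reason = check_msmpeng(event)
        if reason:
            findings.append((reason, event.get("Image", "")))
    return findings


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23110.3-0\MsMpEng.exe",
     "OriginalFileName": "MsMpEng.exe"},
    {"Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "OriginalFileName": "MsMpEng.exe"},
    {"Image": r"C:\Users\Public\Libraries\MsMpEng.exe",
     "OriginalFileName": "MsMpEng.exe"},
    {"Image": r"C:\Users\Public\Libraries\svchost.exe",
     "OriginalFileName": "MsMpEng.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for reason, image in triage(SAMPLE_EVENTS):
        print(f"{reason}: {image}")
```

The two Defender-owned locations pass; the copy in Users\Public\Libraries is reported by path, and the copy renamed to svchost.exe is reported by its OriginalFileName. A flagged process is worth pairing with its Event ID 7 image loads to see which mpsvc.dll it picked up and whether that DLL carries a Microsoft signature.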
The Sophos article references the REvil ransomware attack which impacted hundreds of businesses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture process execution events, including image path, command-line arguments and \u003ccode\u003eOriginalFileName\u003c/code\u003e, which are essential for detecting this behavior.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious MsMpEng.exe execution from unusual paths or renamed instances.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules to determine the legitimacy of the MsMpEng.exe execution and identify any potential malicious activity; check which \u003ccode\u003empsvc.dll\u003c/code\u003e the process loaded and whether that DLL is signed by Microsoft.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for instances where the process name is \u0026ldquo;MsMpEng.exe\u0026rdquo; but the executable path is outside the standard Windows Defender directories (\u003ccode\u003eC:\\Program Files\\Windows Defender\u003c/code\u003e and the versioned \u003ccode\u003eC:\\ProgramData\\Microsoft\\Windows Defender\\Platform\u003c/code\u003e folders) or the Microsoft Security Client directory, and for instances where \u003ccode\u003eOriginalFileName\u003c/code\u003e is MsMpEng.exe but the process name is something else.\u003c/li\u003e\n\u003cli\u003eReview the references provided for additional context and guidance on investigating this type of activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-windefend-unusual-path/","summary":"Detects suspicious execution of the Microsoft Antimalware Service Executable (MsMpEng.exe) from non-standard paths or renamed instances, which may indicate an attempt to evade defenses through DLL side-loading or masquerading.","title":"Suspicious Microsoft Antimalware Service Executable Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-windefend-unusual-path/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic 
Endpoint","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","remote-access","windows"],"_cs_type":"advisory","_cs_vendors":["TeamViewer","LogMeIn","AnyDesk","ScreenConnect","ConnectWise","Splashtop","Zoho","RustDesk","n-able","Kaseya","BeyondTrust","Tailscale","JumpCloud","VNC","Datto","Auvik","SyncroMSP","Pulseway","NinjaOne","Liongard","Naverisk","Panorama9","Tactical RMM","MeshCentral","ISL Online","Goverlan","Iperius","Remotix","Mikogo","Action1","Elastic"],"content_html":"\u003cp\u003eThis detection identifies DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains originating from processes that are not web browsers. This activity can indicate the use of legitimate RMM tools for malicious purposes, such as command and control, persistence, or lateral movement within a network. The detection aims to surface RMM clients, scripts, or other non-browser activities contacting these services without legitimate user interaction. Defenders should investigate processes making these queries to confirm expected behavior and validate the security posture of their managed assets. 
The rule is based on a list of known RMM domains and excludes common browser processes, since users routinely visit vendor sites in a browser; the signal is a non-browser process, typically the RMM agent itself or a script that downloads it, resolving those domains.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows host through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys or leverages an existing RMM tool on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe RMM tool, running as a non-browser process, issues a DNS query for the vendor\u0026rsquo;s relay or broker infrastructure (e.g., a teamviewer.com host), which then serves as the attacker\u0026rsquo;s command and control path.\u003c/li\u003e\n\u003cli\u003eThe DNS query is made by a process other than a known web browser (chrome.exe, firefox.exe, etc.).\u003c/li\u003e\n\u003cli\u003eThe compromised host establishes a connection to the resolved IP address associated with the RMM domain.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RMM tool to execute commands, transfer files, or perform other malicious activities on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the RMM tool for lateral movement, pivoting to other systems within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which could include data exfiltration, ransomware deployment, or maintaining persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromise via abused RMM software can lead to full system compromise, data theft, or deployment of ransomware. While the number of affected victims is unknown, the sectors most likely to be impacted include any organization that relies on RMM tools for IT management. 
Successful exploitation allows attackers to bypass traditional security controls by using legitimate software, making detection more challenging.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;DNS Queries to Known RMM Domains from Non-Browser Processes\u0026rdquo; to your SIEM and tune the RMM domain list for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the process responsible for the DNS query and its parent process.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized RMM tools.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon DNS event logging to ensure the necessary data is available for the detection rule.\u003c/li\u003e\n\u003cli\u003eCorrelate with other alerts to identify potential compromises.\u003c/li\u003e\n\u003cli\u003eReview process.code_signature for trusted RMM publishers and investigate any unsigned or unexpected signers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-rmm-dns-non-browser/","summary":"Detection of DNS queries to remote monitoring and management (RMM) domains from non-browser processes indicating potential misuse of legitimate remote access tools for command and control.","title":"Suspicious DNS Queries to RMM Domains from Non-Browser Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-rmm-dns-non-browser/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["persistence","scheduled-task","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThis rule detects the creation of scheduled tasks by Windows scripting engines, a tactic commonly employed by adversaries to establish 
persistence on compromised systems. The activity involves monitoring registry changes related to scheduled task actions and correlating them with script execution. Specifically, it looks for instances where cscript.exe, wscript.exe, powershell.exe, pwsh.exe or powershell_ise.exe load the Task Scheduler COM library (\u003ccode\u003etaskschd.dll\u003c/code\u003e) and a write to a scheduled task\u0026rsquo;s action definition in the TaskCache follows from the same process. Legitimate installers and administration scripts also register tasks from PowerShell, so the rule will need tuning for your environment; what makes an instance worth investigating is a script host creating a task whose action points at a user-writable or temporary directory, or at another script interpreter. Defenders should investigate any instances of this behavior to determine if it is malicious. The rule focuses on Windows environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script (e.g., PowerShell, VBScript) on the target system.\u003c/li\u003e\n\u003cli\u003eThe script interacts with the \u003ccode\u003etaskschd.dll\u003c/code\u003e library (for example through the \u003ccode\u003eSchedule.Service\u003c/code\u003e COM object) to create or modify a scheduled task.\u003c/li\u003e\n\u003cli\u003eA write to the task\u0026rsquo;s action definition under \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions\u003c/code\u003e (the same path appears as \u003ccode\u003e\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions\u003c/code\u003e in native registry notation) follows, defining the command the scheduled task will run.\u003c/li\u003e\n\u003cli\u003eThe scheduled task is configured to execute a malicious payload at a specific time or event.\u003c/li\u003e\n\u003cli\u003eThe scheduled task executes, providing the attacker with persistent access to the system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the persistent access to perform further malicious activities, such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to persistence on the compromised system, allowing attackers to maintain access even after reboots or user logoffs. This can facilitate long-term data theft, deployment of ransomware, or further compromise of the network. The impact depends on the privileges of the account under which the scheduled task runs, potentially granting SYSTEM level access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon ImageLoad events (Event ID 7) to detect when \u003ccode\u003etaskschd.dll\u003c/code\u003e is loaded by scripting engines (powershell.exe, cscript.exe, wscript.exe) as described in the \u003ca href=\"https://ela.st/sysmon-event-7-setup\"\u003eSysmon Event ID 7 setup guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Registry Events to monitor changes to the registry paths associated with scheduled task actions as described in the \u003ca href=\"https://ela.st/sysmon-event-reg-setup\"\u003eSysmon Registry Events setup guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect scheduled task creation by scripting engines and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the specific scripts and scheduled tasks involved.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-scheduled-task-scripting/","summary":"Detection of scheduled task creation by Windows scripting engines like cscript.exe, wscript.exe, or powershell.exe, used by adversaries to establish persistence on compromised systems.","title":"Scheduled Task Creation via Scripting","url":"https://feed.craftedsignal.io/briefs/2024-01-03-scheduled-task-scripting/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic 
Defend","Sysmon","Chrome","Edge","Firefox","Safari","Brave Browser","Opera Browser","Vivaldi Browser","WebView2"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","rmm","dns"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Mozilla","Apple","Brave","Opera","Vivaldi"],"content_html":"\u003cp\u003eThis detection identifies potentially malicious use of Remote Monitoring and Management (RMM) tools by detecting DNS queries to known RMM domains originating from processes that are not web browsers. Attackers frequently abuse legitimate RMM software for command and control, persistence, and lateral movement within compromised networks. This rule focuses on surfacing RMM clients, scripts, or other non-browser activity contacting these services, thereby increasing the likelihood of detecting unauthorized remote access or malicious activity. The rule aims to reduce false positives by excluding common browser processes and focusing on unusual network activity. The identified domains are associated with various RMM tools like TeamViewer, AnyDesk, and ScreenConnect. 
This detection is relevant for organizations concerned about insider threats, supply chain attacks, or general compromise leading to unauthorized remote access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker installs an unauthorized RMM tool (e.g., using a script or installer).\u003c/li\u003e\n\u003cli\u003eThe RMM agent issues a DNS query for the vendor\u0026rsquo;s relay or broker domain (e.g., a teamviewer.com host); the vendor\u0026rsquo;s relay infrastructure, or an attacker-hosted server for self-hosted products, then functions as the command and control channel.\u003c/li\u003e\n\u003cli\u003eThe system, now running the RMM agent, establishes a connection through that infrastructure to the attacker\u0026rsquo;s RMM console.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RMM tool to execute commands on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RMM tool for lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RMM tool to maintain persistence on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromise via unauthorized RMM tools can provide attackers with persistent remote access, enabling them to perform a range of malicious activities, including data theft, ransomware deployment, and further lateral movement within the network. Successful exploitation can lead to significant financial loss, reputational damage, and disruption of business operations. 
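Both RMM briefs on this page (the one above and the earlier "Suspicious DNS Queries to RMM Domains from Non-Browser Processes") describe the same logic, so one added example covers both; it is not code from either brief or from Elastic. It applies the rule to Sysmon Event ID 22 (DnsQuery) records: QueryName is matched as a domain or subdomain of an RMM vendor domain, and queries issued by known browsers are dropped. The domain list here is a short constructed subset (the briefs' full lists are much longer), and the browser list and sample events are likewise assumptions for this example.

```python
"""Flag DNS queries for RMM vendor domains from processes that are not browsers.

Added example, not code from either RMM brief or from Elastic. Domain list,
browser list and sample events are constructed assumptions.
"""
import ntpath

RMM_DOMAINS = {  # constructed subset; the real rule lists many more
    "teamviewer.com", "anydesk.com", "screenconnect.com", "logmein.com",
    "splashtop.com", "rustdesk.com", "ninjaone.com",
}
BROWSERS = {  # assumption: browsers excluded because users visit vendor sites
    "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe",
    "vivaldi.exe", "iexplore.exe", "msedgewebview2.exe",
}


def rmm_domain_for(query_name: str):
    """Return the RMM domain that query_name equals or is a subdomain of, else None.

    Matching label-wise from the right avoids two mistakes a substring test
    makes: 'notanydesk.com' must not match, and 'anydesk.com.evil.example'
    must not match either, while 'relay.anydesk.com' must.
    """
    labels = query_name.lower().rstrip(".").split(".")
    for start in range(len(labels)):
        candidate = ".".join(labels[start:])
        if candidate in RMM_DOMAINS:
            return candidate
    return None


def is_rmm_query_from_non_browser(event: dict) -> bool:
    """True for a DnsQuery event that resolves an RMM domain from a non-browser image."""
    if rmm_domain_for(event.get("QueryName", "")) is None:
        return False
    image = ntpath.basename(event.get("Image", "")).lower()
    return image not in BROWSERS


def triage(events):
    """Return (image name, matched RMM domain) for each alerting event."""
    return [(ntpath.basename(e["Image"]), rmm_domain_for(e["QueryName"]))
            for e in events if is_rmm_query_from_non_browser(e)]


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "www.teamviewer.com"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\TeamViewer.exe",
     "QueryName": "router1.teamviewer.com"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "QueryName": "download.anydesk.com"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "anydesk.com.evil.example"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "notanydesk.com"},
]

if __name__ == "__main__":
    for image, domain in triage(SAMPLE_EVENTS):
        print(f"{image} resolved {domain}")
```

The TeamViewer binary running from a Temp folder and the PowerShell download of AnyDesk are reported; the browser query and the two look-alike domains are not. A sanctioned RMM agent will also fire this check, which is by design: the briefs' advice is to confirm the process signer and install location rather than to suppress the domain.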
The number of affected systems can vary depending on the scope of the initial compromise and the attacker\u0026rsquo;s ability to move laterally.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRMM Domain DNS Queries from Non-Browser Processes\u003c/code\u003e to your SIEM and tune it to your environment, excluding legitimate non-browser processes that use RMM tools.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule, focusing on identifying the process making the DNS query and its parent process, as outlined in the rule\u0026rsquo;s description.\u003c/li\u003e\n\u003cli\u003eMonitor DNS query logs for queries to the RMM domains listed in the IOC table, and block them at the DNS resolver if unauthorized RMM use is confirmed.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 22 (DNS Query) logging to provide the necessary data for this detection, as recommended in the \u0026ldquo;Setup\u0026rdquo; section of the content.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-rmm-domain-dns/","summary":"Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from non-browser processes, potentially indicating unauthorized remote access or command and control activity.","title":"RMM Domain DNS Queries from Non-Browser Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-rmm-domain-dns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Sysmon","Elastic Defend","Elastic Endpoint Security","CrowdStrike Falcon","SentinelOne Cloud Funnel","Windows Security Event 
Logs","winlogbeat"],"_cs_severities":["medium"],"_cs_tags":["persistence","execution","windows","wmi"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eWindows Management Instrumentation (WMI) provides a powerful framework for managing Windows systems, but adversaries can abuse its capabilities to establish persistence. By creating WMI event subscriptions, attackers can execute arbitrary code in response to defined system events. A subscription consists of three objects in the \u003ccode\u003eroot\\subscription\u003c/code\u003e namespace: an \u003ccode\u003e__EventFilter\u003c/code\u003e holding a WQL query that selects the triggering event, an event consumer that defines the action, and a \u003ccode\u003e__FilterToConsumerBinding\u003c/code\u003e that links the two. The objects live in the WMI repository and the consumer runs as SYSTEM, so the subscription survives reboots without a dropped executable or an autorun entry. The objects can be created with \u003ccode\u003ewmic.exe\u003c/code\u003e, which allows the creation of event consumers such as \u003ccode\u003eActiveScriptEventConsumer\u003c/code\u003e (runs VBScript or JScript) or \u003ccode\u003eCommandLineEventConsumer\u003c/code\u003e (runs a command line), but equally from PowerShell or a compiled MOF file, so a rule keyed on \u003ccode\u003ewmic.exe\u003c/code\u003e covers only one of the creation paths. Successful exploitation of WMI for persistence allows attackers to maintain unauthorized access to a compromised system, even after reboots or other system changes. 
This activity has been observed across various environments, highlighting the need for robust detection mechanisms to identify and prevent WMI-based persistence.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ewmic.exe\u003c/code\u003e to create a WMI event filter that defines a specific event to monitor.\u003c/li\u003e\n\u003cli\u003eA WMI event consumer, such as \u003ccode\u003eActiveScriptEventConsumer\u003c/code\u003e or \u003ccode\u003eCommandLineEventConsumer\u003c/code\u003e, is created using \u003ccode\u003ewmic.exe\u003c/code\u003e specifying the malicious code or script to execute when the event occurs.\u003c/li\u003e\n\u003cli\u003eA WMI binding is established between the event filter and the event consumer using \u003ccode\u003ewmic.exe\u003c/code\u003e, linking the event to the action.\u003c/li\u003e\n\u003cli\u003eThe malicious WMI event subscription is activated, monitoring for the defined event.\u003c/li\u003e\n\u003cli\u003eWhen the specified event occurs, the WMI service triggers the execution of the associated malicious code or script through the event consumer.\u003c/li\u003e\n\u003cli\u003eThe attacker gains persistent access to the system, as the WMI event subscription will re-activate after reboots.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform additional malicious activities, such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of WMI for persistence can allow an attacker to maintain long-term, unauthorized access to a compromised system. This can result in data theft, system compromise, and further malicious activities. 
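The three wmic.exe invocations in the attack chain above, filter, consumer and binding, arrive as three separate process-creation events; what an analyst wants is the joined-up subscription. The following added example (not the brief's Sigma rule, and not code from Microsoft) checks each Sysmon Event ID 1 or Security 4688 record for wmic.exe creating an object in root\subscription, classifies it by stage, and joins the stages through the names the binding references. The sample command lines are constructed for this example (assumption); the namespace, class names and CREATE verb are wmic's own syntax, and the backslash-escaped inner quotes in the binding are how that command is typed at cmd.exe.

```python
"""Correlate wmic.exe process-creation events into WMI subscription chains.

Added example; not the brief's Sigma rule and not Microsoft code. Sample
command lines are constructed assumptions.
"""
import ntpath
import re

CLASS_STAGES = {
    "__eventfilter": "filter",
    "commandlineeventconsumer": "consumer",
    "activescripteventconsumer": "consumer",
    "__filtertoconsumerbinding": "binding",
}


def classify(event: dict):
    """Return (stage, class) when wmic.exe creates a subscription object, else None."""
    if ntpath.basename(event.get("Image", "")).lower() != "wmic.exe":
        return None
    cmd = event.get("CommandLine", "").lower()
    if "root\\subscription" not in cmd or not re.search(r"\bcreate\b", cmd):
        return None
    match = re.search(r"\bpath\s+([a-z_]+)", cmd)   # class follows the PATH keyword
    if not match or match.group(1) not in CLASS_STAGES:
        return None
    return CLASS_STAGES[match.group(1)], match.group(1)


def _field(cmd: str, key: str):
    """Extract key="value" from a wmic CREATE argument list (case-insensitive)."""
    match = re.search(r"\b" + key + r'="([^"]*)"', cmd, re.IGNORECASE)
    return match.group(1) if match else None


def summarize(events):
    """Join filter, consumer and binding events into one chain per binding.

    Each chain carries the filter name and WQL query, the consumer name,
    class and action. Pieces created by another tool, or outside the
    collection window, are left as None so the chain is still reported.
    """
    filters, consumers, bindings = {}, {}, []
    for event in events:
        hit = classify(event)
        if not hit:
            continue
        stage, cls = hit
        cmd = event["CommandLine"]
        if stage == "filter":
            filters[_field(cmd, "Name")] = _field(cmd, "Query")
        elif stage == "consumer":
            action = _field(cmd, "CommandLineTemplate") or _field(cmd, "ScriptText")
            consumers[_field(cmd, "Name")] = (cls, action)
        else:  # binding: Filter="__EventFilter.Name=\"f\"", Consumer="...EventConsumer.Name=\"c\""
            flt = re.search(r'__EventFilter\.Name=\\?"([^"\\]+)', cmd, re.IGNORECASE)
            con = re.search(r'EventConsumer\.Name=\\?"([^"\\]+)', cmd, re.IGNORECASE)
            bindings.append((flt.group(1) if flt else None, con.group(1) if con else None))
    chains = []
    for flt_name, con_name in bindings:
        cls, action = consumers.get(con_name, (None, None))
        chains.append({"filter": flt_name, "query": filters.get(flt_name),
                       "consumer": con_name, "consumer_class": cls, "action": action})
    return chains


SAMPLE_EVENTS = [  # constructed command lines, not real telemetry
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'''wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="ExampleFilter", EventNameSpace="root\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"'''},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'''wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="ExampleConsumer", CommandLineTemplate="C:\Windows\System32\cmd.exe /c powershell -NoP -W Hidden -File C:\Users\Public\stage.ps1"'''},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'''wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"ExampleFilter\"", Consumer="CommandLineEventConsumer.Name=\"ExampleConsumer\""'''},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'''wmic /NAMESPACE:"\\root\cimv2" PATH Win32_Process CALL Create "notepad.exe"'''},
]

if __name__ == "__main__":
    for chain in summarize(SAMPLE_EVENTS):
        print(chain)
```

The fourth command line uses CREATE in root\cimv2 and is ignored; the other three collapse into one chain showing the WQL trigger, the consumer class and the exact command the consumer will run as SYSTEM. Subscriptions created from PowerShell or a MOF file never pass through this check, which is why the brief's broader recommendation to collect Sysmon Event IDs 19, 20 and 21 matters.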
While the exact number of victims is not specified in the source, the broad applicability of this technique means that many Windows systems are potentially at risk. If the attack succeeds, the attacker gains a foothold on the system that is difficult to detect and remove, which can lead to significant operational disruption and financial loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging and monitor for \u003ccode\u003ewmic.exe\u003c/code\u003e with command-line arguments related to creating event consumers, specifically \u003ccode\u003eActiveScriptEventConsumer\u003c/code\u003e or \u003ccode\u003eCommandLineEventConsumer\u003c/code\u003e, to trigger the Sigma rule \u0026ldquo;Detect Suspicious WMIC Process\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious WMI event subscription creation.\u003c/li\u003e\n\u003cli\u003eReview the investigation steps outlined in the provided documentation to triage and analyze potential WMI persistence attempts.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security Event Logs and Sysmon for events related to WMI activity for broader coverage.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wmi-persistence/","summary":"Adversaries can leverage Windows Management Instrumentation (WMI) to establish persistence by creating event subscriptions that trigger malicious code execution when specific events occur, using tools like wmic.exe to create event consumers.","title":"Persistence via WMI Event Subscription","url":"https://feed.craftedsignal.io/briefs/2024-01-wmi-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","SentinelOne Cloud 
Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","defense-evasion","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","Crowdstrike","Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies modifications to the \u003ccode\u003eNullSessionPipe\u003c/code\u003e registry setting in Windows. This setting defines named pipes that can be accessed without authentication, facilitating anonymous connections. Adversaries may exploit this by modifying the registry to enable lateral movement, allowing unauthorized access to network resources. By adding specific pipes to the \u003ccode\u003eNullSessionPipes\u003c/code\u003e registry key, an attacker can make services accessible without requiring authentication. This rule focuses on flagging modifications that introduce new accessible pipes, which could indicate malicious intent. The targeted configuration is located under \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\u003c/code\u003e. The registry key \u003ccode\u003eNullSessionPipes\u003c/code\u003e is of particular interest when its values change.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker gains elevated privileges on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the Windows Registry, specifically the \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\NullSessionPipes\u003c/code\u003e key. 
They add a new pipe name to this key, which will allow unauthenticated access to that named pipe.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify the registry, potentially using commands like \u003ccode\u003ereg add\u003c/code\u003e or \u003ccode\u003eSet-ItemProperty\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA remote system attempts to connect to the newly accessible named pipe on the compromised system without authenticating.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the now-accessible service or application associated with the named pipe to execute commands or transfer data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this access to move laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the \u003ccode\u003eNullSessionPipes\u003c/code\u003e registry setting can lead to unauthorized access to sensitive resources and lateral movement within the network. By enabling anonymous access to named pipes, attackers can potentially bypass authentication mechanisms and gain control over critical systems. While the direct number of victims is not specified, the impact can be significant, particularly in organizations where shared resources and services rely on secure authentication protocols.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Windows Registry auditing to capture changes to the \u003ccode\u003eNullSessionPipes\u003c/code\u003e registry key. 
This will allow you to detect unauthorized modifications as described in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;NullSessionPipe Registry Modification\u0026rdquo; to your SIEM and tune for your environment to identify malicious activity related to named pipe modifications.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the specific named pipes being added or modified in the registry event details, as detailed in the rule\u0026rsquo;s description.\u003c/li\u003e\n\u003cli\u003eRegularly review and validate the legitimacy of existing entries in the \u003ccode\u003eNullSessionPipes\u003c/code\u003e registry key to identify and remove any unauthorized pipes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-nullsessionpipe-modification/","summary":"Attackers modify the NullSessionPipe registry setting in Windows to enable anonymous access to named pipes, potentially facilitating lateral movement and unauthorized access to network resources.","title":"NullSessionPipe Registry Modification for Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-nullsessionpipe-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["low"],"_cs_tags":["lolbin","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAttackers may leverage LOLBINs, signed binaries that are part of the operating system, to perform malicious actions while blending in with legitimate system activity. This technique allows them to evade detection by application allowlists and signature validation. This brief focuses on the abuse of expand.exe, extrac32.exe, ieexec.exe, and makecab.exe to initiate outbound network connections. 
The LOLBINs are used to execute malicious code, download additional payloads, or establish command and control channels. This activity can be indicative of malware installation, data exfiltration, or other malicious post-exploitation activities. Detection is crucial to identify potentially compromised systems and prevent further damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system (e.g., through phishing or exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a signed LOLBIN, such as \u003ccode\u003eexpand.exe\u003c/code\u003e, \u003ccode\u003eextrac32.exe\u003c/code\u003e, \u003ccode\u003eieexec.exe\u003c/code\u003e, or \u003ccode\u003emakecab.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe LOLBIN is used to download or execute a malicious payload from a remote server.\u003c/li\u003e\n\u003cli\u003eThe executed binary establishes a network connection to an external IP address.\u003c/li\u003e\n\u003cli\u003eData exfiltration may occur over the established network connection.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence on the system by scheduling tasks or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging LOLBINs can result in the installation of malware, data theft, or full system compromise. The use of signed binaries makes it more difficult to detect malicious activity, potentially allowing attackers to operate undetected for extended periods. The financial and reputational damage caused by such attacks can be significant. 
While the risk score is low, the potential for defense evasion justifies monitoring.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the provided Sigma rule \u003ccode\u003eNetwork Connection via Signed Binary\u003c/code\u003e to detect suspicious network connections initiated by LOLBINs.\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for instances of \u003ccode\u003eexpand.exe\u003c/code\u003e, \u003ccode\u003eextrac32.exe\u003c/code\u003e, \u003ccode\u003eieexec.exe\u003c/code\u003e, and \u003ccode\u003emakecab.exe\u003c/code\u003e using process creation logging.\u003c/li\u003e\n\u003cli\u003eReview network connection logs for outbound connections initiated by these processes, excluding connections to internal networks based on the provided list of private IP ranges.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of LOLBINs making external network connections, correlating with other suspicious activities on the affected host, as detailed in the \u0026ldquo;Triage and analysis\u0026rdquo; section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-lolbin-network-connection/","summary":"Adversaries can use Living-Off-The-Land Binaries (LOLBINs) such as expand.exe, extrac32.exe, ieexec.exe, and makecab.exe to establish network connections, potentially bypassing security controls and facilitating malicious activities on Windows systems.","title":"LOLBIN Network Connection for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-lolbin-network-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","CrowdStrike FDR","SentinelOne Cloud 
Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["execution","defense-evasion","dll-hijacking"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThis detection identifies potential abuse of the Windows Side-by-Side (SxS) feature to execute malicious code. Attackers can place a malicious DLL file within an application\u0026rsquo;s local SxS folder (application.exe.local) and trick the Windows module loader into prioritizing it over legitimate system DLLs. This technique, known as DLL hijacking or DLL redirection, allows adversaries to gain arbitrary code execution within the context of the targeted application. This technique may be used to bypass security controls, escalate privileges, or establish persistence. The detection focuses on file events related to DLLs within these specific SxS folders.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a legitimate application with an associated SxS folder (application.exe.local).\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a malicious DLL file.\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious DLL file in the application\u0026rsquo;s SxS folder (application.exe.local).\u003c/li\u003e\n\u003cli\u003eA legitimate application attempts to load a DLL.\u003c/li\u003e\n\u003cli\u003eDue to the presence of the malicious DLL in the SxS folder, the Windows module loader prioritizes the attacker\u0026rsquo;s DLL.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL is loaded and executed by the application.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution within the context of the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful 
exploitation can lead to arbitrary code execution within the targeted application\u0026rsquo;s context. This can result in privilege escalation, data theft, system compromise, or the establishment of persistence mechanisms. While the number of directly affected organizations is unknown, this technique can be used against a wide range of applications on Windows systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor file creation events for DLL files in \u003ccode\u003eC:\\*\\*.exe.local\\*.dll\u003c/code\u003e and \u003ccode\u003e\\\\Device\\\\HarddiskVolume*\\\\*\\\\*.exe.local\\\\*.dll\u003c/code\u003e using the provided Sigma rule to detect potential malicious DLL planting.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) to improve visibility into file creation events, as noted in the \u003ca href=\"https://ela.st/sysmon-event-11-setup\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the DLL creation event and the involved application.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-local-sxs-dll-execution/","summary":"This rule detects the creation, modification, or deletion of DLL files within Windows SxS local folders, which could indicate an attempt to execute malicious payloads by abusing shared module loading.","title":"Execution via Local SxS Shared Module","url":"https://feed.craftedsignal.io/briefs/2024-01-03-local-sxs-dll-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Elastic Defend","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["collection","archive","exfiltration","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eAttackers frequently compress and encrypt data 
before exfiltration to reduce the amount of data being sent over the network and to obfuscate the contents. This behavior often indicates a later stage of intrusion where the attacker has already collected sensitive data and is preparing to move it out of the environment. The use of archiving tools like WinRAR and 7-Zip with encryption flags can help attackers to hide their activities, making it more difficult for defenders to identify and respond to data theft. This technique has been observed in multiple threat actors including Turla as documented by WeLiveSecurity. This brief focuses on detecting command-line activity indicative of archive creation with encryption using WinRAR or 7-Zip on Windows systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the system through methods such as phishing, exploiting vulnerabilities, or using stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker attempts to obtain credentials using techniques such as Mimikatz or credential dumping.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker performs reconnaissance to identify sensitive data and systems of interest.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Collection:\u003c/strong\u003e The attacker gathers sensitive data from various locations on the compromised system or network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArchive Creation:\u003c/strong\u003e The attacker uses WinRAR or 7-Zip to create an encrypted archive of the collected data using command-line arguments like \u003ccode\u003e-hp\u003c/code\u003e, \u003ccode\u003e-p\u003c/code\u003e, \u003ccode\u003e/hp\u003c/code\u003e, or \u003ccode\u003e/p\u003c/code\u003e with \u003ccode\u003erar.exe\u003c/code\u003e or 
\u003ccode\u003eWinRAR.exe\u003c/code\u003e or \u003ccode\u003e-p*\u003c/code\u003e with \u003ccode\u003e7z.exe\u003c/code\u003e or \u003ccode\u003e7za.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Staging:\u003c/strong\u003e The encrypted archive is moved to a staging location, such as a temporary directory or removable media.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration:\u003c/strong\u003e The attacker exfiltrates the encrypted archive from the network using various methods, such as FTP, SCP, or cloud storage services.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCovering Tracks:\u003c/strong\u003e The attacker deletes the archive from the staging location to remove evidence of the activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the exfiltration of sensitive data, including personally identifiable information (PII), financial records, intellectual property, and other confidential information. This can result in significant financial losses, reputational damage, legal liabilities, and regulatory fines for the victim organization. 
The number of victims and specific sectors targeted will vary depending on the attacker\u0026rsquo;s objectives and the nature of the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Encrypting Files with WinRar or 7z - CommandLine\u0026rdquo; to your SIEM to detect the execution of WinRAR or 7-Zip with encryption parameters (rule:Detect Encrypting Files with WinRar or 7z - CommandLine).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments in Sysmon to ensure the necessary data is available for detection (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules to determine the scope and impact of the potential data exfiltration attempt (rule:Detect Encrypting Files with WinRar or 7z - CommandLine).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual outbound connections, particularly to cloud storage services or other external destinations, that may indicate data exfiltration.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-winrar-7zip-encryption/","summary":"Adversaries use WinRAR or 7-Zip with encryption options to compress and protect stolen data before exfiltration, making detection more challenging.","title":"Detection of Encrypted Archive Creation with WinRAR or 7-Zip","url":"https://feed.craftedsignal.io/briefs/2024-01-winrar-7zip-encryption/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Sysmon","Elastic Endgame","Elastic Defend","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","command-line","unicode","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers are 
increasingly employing Unicode modifier letters to obfuscate command-line arguments, thereby bypassing traditional string-based detection mechanisms. This technique involves replacing standard ASCII characters with visually similar Unicode characters, making it difficult for simple pattern-matching rules to identify malicious commands. The obfuscation targets common Windows utilities such as \u003ccode\u003ereg.exe\u003c/code\u003e, \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003ePowerShell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, and others frequently abused in post-exploitation scenarios. Defenders need to implement more sophisticated detection methods that account for Unicode normalization or character range analysis to identify and mitigate this threat. This technique has become more prevalent in the last year as attackers seek to evade common detection strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eExecution: The attacker executes a command-line utility like \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e to perform malicious actions.\u003c/li\u003e\n\u003cli\u003eObfuscation: The command-line arguments are obfuscated by replacing ASCII characters with Unicode modifier letters.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The obfuscation allows the attacker to evade simple string-based detections that would normally flag the command as malicious.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker may use the obfuscated command to escalate privileges or gain access to sensitive resources.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker may establish persistence by creating a scheduled 
task or modifying the registry using obfuscated commands.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker may use the obfuscated command to move laterally to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful command obfuscation can lead to a significant compromise of Windows systems. Attackers can bypass security controls and execute malicious code undetected, potentially leading to data theft, system disruption, or ransomware deployment. The obfuscation makes it harder for security teams to identify and respond to attacks, increasing the dwell time and potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect the presence of Unicode modifier letters in command lines (references: Sigma rules).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture command-line arguments for analysis (references: Sysmon setup instructions).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule and analyze the raw command lines to identify the true intent of the command (references: Triage and Analysis section of the source).\u003c/li\u003e\n\u003cli\u003eConsider implementing Unicode normalization techniques to remove the obfuscation before analyzing command lines.\u003c/li\u003e\n\u003cli\u003eMonitor the listed processes (\u003ccode\u003ereg.exe\u003c/code\u003e, \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, etc.) 
more closely for suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-unicode-cmd-obfuscation/","summary":"Adversaries use Unicode modifier letters to obfuscate command-line arguments, evading string-based detections on common Windows utilities like PowerShell and cmd.exe.","title":"Command Obfuscation via Unicode Modifier Letters","url":"https://feed.craftedsignal.io/briefs/2024-01-unicode-cmd-obfuscation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["psexec","lateral-movement","execution","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003ePsExec is a legitimate remote administration tool developed by Microsoft as part of the Sysinternals Suite, enabling the execution of commands with both regular and SYSTEM privileges on Windows systems. It functions by executing a service component, \u003ccode\u003ePsexecsvc.exe\u003c/code\u003e, on a remote system, which then runs a specified process and returns the results to the local system. While commonly used by administrators, adversaries frequently abuse PsExec for lateral movement and to execute commands as SYSTEM, effectively disabling defenses and bypassing security protections. This detection identifies instances where the PsExec service component is executed using a custom name, a tactic employed to evade security controls or detections targeting the default PsExec service component name. 
The rule was last updated on 2026-05-04 and covers Elastic Defend, Windows, M365 Defender, and Crowdstrike data sources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network (e.g., via phishing or exploiting a public-facing application).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a renamed version of \u003ccode\u003epsexesvc.exe\u003c/code\u003e to a compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool like the standard \u003ccode\u003ePsExec.exe\u003c/code\u003e to initiate a remote connection to a target system.\u003c/li\u003e\n\u003cli\u003ePsExec attempts to copy the renamed \u003ccode\u003epsexesvc.exe\u003c/code\u003e to the ADMIN$ share on the target system.\u003c/li\u003e\n\u003cli\u003eThe renamed \u003ccode\u003epsexesvc.exe\u003c/code\u003e is executed as a service on the remote host.\u003c/li\u003e\n\u003cli\u003eThe renamed service executes commands specified by the attacker with SYSTEM privileges.\u003c/li\u003e\n\u003cli\u003eThe results of the commands are returned to the originating system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the command execution for lateral movement, data exfiltration, or further compromise of the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to complete compromise of the target system and potentially the entire network. By executing commands with SYSTEM privileges, attackers can disable security controls, install malware, steal sensitive data, or move laterally to other critical systems. 
The use of a renamed PsExec executable demonstrates an attempt to evade detection, increasing the likelihood of a successful breach.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Process Execution via Renamed PsExec Executable\u0026rdquo; to your SIEM and tune for your environment to detect the execution of renamed \u003ccode\u003epsexesvc.exe\u003c/code\u003e executables.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the necessary process execution details for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule promptly, focusing on the commands executed and the target systems involved.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege to minimize the potential impact of compromised accounts.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for SMB connections originating from unusual or untrusted systems, which could indicate PsExec usage.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-renamed-psexec/","summary":"Detects suspicious PsExec activity where the PsExec service component is executed using a custom name, indicating an attempt to evade detections that look for the default PsExec service component name.","title":"Suspicious Process Execution via Renamed PsExec Executable","url":"https://feed.craftedsignal.io/briefs/2024-01-renamed-psexec/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","iis","httplogging","appcmd","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers with access to an Internet 
Information Services (IIS) server, potentially through a webshell or other compromised entry point, may disable HTTP logging as a defense evasion technique. This is typically achieved by using the \u003ccode\u003eappcmd.exe\u003c/code\u003e utility with specific arguments to modify the IIS configuration, preventing the server from recording HTTP requests and responses. Disabling logging makes it significantly harder for defenders to detect malicious activity, trace attacker actions, and perform effective incident response. This activity is a common tactic employed by threat actors to obscure their presence and maintain persistence within a compromised environment, particularly when deploying webshells or conducting lateral movement. This behavior is typically observed post-exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the IIS server, possibly via a webshell or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker executes \u003ccode\u003eappcmd.exe\u003c/code\u003e to modify the IIS configuration.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eappcmd.exe\u003c/code\u003e command includes arguments to disable HTTP logging, such as \u003ccode\u003e/dontLog*:*True\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe command targets specific sites, applications, or the entire server depending on the attacker\u0026rsquo;s objectives.\u003c/li\u003e\n\u003cli\u003eIIS configuration files, such as \u003ccode\u003eapplicationHost.config\u003c/code\u003e or \u003ccode\u003eweb.config\u003c/code\u003e, are modified to reflect the changes.\u003c/li\u003e\n\u003cli\u003eHTTP logging is disabled, preventing the server from recording HTTP requests and responses.\u003c/li\u003e\n\u003cli\u003eAttacker performs malicious activities, such as deploying webshells, without generating HTTP logs.\u003c/li\u003e\n\u003cli\u003eAttacker maintains persistence and 
evades detection by preventing forensic analysis.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of IIS HTTP logging can severely impair incident response capabilities. Organizations may be unable to detect malicious activity within their web infrastructure, leading to prolonged compromises and increased damage. This technique can be particularly damaging when attackers deploy webshells or conduct lateral movement within the network. Without HTTP logs, tracing attacker actions and identifying compromised systems becomes significantly more challenging. The impact can range from data breaches to system downtime and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;IIS HTTP Logging Disabled via AppCmd\u0026rdquo; to your SIEM to detect when \u003ccode\u003eappcmd.exe\u003c/code\u003e is used to disable HTTP logging.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with Event ID 1 to capture the execution of \u003ccode\u003eappcmd.exe\u003c/code\u003e with the relevant arguments, enabling detection via the Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent process of \u003ccode\u003eappcmd.exe\u003c/code\u003e and the user account under which it was executed.\u003c/li\u003e\n\u003cli\u003eMonitor for modifications to IIS configuration files (\u003ccode\u003eapplicationHost.config\u003c/code\u003e, \u003ccode\u003eweb.config\u003c/code\u003e) to detect unauthorized changes to logging settings.\u003c/li\u003e\n\u003cli\u003eRegularly review and validate the configuration of IIS HTTP logging to ensure it remains enabled and properly 
configured.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-iis-http-logging-disabled/","summary":"An attacker with IIS server access can disable HTTP Logging using `appcmd.exe` to evade defenses and prevent forensic analysis, as detected by the execution of `appcmd.exe` with arguments to disable logging.","title":"IIS HTTP Logging Disabled via AppCmd","url":"https://feed.craftedsignal.io/briefs/2024-01-iis-http-logging-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","Sysmon","CrowdStrike Falcon","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","persistence","windows","attrib.exe"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers can add the \u0026lsquo;hidden\u0026rsquo; attribute to files to hide them from the user in an attempt to evade detection. This technique involves using the \u003ccode\u003eattrib.exe\u003c/code\u003e utility to modify file attributes. By setting the hidden attribute, adversaries can conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it. This tactic is often employed post-compromise to maintain a stealthy presence within the target environment. Detection focuses on monitoring process executions that involve \u003ccode\u003eattrib.exe\u003c/code\u003e with command-line arguments indicating the modification of the hidden attribute. 
The rule is designed for data generated by Elastic Defend, CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a Windows system through various means such as exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges to gain the necessary permissions to execute system utilities.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker uses \u003ccode\u003eattrib.exe\u003c/code\u003e to modify the hidden attribute of a malicious file or directory. For example, \u003ccode\u003eattrib.exe +h C:\\path\\to\\malicious\\file.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eConcealment: The malicious file or directory is now hidden from normal directory listings, making it harder for users and administrators to detect.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence by hiding malicious scripts or executables in startup directories or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the hidden files to move laterally within the network, potentially using them as part of a larger attack campaign.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of this attack includes prolonged attacker presence, increased difficulty in detecting malicious activity, and potential data exfiltration or system compromise. While the risk score is relatively low, the technique contributes to a broader attack chain and can significantly hinder incident response efforts. 
Successfully hiding artifacts in this way might lead to further compromise, data breaches, or ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Adding Hidden File Attribute via Attrib\u0026rdquo; to your SIEM to detect suspicious usage of \u003ccode\u003eattrib.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line monitoring in Windows environments to ensure the Sigma rule can capture relevant events.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent processes and target files to determine if the activity is legitimate.\u003c/li\u003e\n\u003cli\u003eCorrelate detections of \u003ccode\u003eattrib.exe\u003c/code\u003e with other suspicious activities or alerts on the same host.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring to detect unauthorized changes to file attributes, including the hidden attribute.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-attrib-hidden-file/","summary":"Adversaries can use attrib.exe to add the 'hidden' attribute to files to hide them from users and evade detection, which can be detected by monitoring process executions related to attrib.exe.","title":"Adding Hidden File Attribute via Attrib.exe","url":"https://feed.craftedsignal.io/briefs/2024-01-03-attrib-hidden-file/"}],"language":"en","title":"CraftedSignal Threat Feed — Sysmon","version":"https://jsonfeed.org/version/1.1"}