https://feed.craftedsignal.io/products/teams/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 05 Sep 2024 14:17:05 +0000https://feed.craftedsignal.io/briefs/2024-09-msiexec-persistence/Thu, 05 Sep 2024 14:17:05 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-09-msiexec-persistence/Adversaries may establish persistence by abusing the Windows Installer (msiexec.exe) to create scheduled tasks or modify registry run keys, allowing for malicious code execution upon system startup or user logon.The Windows Installer (msiexec.exe) is a legitimate system tool used for installing, updating, and removing software on Windows systems. Adversaries can abuse msiexec.exe to establish persistence mechanisms by creating malicious scheduled tasks or modifying registry run keys. This allows them to execute arbitrary code during system startup or user logon. This technique is attractive to attackers due to msiexec.exe being a trusted Windows binary, potentially evading detection by security solutions that focus on flagging unknown or suspicious processes. The use of msiexec.exe for persistence can be difficult to detect without specific monitoring rules, as it is a common and legitimate system process. This activity can be observed across various Windows versions and is frequently integrated into automated attack frameworks and scripts.

Attack Chain

1. An attacker gains initial access to a compromised system, potentially through phishing, exploitation of a vulnerability, or stolen credentials.
2. The attacker leverages msiexec.exe to create a new scheduled task using the schtasks.exe command, setting it to execute a malicious script or binary.
3. Alternatively, the attacker uses msiexec.exe in conjunction with reg.exe or PowerShell to modify registry keys under HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\Run, adding a pointer to their malicious executable.
4. The created scheduled task or registry entry points to a malicious payload, such as a reverse shell or a downloader.
5. The system is restarted, or the user logs on, triggering the execution of the newly created scheduled task or the malicious binary through the modified registry run key.
6. The malicious payload executes, establishing a persistent foothold for the attacker on the compromised system.
7. The attacker can now perform further actions, such as data exfiltration, lateral movement, or deployment of ransomware.

Impact

Successful exploitation allows the adversary to maintain persistent access to the compromised system. This can lead to data theft, system compromise, deployment of ransomware, or use of the system as a staging point for further attacks within the network. A single compromised system can be used to pivot and compromise additional systems, leading to a widespread security breach. The impact can include financial losses, reputational damage, and disruption of business operations.

Recommendation

• Monitor process creation events for msiexec.exe spawning schtasks.exe or reg.exe to create scheduled tasks or modify registry run keys (reference: rules in this brief).
• Implement and tune the Sigma rules provided in this brief to detect suspicious msiexec.exe activity related to persistence mechanisms.
• Review and audit existing scheduled tasks and registry run keys for any suspicious entries or anomalies.
• Enable file integrity monitoring (FIM) on critical system directories, including the Windows Task Scheduler directory and registry run key locations (reference: event.category == “file” and file.path … and event.category == “registry” and registry.path … in the rule query).
• Implement application control policies to restrict the execution of unauthorized or unknown executables (reference: rule query).

]]>mediumadvisorypersistencedefense-evasionwindowshttps://feed.craftedsignal.io/briefs/2024-01-masquerading-communication-apps/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-masquerading-communication-apps/Attackers may attempt to evade defenses by masquerading malicious processes as legitimate communication applications such as Slack, WebEx, Teams, Discord, RocketChat, Mattermost, WhatsApp, Zoom, Outlook and Thunderbird.Attackers may attempt to evade defenses by masquerading malicious processes as legitimate communication applications. This involves using names and icons that resemble trusted applications like Slack, WebEx, Teams, Discord, RocketChat, Mattermost, WhatsApp, Zoom, Outlook and Thunderbird to trick users and bypass security measures. This technique can be used to conceal malicious activity, bypass allowlists, or trick users into executing malware. The detection rule identifies suspicious instances by checking for unsigned or improperly signed processes, ensuring they match known trusted signatures, which helps in flagging potential threats that mimic trusted communication tools.

Attack Chain

1. An attacker gains initial access to a Windows system through various means such as phishing or exploiting a vulnerability.
2. The attacker deploys a malicious executable onto the compromised system.
3. The attacker renames the malicious executable to resemble a legitimate communication application, such as “slack.exe” or “Teams.exe”.
4. The attacker modifies or removes the code signature of the malicious executable to avoid detection based on trusted publishers.
5. The attacker executes the renamed and potentially unsigned malicious executable.
6. The masqueraded process performs malicious actions, such as establishing a reverse shell or downloading additional payloads.
7. The attacker uses the compromised system to move laterally within the network, escalating privileges and compromising additional systems.
8. The final objective is to exfiltrate sensitive data or deploy ransomware.

Impact

Successful masquerading attacks can lead to significant security breaches, including data theft, system compromise, and financial loss. By disguising malicious processes as legitimate communication apps, attackers can bypass security controls and operate undetected for extended periods. This can result in widespread damage and disruption, as well as reputational damage for the targeted organization. The impact can range from a few compromised systems to a complete network takeover, depending on the attacker’s objectives and the effectiveness of the masquerading technique.

Recommendation

• Deploy the Sigma rule “Potential Masquerading as Communication Apps - Generic” to your SIEM and tune for your environment to detect unsigned or improperly signed communication applications.
• Deploy the Sigma rule “Potential Masquerading as Communication Apps - Specific” to your SIEM and tune for your environment to detect unsigned or improperly signed instances of specific communication applications.
• Enable process creation logging on Windows systems to capture the necessary events for the Sigma rules.
• Review and validate the code signatures of all communication apps on your systems to ensure they are properly signed by trusted entities.
• Implement application control policies to restrict the execution of unsigned or untrusted executables.

]]>mediumadvisorydefense-evasionmasqueradingwindowshttps://feed.craftedsignal.io/briefs/2024-01-masquerading-business-apps/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-masquerading-business-apps/Attackers masquerade malicious executables as legitimate business application installers to trick users into downloading and executing malware, leveraging defense evasion and initial access techniques.Attackers often attempt to trick users into downloading and executing malicious executables by disguising them as legitimate business applications. This tactic is used to bypass security measures and gain initial access to a system. These malicious executables, often distributed via malicious ads, forum posts, and tutorials, mimic the names of commonly used applications such as Slack, WebEx, Teams, Discord, and Zoom. The executables are typically unsigned or signed with invalid certificates to further evade detection. This allows the attacker to execute arbitrary code on the victim’s machine, potentially leading to further compromise. This campaign aims to target end-users who are less security-aware, and this makes social engineering attacks like this very effective.

Attack Chain

1. The user visits a compromised website or clicks on a malicious advertisement.
2. The user is prompted to download an installer file masquerading as a legitimate business application (e.g., Slack, Zoom, Teams) from a download directory.
3. The downloaded executable is placed in the user’s Downloads folder (e.g., C:\Users*\Downloads*).
4. The user executes the downloaded file.
5. The executable, lacking a valid code signature, begins execution.
6. The malicious installer may drop and execute additional malware components.
7. The malware establishes persistence, potentially using techniques such as registry key modification.
8. The malware performs malicious activities, such as data exfiltration or lateral movement.

Impact

Successful execution of a masqueraded business application installer can lead to a complete system compromise. The attacker gains initial access and can deploy various malware payloads, including ransomware, keyloggers, and data stealers. This can result in data breaches, financial loss, and reputational damage. Although the specific number of victims and sectors targeted are not detailed, the widespread use of the applications being spoofed (Slack, Zoom, etc.) suggests a broad potential impact.

Recommendation

• Implement the Sigma rule Potential Masquerading as Business App Installer to detect unsigned executables resembling legitimate business applications in download directories.
• Enable process creation logging to capture the execution of unsigned executables.
• Educate users on the risks of downloading and executing files from untrusted sources.
• Implement application whitelisting to restrict the execution of unauthorized applications.
• Regularly update endpoint detection and response (EDR) tools to detect and prevent the execution of known malware.
• Monitor process execution events for processes originating from the Downloads folder that lack valid code signatures.

]]>mediumadvisorymasqueradingdefense-evasioninitial-accessmalwarewindows