https://feed.craftedsignal.io/products/vmware-tools/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 05 Sep 2024 14:17:05 +0000https://feed.craftedsignal.io/briefs/2024-09-msiexec-persistence/Thu, 05 Sep 2024 14:17:05 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-09-msiexec-persistence/Adversaries may establish persistence by abusing the Windows Installer (msiexec.exe) to create scheduled tasks or modify registry run keys, allowing for malicious code execution upon system startup or user logon.The Windows Installer (msiexec.exe) is a legitimate system tool used for installing, updating, and removing software on Windows systems. Adversaries can abuse msiexec.exe to establish persistence mechanisms by creating malicious scheduled tasks or modifying registry run keys. This allows them to execute arbitrary code during system startup or user logon. This technique is attractive to attackers due to msiexec.exe being a trusted Windows binary, potentially evading detection by security solutions that focus on flagging unknown or suspicious processes. The use of msiexec.exe for persistence can be difficult to detect without specific monitoring rules, as it is a common and legitimate system process. This activity can be observed across various Windows versions and is frequently integrated into automated attack frameworks and scripts.

Attack Chain

1. An attacker gains initial access to a compromised system, potentially through phishing, exploitation of a vulnerability, or stolen credentials.
2. The attacker leverages msiexec.exe to create a new scheduled task using the schtasks.exe command, setting it to execute a malicious script or binary.
3. Alternatively, the attacker uses msiexec.exe in conjunction with reg.exe or PowerShell to modify registry keys under HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\Run, adding a pointer to their malicious executable.
4. The created scheduled task or registry entry points to a malicious payload, such as a reverse shell or a downloader.
5. The system is restarted, or the user logs on, triggering the execution of the newly created scheduled task or the malicious binary through the modified registry run key.
6. The malicious payload executes, establishing a persistent foothold for the attacker on the compromised system.
7. The attacker can now perform further actions, such as data exfiltration, lateral movement, or deployment of ransomware.

Impact

Successful exploitation allows the adversary to maintain persistent access to the compromised system. This can lead to data theft, system compromise, deployment of ransomware, or use of the system as a staging point for further attacks within the network. A single compromised system can be used to pivot and compromise additional systems, leading to a widespread security breach. The impact can include financial losses, reputational damage, and disruption of business operations.

Recommendation

• Monitor process creation events for msiexec.exe spawning schtasks.exe or reg.exe to create scheduled tasks or modify registry run keys (reference: rules in this brief).
• Implement and tune the Sigma rules provided in this brief to detect suspicious msiexec.exe activity related to persistence mechanisms.
• Review and audit existing scheduled tasks and registry run keys for any suspicious entries or anomalies.
• Enable file integrity monitoring (FIM) on critical system directories, including the Windows Task Scheduler directory and registry run key locations (reference: event.category == “file” and file.path … and event.category == “registry” and registry.path … in the rule query).
• Implement application control policies to restrict the execution of unauthorized or unknown executables (reference: rule query).

]]>mediumadvisorypersistencedefense-evasionwindowshttps://feed.craftedsignal.io/briefs/2024-01-time-provider-modification/Wed, 03 Jan 2024 10:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-time-provider-modification/Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider by modifying registry keys associated with the W32Time service.The Windows Time service (W32Time) synchronizes the system clock with other devices on the network, using time providers implemented as DLL files located in the System32 folder. This architecture can be abused by adversaries to establish persistence by registering and enabling a malicious DLL as a time provider. The W32Time service starts during Windows startup and loads w32time.dll. This technique involves modifying specific registry keys associated with the Time Providers, enabling a malicious DLL to be loaded and executed every time the service starts. This can allow an attacker to maintain persistent access to the system, even after a reboot. The Elastic Security team has identified this persistence method and provided a detection rule to identify such modifications.

Attack Chain

1. The attacker gains initial access to the system through an exploit, phishing, or other means.
2. The attacker obtains administrator privileges on the target system.
3. The attacker crafts or deploys a malicious DLL to be used as a time provider.
4. The attacker modifies the registry to register the malicious DLL as a valid time provider. The registry keys under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\ are targeted.
5. The attacker enables the newly registered time provider.
6. The W32Time service is restarted, or the system is rebooted.
7. The W32Time service loads the malicious DLL, executing the attacker’s code.
8. The attacker maintains persistent access to the compromised system.

Impact

Successful exploitation allows the attacker to achieve persistence on the compromised system. The attacker can execute arbitrary code every time the W32Time service starts. This may lead to further malicious activities, such as data theft, lateral movement, or the installation of additional malware. The impact is significant, as the attacker can maintain long-term control over the system.

Recommendation

• Deploy the Sigma rule Time Provider DLL Registration to detect the registration of new DLL files as Time Providers in the registry.
• Enable Sysmon registry event logging to capture registry modifications, as this is a requirement for the provided Sigma rules.
• Investigate any registry changes to the HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\ path, especially those adding new DLLs, using the provided Sigma rule.
• Monitor process execution for msiexec.exe installing DLLs in the Program Files\VMware\VMware Tools directory, which could indicate legitimate activity, but should still be validated.
• Regularly audit and validate the list of registered Time Providers on critical systems.

]]>mediumadvisorypersistenceprivilege-escalationtime-provider