{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows-defender-advanced-threat-protection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Intune Management Extension","Azure AD Connect Health Agent","Windows Defender Advanced Threat Protection"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","powershell","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers frequently employ PowerShell obfuscation techniques to evade detection and hinder analysis. These techniques involve encoding, encrypting, or compressing PowerShell scripts to mask their true intent. This detection identifies PowerShell script blocks exhibiting high entropy and non-uniform character distributions, statistical characteristics often associated with obfuscated content. The rule specifically targets script blocks longer than 1000 characters with entropy bits \u0026gt;= 5.5 and surprisal standard deviation \u0026gt; 0.7. This detection is designed to highlight potentially malicious PowerShell activity that warrants further investigation by security analysts and incident responders. 
This rule was created by Elastic and last updated on May 4, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system (e.g., via phishing or exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages PowerShell, a built-in Windows scripting language, to execute malicious commands.\u003c/li\u003e\n\u003cli\u003eThe attacker uses obfuscation techniques (encoding, encryption, compression) to disguise the PowerShell script\u0026rsquo;s true intent.\u003c/li\u003e\n\u003cli\u003eThe obfuscated script is executed, bypassing basic signature-based detections.\u003c/li\u003e\n\u003cli\u003eThe script may download and execute additional payloads or establish persistence.\u003c/li\u003e\n\u003cli\u003eThe script performs malicious actions such as data exfiltration, lateral movement, or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using obfuscated PowerShell can lead to various negative impacts, including data breaches, system compromise, and disruption of services. The low severity reflects the need for further analysis to confirm malicious intent, given potential false positives from legitimate encoded scripts. 
While the exact number of affected systems and sectors is unknown, the widespread use of PowerShell makes this a potentially significant threat across many organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to generate the necessary events (4104) as outlined in the setup instructions: \u003ca href=\"https://ela.st/powershell-logging-setup\"\u003ehttps://ela.st/powershell-logging-setup\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune the thresholds (\u003ccode\u003epowershell.file.script_block_length\u003c/code\u003e, \u003ccode\u003epowershell.file.script_block_entropy_bits\u003c/code\u003e, \u003ccode\u003epowershell.file.script_block_surprisal_stdev\u003c/code\u003e) based on your environment\u0026rsquo;s baseline.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule, focusing on execution context (\u003ccode\u003euser.name\u003c/code\u003e, \u003ccode\u003ehost.name\u003c/code\u003e), script provenance (\u003ccode\u003efile.path\u003c/code\u003e), and reconstructed script content (\u003ccode\u003epowershell.file.script_block_text\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview the investigation guide within the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e section for detailed triage and analysis steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:49:36Z","date_published":"2026-05-04T14:49:36Z","id":"/briefs/2026-06-high-entropy-powershell/","summary":"This detection identifies potentially obfuscated PowerShell scripts based on high entropy and non-uniform character distributions, often used by attackers to evade signature-based detections and hinder analysis.","title":"Potential PowerShell Obfuscated Script via High 
Entropy","url":"https://feed.craftedsignal.io/briefs/2026-06-high-entropy-powershell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Endpoint Defense","Windows Defender Advanced Threat Protection","Symantec Endpoint Protection","Endpoint Security","AVDefender","Optics","Padvish AV"],"_cs_severities":["high"],"_cs_tags":["credential-access","regback","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Sophos","Microsoft","Trend Micro","Symantec","Bitdefender","N-able Technologies","Cylance","McAfee","Padvish"],"content_html":"\u003cp\u003eThis detection identifies suspicious attempts to access registry backup hives (SAM, SECURITY, and SYSTEM) located in the \u003ccode\u003eRegBack\u003c/code\u003e folder on Windows systems. These hives contain sensitive credential material, making them attractive targets for attackers seeking to compromise system security. The detection logic focuses on file access events, specifically successful file opens, while excluding known benign processes such as \u003ccode\u003etaskhostw.exe\u003c/code\u003e and various AV/EDR solutions (SophosScanCoordinator.exe, MsSense.exe, ccSvcHst.exe, etc.) to minimize false positives. The rule is designed to provide defenders with high-fidelity alerts when unauthorized access to these critical registry hives is detected. 
The scope includes any Windows system where endpoint file access logging is enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to access the \u003ccode\u003eSAM\u003c/code\u003e, \u003ccode\u003eSECURITY\u003c/code\u003e, or \u003ccode\u003eSYSTEM\u003c/code\u003e registry hives located in the \u003ccode\u003eC:\\\\Windows\\\\System32\\\\config\\\\RegBack\\\\\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a tool or script to open one or more of these registry hives. This could involve using built-in Windows utilities, scripting languages, or custom-developed tools.\u003c/li\u003e\n\u003cli\u003eIf the attacker successfully opens the \u003ccode\u003eSAM\u003c/code\u003e and \u003ccode\u003eSYSTEM\u003c/code\u003e hives, they can extract user account credentials, including usernames, password hashes, and other sensitive information. 
The \u003ccode\u003eSECURITY\u003c/code\u003e hive likewise contains sensitive credential material.\u003c/li\u003e\n\u003cli\u003eThe attacker may stage the registry hive files by copying them to a different location on the system for further analysis or exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker uses credential dumping tools (e.g., Mimikatz, secretsdump.py) or custom scripts to extract credentials from the staged registry hives.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the extracted credentials to escalate privileges, move laterally within the network, or access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe final objective is typically to gain unauthorized access to critical systems, steal sensitive data, or establish long-term persistence within the compromised environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can lead to the compromise of user account credentials, enabling attackers to escalate privileges, move laterally within the network, and gain unauthorized access to sensitive data. The impact can range from data breaches and financial losses to reputational damage and disruption of critical business operations. The number of victims can vary depending on the scope of the attacker\u0026rsquo;s activities and the security posture of the targeted organization. 
Sectors commonly targeted include finance, healthcare, government, and critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable file access monitoring for the \u003ccode\u003eC:\\\\Windows\\\\System32\\\\config\\\\RegBack\\\\\u003c/code\u003e directory to capture file open events.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRegistry Hive Access via RegBack\u003c/code\u003e to your SIEM and tune the exclusions based on your environment.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eprocess_creation\u003c/code\u003e events for unusual processes accessing files in \u003ccode\u003eC:\\\\Windows\\\\System32\\\\config\\\\RegBack\\\\\u003c/code\u003e, using the rule \u003ccode\u003eSuspicious Process Accessing RegBack Hives\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging and file creation to activate the rules above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-02T12:00:00Z","date_published":"2024-07-02T12:00:00Z","id":"/briefs/2024-07-regback-hive-access/","summary":"This rule detects attempts to access registry backup hives (SAM, SECURITY, SYSTEM) via RegBack on Windows systems, which can contain or enable access to credential material.","title":"Suspicious Registry Hive Access via RegBack","url":"https://feed.craftedsignal.io/briefs/2024-07-regback-hive-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender Advanced Threat Protection"],"_cs_severities":["high"],"_cs_tags":["process injection","powershell","defense evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection focuses on identifying PowerShell scripts that combine specific Win32 API calls, often used in process injection and in-memory payload execution techniques. 
Attackers use PowerShell, a ubiquitous scripting language in Windows environments, to inject malicious code into other processes, bypassing traditional security controls. The rule specifically targets API combinations related to memory allocation (VirtualAlloc, VirtualAllocEx), memory protection (VirtualProtect), process access (OpenProcess), dynamic library loading (LdrLoadDll, LoadLibrary), and thread manipulation (CreateRemoteThread, NtCreateThreadEx). The rule excludes script activity originating from within Microsoft Defender Advanced Threat Protection directories, reducing false positives. This technique is valuable to attackers seeking to evade detection and execute malicious code stealthily. The detection logic is based on observing specific API combinations, commonly seen in tools like Empire.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell to execute a malicious script.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script uses \u003ccode\u003eOpenProcess\u003c/code\u003e to gain access to a target process.\u003c/li\u003e\n\u003cli\u003eThe script then uses \u003ccode\u003eVirtualAllocEx\u003c/code\u003e to allocate memory within the target process.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eWriteProcessMemory\u003c/code\u003e is used to write malicious code into the allocated memory.\u003c/li\u003e\n\u003cli\u003eThe script uses \u003ccode\u003eCreateRemoteThread\u003c/code\u003e or \u003ccode\u003eNtCreateThreadEx\u003c/code\u003e to create a new thread within the target process, pointing to the injected code.\u003c/li\u003e\n\u003cli\u003eThe injected code executes within the context of the target process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as credential dumping or establishing 
persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful process injection allows attackers to execute arbitrary code within the context of another process, often a legitimate one. This can lead to credential theft, privilege escalation, data exfiltration, or the deployment of ransomware. The impact is significant, as it allows attackers to bypass security controls and operate stealthily. While the number of victims is unknown, the widespread use of PowerShell makes this a potentially widespread threat. Successful attacks can compromise sensitive data, disrupt business operations, and damage an organization\u0026rsquo;s reputation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the necessary events (4104) for this detection to function as described in the setup instructions \u003ca href=\"https://ela.st/powershell-logging-setup\"\u003ehttps://ela.st/powershell-logging-setup\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious PowerShell scripts indicative of process injection. Tune the rules based on your environment\u0026rsquo;s baseline activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the reconstructed script content, target process, and execution context. 
Refer to the investigation guide section for triage steps.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized PowerShell scripts.\u003c/li\u003e\n\u003cli\u003eMonitor PowerShell execution for suspicious API calls related to process injection, as described in the rule\u0026rsquo;s \u003ccode\u003equery\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T10:00:00Z","date_published":"2024-01-24T10:00:00Z","id":"/briefs/2024-01-24-posh-process-injection/","summary":"This detection identifies PowerShell scripts leveraging Win32 APIs for memory allocation, process access, and thread creation, indicative of potential process injection or in-memory payload execution on Windows systems.","title":"Potential Process Injection via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-24-posh-process-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Windows Defender Advanced Threat Protection","SupportAssistAgent","Obkio Agent","SolarWinds Agent","SecuraAgent"],"_cs_severities":["low"],"_cs_tags":["discovery","privilege-escalation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Dell","Obkio","SolarWinds","Infraon Corp"],"content_html":"\u003cp\u003eThis detection rule identifies instances where the SYSTEM account is used to execute account discovery utilities, such as \u003ccode\u003ewhoami.exe\u003c/code\u003e and \u003ccode\u003enet1.exe\u003c/code\u003e. This behavior is commonly observed after an attacker has successfully achieved privilege escalation within a Windows environment, or after exploiting a web application. The rule is designed to detect post-exploitation discovery activity where an adversary attempts to gain situational awareness by enumerating accounts and system information using the elevated SYSTEM context. 
The rule leverages data from Elastic Defend and Sysmon Event ID 1 to identify these behaviors, helping defenders spot potential privilege escalation and lateral movement attempts. The original rule was created 2020/03/18 and updated 2026/05/04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, potentially through exploiting a vulnerability in a web application or through phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to the SYSTEM account, possibly by exploiting a local privilege escalation vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewhoami.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e via the SYSTEM account to enumerate user accounts and gather system information.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewhoami.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e process is spawned by a parent process such as a web server process (e.g., w3wp.exe) or a service process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the discovered account information to plan further actions, such as lateral movement or credential theft.\u003c/li\u003e\n\u003cli\u003eThe attacker may use \u003ccode\u003enet1.exe\u003c/code\u003e to query domain information.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the gained information to identify valuable targets within the network.\u003c/li\u003e\n\u003cli\u003eThe final objective is often data exfiltration, deployment of ransomware, or further compromise of the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data, lateral movement within the network, and potential data exfiltration or ransomware deployment. 
Although this rule has low severity, the execution of discovery commands by the SYSTEM account can be a critical indicator of compromise. Early detection of such activity can prevent more severe damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect account discovery commands executed via the SYSTEM account and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to ensure the necessary data is available for detection.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the process execution chain to identify the source of the SYSTEM account usage.\u003c/li\u003e\n\u003cli\u003eIf the process tree includes a web-application server process, investigate suspicious file creation or modification to assess for webshell backdoors.\u003c/li\u003e\n\u003cli\u003eReview and harden web application security to prevent initial access and privilege escalation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T14:00:00Z","date_published":"2024-01-09T14:00:00Z","id":"/briefs/2024-01-09-system-account-discovery/","summary":"The rule identifies when the SYSTEM account uses an account discovery utility, potentially indicating discovery activity after privilege escalation, focusing on utilities like whoami.exe and net1.exe executed under the SYSTEM account.","title":"Account Discovery Command via SYSTEM Account","url":"https://feed.craftedsignal.io/briefs/2024-01-09-system-account-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender Advanced Threat Protection"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts leveraging a combination of Base64 encoding and .NET compression 
techniques (Deflate/GZip) to conceal malicious payloads. Attackers employ this method to bypass security measures by deobfuscating and reconstructing the payload directly in memory. This technique allows adversaries to evade detection mechanisms that rely on static analysis of script content. The rule focuses on identifying script block content exhibiting this behavior, providing defenders with visibility into potential defense evasion attempts within their Windows environments. This rule was last updated on 2026-05-04, and its initial version was created on 2021/10/19.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access through methods like phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eA PowerShell script is executed on the target system, potentially through a compromised user account.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script contains a Base64 encoded string representing a compressed payload.\u003c/li\u003e\n\u003cli\u003eThe script uses the \u003ccode\u003eFromBase64String\u003c/code\u003e function to decode the Base64 encoded string.\u003c/li\u003e\n\u003cli\u003eThe script decompresses the decoded data using .NET compression classes like \u003ccode\u003eSystem.IO.Compression.DeflateStream\u003c/code\u003e or \u003ccode\u003eSystem.IO.Compression.GzipStream\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe decompressed data reveals a malicious payload, such as a reverse shell or credential theft tool.\u003c/li\u003e\n\u003cli\u003eThe script executes the payload in memory, bypassing traditional file-based detection methods.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as gaining persistent access, stealing data, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete system compromise, data theft, and 
deployment of malware such as ransomware. The obfuscation techniques make detection more difficult, increasing the dwell time of attackers within the network. Windows systems are primarily affected. If Windows Defender Advanced Threat Protection is being used, this can evade its protection.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the necessary events for detection (related to the logsource in the rules below).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Suspicious Payload Encoded and Compressed\u0026rdquo; to your SIEM and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule, focusing on the reconstructed script block content.\u003c/li\u003e\n\u003cli\u003eReview PowerShell execution policies to restrict the execution of unsigned or untrusted scripts.\u003c/li\u003e\n\u003cli\u003eMonitor process telemetry for PowerShell instances and their parent processes.\u003c/li\u003e\n\u003cli\u003eRestrict PowerShell execution to trusted administrative paths where feasible.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:00:00Z","date_published":"2024-01-03T18:00:00Z","id":"/briefs/2024-01-powershell-compressed-payload/","summary":"Detects PowerShell scripts employing Base64 decoding combined with .NET decompression (Deflate/GZip) to deobfuscate and reconstruct malicious payloads in memory, evading traditional defenses.","title":"PowerShell Suspicious Payload Encoded and Compressed","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-compressed-payload/"}],"language":"en","title":"CraftedSignal Threat Feed — Windows Defender Advanced Threat Protection","version":"https://jsonfeed.org/version/1.1"}