{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","threat-detection","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003ePass-the-Hash (PtH) is a technique where attackers leverage stolen password hashes to authenticate and move laterally within a Windows environment, bypassing standard system access controls. Instead of needing the plaintext password, adversaries use a hash of the password to authenticate to a remote service or server. This detection rule focuses on identifying potential PtH attempts by monitoring for successful logins using specific user IDs (S-1-5-21-* or S-1-12-1-*) and the \u003ccode\u003eseclogo\u003c/code\u003e logon process, which is commonly associated with credential theft and misuse. The rule aims to detect anomalous authentication patterns indicating that an attacker is using PtH to gain unauthorized access to systems. 
This is important because successful PtH attacks can lead to widespread compromise of sensitive data and critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker dumps password hashes from the compromised system using tools like Mimikatz.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen password hash to authenticate to the target system using the \u003ccode\u003eseclogo\u003c/code\u003e logon process.\u003c/li\u003e\n\u003cli\u003eWindows validates the hash, granting the attacker access without requiring the plaintext password.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully authenticates with the stolen credentials and a user ID matching the pattern S-1-5-21-* or S-1-12-1-*.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their unauthorized access to move laterally to other systems or access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful Pass-the-Hash attacks can lead to significant damage, including unauthorized access to sensitive data, lateral movement within the network, and potential data exfiltration or ransomware deployment. Organizations can experience financial losses, reputational damage, and operational disruptions. 
While the specific number of victims is not stated, PtH is a common technique used in many breaches, potentially affecting any organization that relies on Windows authentication.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Logon to generate the necessary Windows Security Event Logs as referenced in the setup instructions \u003ca href=\"https://ela.st/audit-logon\"\u003ehttps://ela.st/audit-logon\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to your SIEM to detect potential Pass-the-Hash attempts. Tune the rule to account for legitimate uses of the \u003ccode\u003eseclogo\u003c/code\u003e logon process.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on correlating the successful authentication events with other security logs to identify any lateral movement or access to sensitive systems.\u003c/li\u003e\n\u003cli\u003eReview and update access controls and permissions for the affected accounts to ensure they adhere to the principle of least privilege after an incident, as detailed in the Response and Remediation section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-01-potential-pth/","summary":"This rule detects potential Pass-the-Hash (PtH) attempts in Windows environments by monitoring successful authentications with specific user IDs (S-1-5-21-* or S-1-12-1-*) and the `seclogo` logon process, where attackers use stolen password hashes to authenticate and move laterally across systems without needing plaintext passwords.","title":"Potential Pass-the-Hash (PtH) Attempt 
Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-potential-pth/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","rpc","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eKaspersky researchers discovered a critical vulnerability in the Windows Remote Procedure Call (RPC) architecture, dubbed PhantomRPC, that enables local privilege escalation. The flaw allows an attacker to create a rogue RPC server and, by exploiting existing processes with impersonation privileges (such as those running as Local Service or Network Service), elevate their own permissions to SYSTEM. The vulnerability resides in the architectural design of RPC itself, making it potentially exploitable across all Windows versions. The researcher has demonstrated five different exploitation paths escalating privileges from various local or network service contexts. This issue has been disclosed to Microsoft, but a patch has not yet been released. 
Due to the fundamental nature of the vulnerability, the number of potential attack vectors is effectively unlimited.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system with low privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a service running with \u003ccode\u003eSeImpersonatePrivilege\u003c/code\u003e, such as Local Service or Network Service.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious RPC server application designed to exploit the PhantomRPC vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a connection from the target service (e.g., Group Policy Client service) to the attacker\u0026rsquo;s malicious RPC server via ALPC.\u003c/li\u003e\n\u003cli\u003eThe malicious RPC server uses \u003ccode\u003eRpcImpersonateClient\u003c/code\u003e API to impersonate the SYSTEM account.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s malicious RPC server executes code within the security context of the SYSTEM account.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to perform arbitrary actions, such as installing malware, creating new accounts, or accessing sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of PhantomRPC allows a low-privileged attacker to gain complete control over the affected system by escalating privileges to SYSTEM. This can lead to complete system compromise, including data theft, malware installation, and denial of service. The vulnerability affects all Windows versions and given the number of potential attack vectors, it poses a significant risk to a large number of systems. 
While the exact number of potential victims remains unknown, the widespread use of RPC in Windows makes this a highly critical issue.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for the creation of suspicious ALPC ports, especially those targeting services with \u003ccode\u003eSeImpersonatePrivilege\u003c/code\u003e. Use the Sigma rule \u003ccode\u003eDetect Suspicious ALPC Port Creation\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor for processes calling the \u003ccode\u003eRpcImpersonateClient\u003c/code\u003e API, especially those originating from unusual or untrusted processes. Use the Sigma rule \u003ccode\u003eDetect RpcImpersonateClient API Call from Unusual Process\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eRestrict access to services with \u003ccode\u003eSeImpersonatePrivilege\u003c/code\u003e where possible, limiting the potential attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T08:00:12Z","date_published":"2026-04-24T08:00:12Z","id":"/briefs/2026-04-phantom-rpc-privesc/","summary":"A vulnerability in Windows RPC architecture allows an attacker to create a fake RPC server and escalate their privileges to SYSTEM level, leveraging processes with impersonation privileges.","title":"PhantomRPC: Windows RPC Privilege Escalation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-phantom-rpc-privesc/"},{"_cs_actors":["Trigona"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","AnyDesk","Mimikatz","PowerRun"],"_cs_severities":["high"],"_cs_tags":["trigona","ransomware","data exfiltration","custom tool"],"_cs_type":"threat","_cs_vendors":["Microsoft","Nirsoft","AnyDesk"],"content_html":"\u003cp\u003eTrigona ransomware, initially launched in October 2022, has been observed using a custom command-line tool named 
\u0026ldquo;uploader_client.exe\u0026rdquo; to exfiltrate data from compromised environments. This shift, observed in March 2026, suggests an effort to avoid detection by security solutions that commonly flag publicly available tools like Rclone and MegaSync. Symantec researchers believe this indicates a strategic investment in proprietary malware to maintain a lower profile during critical phases of attacks. The custom tool supports five simultaneous connections per file for faster data exfiltration via parallel uploads, rotates TCP connections after 2GB of traffic to evade monitoring, offers options for selective file type exfiltration, and utilizes an authentication key to restrict access to stolen data. Despite disruptions in October 2023, Trigona has resumed operations, incorporating additional techniques like installing the Huorong Network Security Suite tool HRSword and disabling security products.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of the target system through unspecified means.\u003c/li\u003e\n\u003cli\u003eInstallation of the Huorong Network Security Suite tool HRSword as a kernel driver service.\u003c/li\u003e\n\u003cli\u003eDeployment of tools such as PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd to disable security-related products by leveraging vulnerable kernel drivers to terminate endpoint protection processes.\u003c/li\u003e\n\u003cli\u003eExecution of utilities with PowerRun to launch apps, executables, and scripts with elevated privileges, bypassing user-mode protections.\u003c/li\u003e\n\u003cli\u003eDeployment of AnyDesk for direct remote access to the breached systems.\u003c/li\u003e\n\u003cli\u003eExecution of Mimikatz and Nirsoft utilities for credential theft and password recovery operations.\u003c/li\u003e\n\u003cli\u003eUse of the custom \u0026ldquo;uploader_client.exe\u0026rdquo; to exfiltrate valuable documents such as 
invoices and PDFs from network drives via parallel uploads, rotating TCP connections to evade monitoring, and using an authentication key to restrict data access.\u003c/li\u003e\n\u003cli\u003eFinal stage involving the deployment of Trigona ransomware, demanding ransom payment in Monero cryptocurrency.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful Trigona ransomware attacks result in significant data theft and encryption, disrupting business operations and causing financial losses. The group has demonstrated the capability to resume operations even after suffering disruptions, indicating a persistent threat. Observed data exfiltration has included high-value documents such as invoices and PDFs, demonstrating a targeted approach to data theft. Victims face potential regulatory penalties, reputational damage, and recovery costs associated with restoring systems and data. The number of victims and specific financial impact varies per campaign, but the potential for severe disruption and financial strain is consistent.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u0026ldquo;uploader_client.exe\u0026rdquo; with command-line arguments indicative of data exfiltration (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect connections to unusual or hardcoded server addresses used by the \u0026ldquo;uploader_client.exe\u0026rdquo; exfiltration tool (see IOC table).\u003c/li\u003e\n\u003cli\u003eDeploy endpoint detection rules to identify the installation of Huorong Network Security Suite (HRSword) as a kernel driver service and tools like PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd.\u003c/li\u003e\n\u003cli\u003eMonitor for processes launched via PowerRun, especially if followed by credential dumping or remote access tool 
execution.\u003c/li\u003e\n\u003cli\u003eReview AnyDesk usage for unusual connections or after-hours access, as this tool is used for remote access.\u003c/li\u003e\n\u003cli\u003eEnable robust logging for credential access attempts and password recovery activity associated with Mimikatz and Nirsoft tools.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T19:02:17Z","date_published":"2026-04-23T19:02:17Z","id":"/briefs/2026-05-trigona-custom-exfil/","summary":"Trigona ransomware is using a custom data exfiltration tool named 'uploader_client.exe' to steal data from compromised environments, enhancing speed and evasion.","title":"Trigona Ransomware Employing Custom Data Exfiltration Tool","url":"https://feed.craftedsignal.io/briefs/2026-05-trigona-custom-exfil/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","execution","lateral-movement","powershell"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003ePowercat is a PowerShell script that functions similarly to the traditional Netcat utility, allowing for network communication using TCP and UDP. Attackers can use Powercat to establish reverse shells, transfer files, and perform port scanning within a compromised environment. This activity is often employed during post-exploitation phases to maintain access and propagate further into the network. 
Defenders should be aware of PowerShell scripts invoking Powercat, especially in environments…\u003c/p\u003e\n","date_modified":"2024-11-04T14:27:00Z","date_published":"2024-11-04T14:27:00Z","id":"/briefs/2024-11-powercat-detection/","summary":"Adversaries may leverage Powercat, a PowerShell implementation of Netcat, to establish command and control channels or perform lateral movement within a compromised network.","title":"Powercat PowerShell Implementation Detection","url":"https://feed.craftedsignal.io/briefs/2024-11-powercat-detection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Adobe Acrobat Update Task","Sure Click","Secure Access Client","CtxsDPS.exe","Openvpn-gui.exe","Veeam Endpoint Backup","Cisco Secure Client","Concentr.exe","Receiver","AnalyticsSrv.exe","Redirector.exe","Download Navigator","Jabra Direct","Vmware Workstation","Eset Security","iTunes","Keepassxc.exe","Globalprotect","Pdf24.exe","Vmware Tools","Teams"],"_cs_severities":["medium"],"_cs_tags":["persistence","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Adobe","HP","Intel","Acronis","Java","Citrix","OpenVPN","Veeam","Cisco","Epson","Jabra","VMware","ESET","iTunes","KeePassXC","Palo Alto Networks","PDF24"],"content_html":"\u003cp\u003eThe Windows Installer (msiexec.exe) is a legitimate system tool used for installing, updating, and removing software on Windows systems. Adversaries can abuse msiexec.exe to establish persistence mechanisms by creating malicious scheduled tasks or modifying registry run keys. This allows them to execute arbitrary code during system startup or user logon. This technique is attractive to attackers due to msiexec.exe being a trusted Windows binary, potentially evading detection by security solutions that focus on flagging unknown or suspicious processes. 
The use of msiexec.exe for persistence can be difficult to detect without specific monitoring rules, as it is a common and legitimate system process. This activity can be observed across various Windows versions and is frequently integrated into automated attack frameworks and scripts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised system, potentially through phishing, exploitation of a vulnerability, or stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages msiexec.exe to create a new scheduled task using the \u003ccode\u003eschtasks.exe\u003c/code\u003e command, setting it to execute a malicious script or binary.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses msiexec.exe in conjunction with \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify registry keys under \u003ccode\u003eHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u003c/code\u003e or \u003ccode\u003eHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u003c/code\u003e, adding a pointer to their malicious executable.\u003c/li\u003e\n\u003cli\u003eThe created scheduled task or registry entry points to a malicious payload, such as a reverse shell or a downloader.\u003c/li\u003e\n\u003cli\u003eThe system is restarted, or the user logs on, triggering the execution of the newly created scheduled task or the malicious binary through the modified registry run key.\u003c/li\u003e\n\u003cli\u003eThe malicious payload executes, establishing a persistent foothold for the attacker on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform further actions, such as data exfiltration, lateral movement, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the adversary to maintain persistent access to the compromised system. 
This can lead to data theft, system compromise, deployment of ransomware, or use of the system as a staging point for further attacks within the network. A single compromised system can be used to pivot and compromise additional systems, leading to a widespread security breach. The impact can include financial losses, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for msiexec.exe spawning \u003ccode\u003eschtasks.exe\u003c/code\u003e or \u003ccode\u003ereg.exe\u003c/code\u003e to create scheduled tasks or modify registry run keys (reference: rules in this brief).\u003c/li\u003e\n\u003cli\u003eImplement and tune the Sigma rules provided in this brief to detect suspicious msiexec.exe activity related to persistence mechanisms.\u003c/li\u003e\n\u003cli\u003eReview and audit existing scheduled tasks and registry run keys for any suspicious entries or anomalies.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring (FIM) on critical system directories, including the Windows Task Scheduler directory and registry run key locations (reference: event.category == \u0026ldquo;file\u0026rdquo; and file.path \u0026hellip; and event.category == \u0026ldquo;registry\u0026rdquo; and registry.path \u0026hellip; in the rule query).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or unknown executables (reference: rule query).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-09-05T14:17:05Z","date_published":"2024-09-05T14:17:05Z","id":"/briefs/2024-09-msiexec-persistence/","summary":"Adversaries may establish persistence by abusing the Windows Installer (msiexec.exe) to create scheduled tasks or modify registry run keys, allowing for malicious code execution upon system startup or user logon.","title":"Persistence via Windows Installer 
(Msiexec)","url":"https://feed.craftedsignal.io/briefs/2024-09-msiexec-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["credential-access","pass-the-hash","ntlm-relay","powershell"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts containing artifacts indicative of NTLM relay or pass-the-hash (PtH) attacks. These techniques allow attackers to authenticate to systems without needing plaintext passwords, enabling lateral movement and privilege escalation. The rule focuses on identifying specific byte sequences and strings within PowerShell script blocks that suggest NTLM/SMB negotiation and credential access attempts. This detection helps defenders identify and respond to potential credential theft and abuse within their Windows environments. The rule is based on observed techniques used in various publicly available tools such as Invoke-TheHash, Check-LocalAdminHash, and PoshC2.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script on the compromised system. 
This script could be directly executed or obfuscated to evade initial detection.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script attempts to perform NTLM relay or pass-the-hash attacks by utilizing specific byte sequences related to NTLM/SMB negotiation, such as \u003ccode\u003eNTLMSSPNegotiate\u003c/code\u003e or \u003ccode\u003e0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script may utilize tools like Invoke-WMIExec or Invoke-SMBExec to execute commands on remote systems using the stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to other systems on the network using the relayed credentials or password hashes.\u003c/li\u003e\n\u003cli\u003eSuccessful authentication allows the attacker to move laterally, accessing sensitive data or escalating privileges on other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker may deploy additional payloads or establish persistence mechanisms for continued access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful pass-the-hash or NTLM relay attack can grant an attacker unauthorized access to sensitive systems and data within the network. This can lead to data breaches, financial loss, or disruption of critical services. The impact could range from compromising a few systems to gaining domain administrator privileges, depending on the attacker\u0026rsquo;s goals and the network\u0026rsquo;s security posture. Organizations can experience significant financial and reputational damage due to data breaches and service disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the necessary data for this detection. 
Refer to the setup instructions in the rule documentation for configuration details.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetecting Potential PowerShell Pass-the-Hash/Relay Scripts\u003c/code\u003e to your SIEM and tune it based on your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule to determine the scope and impact of the potential attack. Refer to the triage and analysis section in the rule documentation for guidance on investigation steps.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and access controls to limit the impact of lateral movement.\u003c/li\u003e\n\u003cli\u003eMonitor authentication events (event codes 4624, 4625, 4648) for suspicious activity, such as NTLM authentication from unexpected source IPs or to unusual target systems, as described in the rule\u0026rsquo;s investigation notes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T12:00:00Z","date_published":"2024-07-03T12:00:00Z","id":"/briefs/2024-07-powershell-pth-relay/","summary":"This rule detects PowerShell scripts associated with NTLM relay or pass-the-hash tooling and SMB/NTLM negotiation artifacts, indicating potential credential access and lateral movement attempts by attackers.","title":"Detecting Potential PowerShell Pass-the-Hash/Relay Scripts","url":"https://feed.craftedsignal.io/briefs/2024-07-powershell-pth-relay/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["attack.execution","attack.t1047"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may leverage the Windows Management Instrumentation Command-line (WMIC) tool for reconnaissance activities within a network. Specifically, WMIC can be used to query and retrieve information about services running on remote systems. 
By executing WMIC commands with the \u0026lsquo;service\u0026rsquo; parameter, adversaries can identify the presence and status of specific services, potentially revealing vulnerable or misconfigured systems. This information can then be used to guide further exploitation attempts. WMIC is a built-in Windows utility, making its activity blend with legitimate system administration tasks, increasing the difficulty of detection. This activity is a component of the broader T1047 technique (Windows Management Instrumentation).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a compromised system within the target network.\u003c/li\u003e\n\u003cli\u003eThe attacker executes WMIC.exe from the command line.\u003c/li\u003e\n\u003cli\u003eWMIC.exe is invoked with the \u003ccode\u003eservice\u003c/code\u003e parameter to query service information.\u003c/li\u003e\n\u003cli\u003eThe command includes a target IP address or hostname to query a remote system.\u003c/li\u003e\n\u003cli\u003eThe command attempts to retrieve service names and status information (e.g., \u003ccode\u003ewmic /node:\u0026quot;192.168.1.100\u0026quot; service get name, state\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eWMIC attempts to connect to the remote host via RPC. 
An error message is generated if the remote host is unreachable: \u0026ldquo;Node - (provided IP or default) ERROR Description =The RPC server is unavailable\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eIf the target service is not running, a \u0026ldquo;No instance(s) Available\u0026rdquo; message may be displayed.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output from WMIC to identify running services of interest for further exploitation or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful service reconnaissance allows attackers to map potential attack vectors within a network. By identifying specific services running on remote systems, attackers can prioritize targets for exploitation based on known vulnerabilities or misconfigurations. This can lead to unauthorized access, data breaches, and system compromise. While the reconnaissance itself does not directly cause harm, it provides crucial information that enables subsequent malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious WMIC Service Enumeration\u003c/code\u003e to your SIEM to identify potential service reconnaissance attempts via WMIC (logsource: process_creation, product: windows).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003eWMIC.exe\u003c/code\u003e executions containing the \u003ccode\u003eservice\u003c/code\u003e parameter using endpoint detection and response (EDR) solutions (logsource: process_creation, product: windows).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the scope of potential reconnaissance activities.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of WMIC in your environment, as it is a common tool for both legitimate administration and malicious 
activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-wmic-service-recon/","summary":"Adversaries use WMIC.exe to enumerate running services on remote devices, potentially identifying valuable targets or misconfigured systems.","title":"Service Reconnaissance via WMIC.exe","url":"https://feed.craftedsignal.io/briefs/2024-01-30-wmic-service-recon/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","execution","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may leverage scripting engines, such as \u003ccode\u003ewscript.exe\u003c/code\u003e and \u003ccode\u003ecscript.exe\u003c/code\u003e, to directly modify the Windows Registry. These scripting engines are often abused for malicious purposes, including establishing persistence, escalating privileges, or disabling security controls. These scripting engines can modify the registry without using standard tools like \u003ccode\u003eregedit.exe\u003c/code\u003e or \u003ccode\u003ereg.exe\u003c/code\u003e, making it harder to detect malicious registry changes. 
Defenders should be aware of processes using these engines to modify the registry, as this behavior is uncommon in legitimate software installations or administrative tasks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, potentially through social engineering or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script (VBScript, JScript) via \u003ccode\u003ewscript.exe\u003c/code\u003e or \u003ccode\u003ecscript.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script contains commands to modify specific registry keys, such as the Run key for persistence (T1547.001).\u003c/li\u003e\n\u003cli\u003eThe scripting engine process (e.g., \u003ccode\u003ewscript.exe\u003c/code\u003e) directly interacts with the Windows Registry to set the new values.\u003c/li\u003e\n\u003cli\u003eUpon system restart or user logon, the modified registry key triggers the execution of a malicious payload.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence on the compromised system, allowing for continued access and control.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the persistent access to perform lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to persistent access on compromised systems, enabling attackers to execute malicious code, steal sensitive information, or disrupt critical services. The registry modifications performed by scripting engines can bypass traditional security measures and make it difficult to detect and remediate the attack. 
This can result in significant data loss, financial damage, and reputational harm to affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Registry Tampering by Potentially Suspicious Processes\u0026rdquo; to your SIEM to detect suspicious registry modifications made by scripting engines.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u0026ldquo;Registry Tampering by Potentially Suspicious Processes\u0026rdquo; for unusual or unauthorized registry changes.\u003c/li\u003e\n\u003cli\u003eMonitor registry events for modifications made by processes such as \u003ccode\u003ewscript.exe\u003c/code\u003e and \u003ccode\u003ecscript.exe\u003c/code\u003e (logsource: registry_event).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-29-susp-reg-mod/","summary":"The use of scripting engines like WScript and CScript to modify the Windows registry can indicate an attempt to bypass standard tools and evade defenses, potentially for persistence or other malicious activities.","title":"Suspicious Registry Modifications by Scripting Engines","url":"https://feed.craftedsignal.io/briefs/2024-01-29-susp-reg-mod/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["credential-access","brute-force","password-spraying","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies potential password guessing or brute force activity against Windows systems. It focuses on detecting a high number of failed network logon attempts originating from a single source IP address within a short time frame. 
The rule analyzes Windows Security Event Logs, specifically looking for event category \u0026ldquo;authentication\u0026rdquo; and event action \u0026ldquo;logon-failed\u0026rdquo;. By aggregating failed authentication counts within a 60-second window and filtering out common authentication misconfiguration errors, the rule aims to pinpoint suspicious activity indicative of credential access attempts. This is important for defenders as it highlights potential breaches or malicious actors attempting to compromise user accounts via brute-force or password spraying attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker initiates a network connection to a Windows system, likely targeting a service such as SMB or RDP.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate using a list of usernames and passwords or commonly used passwords, generating failed logon attempts (Event ID 4625).\u003c/li\u003e\n\u003cli\u003eThe Windows system logs the failed authentication attempts in the Security Event Log.\u003c/li\u003e\n\u003cli\u003eThe detection rule monitors the Security Event Log for failed logon events (event.category == \u0026ldquo;authentication\u0026rdquo; and event.action == \u0026ldquo;logon-failed\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe rule aggregates the number of failed logon attempts from the same source IP address within a 60-second time window.\u003c/li\u003e\n\u003cli\u003eIf the number of failed attempts exceeds a threshold (e.g., 100) and involves multiple target usernames (Esql.count_distinct_target_user_name \u0026gt;= 2), the rule triggers a detection.\u003c/li\u003e\n\u003cli\u003eThe attacker may continue attempts after initial failures or pivot to successful credentials for lateral movement.\u003c/li\u003e\n\u003cli\u003eSuccessful credential access can lead to privilege escalation, data exfiltration, or other malicious 
activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful brute-force or password spraying attacks can lead to unauthorized access to user accounts and sensitive data. The impact can range from minor inconvenience to significant data breaches and financial losses, depending on the compromised accounts and the data they have access to. The rule aims to reduce the window of opportunity for attackers to gain a foothold in the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Logon to generate the necessary Windows Security Event Logs. Follow the setup instructions outlined in the rule documentation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Multiple Logon Failure from the Same Source Address\u0026rdquo; to your SIEM and tune the threshold values (Esql.failed_auth_count and Esql.count_distinct_target_user_name) to minimize false positives in your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any triggered alerts by examining the logon failure reason codes and the targeted user names as described in the rule\u0026rsquo;s investigation guide.\u003c/li\u003e\n\u003cli\u003eMonitor network connections from the source IP address for any suspicious outbound traffic or lateral movement activity.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong password policies to mitigate the risk of successful brute-force attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-multiple-logon-failure/","summary":"Detection of multiple consecutive logon failures from the same source address within a short time interval on Windows systems, indicating potential brute force or password spraying attacks targeting multiple user accounts.","title":"Multiple Logon Failure from the Same Source 
Address","url":"https://feed.craftedsignal.io/briefs/2024-01-multiple-logon-failure/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["attack.privilege-escalation","attack.persistence","attack.t1547.001"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers can manipulate Windows Registry Classes keys, an autostart extensibility point (ASEP), to achieve persistence. This involves modifying registry entries that control how the operating system handles specific file types or shell actions. By modifying these keys, adversaries can ensure their malicious code executes whenever a user interacts with a specific file type (e.g., opening an .exe) or performs a specific action within the shell. This technique, which has been observed since at least 2019, allows malicious actors to maintain a persistent foothold on compromised systems. While legitimate software also utilizes these registry keys, careful filtering and monitoring are crucial for distinguishing malicious modifications from benign software installations. Detection can be noisy due to the legitimate use of these keys, so tuning and review is critical.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access through a separate vector (e.g., phishing, exploit). This stage is not covered by this detection, which focuses on post-exploitation activity.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (if needed): The attacker may need elevated privileges to modify certain registry keys. This can involve exploiting vulnerabilities or leveraging existing administrative rights.\u003c/li\u003e\n\u003cli\u003eRegistry Key Modification: The attacker modifies specific keys under \u003ccode\u003e\\Software\\Classes\u003c/code\u003e in the Windows Registry. 
Common targets include \u003ccode\u003e\\Folder\\ShellEx\\ExtShellFolderViews\u003c/code\u003e, \u003ccode\u003e\\.exe\u003c/code\u003e, and \u003ccode\u003e\\Directory\\Shellex\\DragDropHandlers\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003ePayload Implantation: The attacker modifies the registry entry to point to a malicious executable or script. This may involve replacing the default command or adding a new handler.\u003c/li\u003e\n\u003cli\u003eExecution Trigger: The malicious code is configured to execute when a user interacts with the associated file type or shell action (e.g., opening a .exe file, right-clicking a folder).\u003c/li\u003e\n\u003cli\u003eMalicious Payload Execution: When the configured trigger occurs, the malicious payload executes, giving the attacker control over the system.\u003c/li\u003e\n\u003cli\u003ePersistence Maintained: The modified registry keys ensure that the malicious payload will continue to execute whenever the trigger occurs, maintaining persistence across reboots or user logons.\u003c/li\u003e\n\u003cli\u003eObjective Achieved: The attacker leverages persistent access to achieve their objectives, such as data exfiltration, lateral movement, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to compromised systems, bypassing traditional security measures. This can lead to significant data breaches, financial losses, and reputational damage. The number of potential victims is broad, as any Windows system is potentially vulnerable. 
The types of damage possible range from credential theft to ransomware deployment, depending on the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Windows Registry auditing and monitor \u003ccode\u003eregistry_set\u003c/code\u003e events for modifications to keys under \u003ccode\u003e\\Software\\Classes\u003c/code\u003e to identify suspicious activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Classes Autorun Keys Modification\u0026rdquo; to your SIEM and tune the filters (\u003ccode\u003efilter_main_*\u003c/code\u003e, \u003ccode\u003efilter_optional_*\u003c/code\u003e) for your specific environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any registry modifications detected by the Sigma rule, focusing on unusual executables or scripts being launched from these locations.\u003c/li\u003e\n\u003cli\u003eRegularly review and update the filters in the Sigma rule to account for legitimate software changes in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-28T12:00:00Z","date_published":"2024-01-28T12:00:00Z","id":"/briefs/2024-01-28-classes-autorun-keys-modification/","summary":"Adversaries modify Windows Registry Classes keys to establish persistence by executing malicious code when specific file types are opened or actions are performed, potentially leading to privilege escalation and persistent access.","title":"Windows Registry Classes Autorun Keys Modification for Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-28-classes-autorun-keys-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["discovery","evasion","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly using obfuscated IP addresses (e.g., hexadecimal, octal, or other encoded representations) 
within download commands to bypass security measures that rely on simple IP address blacklisting or pattern matching. This technique makes it more difficult to identify malicious network connections based on simple string matching. The observed commands include \u003ccode\u003eInvoke-WebRequest\u003c/code\u003e, \u003ccode\u003eInvoke-RestMethod\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003eDownloadFile\u003c/code\u003e, and \u003ccode\u003eDownloadString\u003c/code\u003e. Defenders need to detect these obfuscated IPs to identify and block malicious download attempts. This technique has been observed across various attack campaigns and is a common tactic used to deliver malware while attempting to evade detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a command containing an obfuscated IP address. This may involve converting a standard IP address into its hexadecimal, octal, or decimal representation.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes a command-line tool such as \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, or PowerShell\u0026rsquo;s \u003ccode\u003eInvoke-WebRequest\u003c/code\u003e to initiate a download. 
The command includes the obfuscated IP within a URL.\u003c/li\u003e\n\u003cli\u003eThe command interpreter resolves the obfuscated IP address back to its standard format before initiating the network connection.\u003c/li\u003e\n\u003cli\u003eThe target host establishes a connection to the attacker\u0026rsquo;s server at the resolved IP address.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server delivers a malicious payload, such as a script, executable, or document containing macros.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is executed on the target system, potentially leading to further compromise, such as privilege escalation or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the download and execution of malware, potentially compromising the targeted system. This can result in data breaches, system disruption, or financial loss. The use of obfuscation techniques makes it more difficult to detect and prevent these attacks, increasing the risk of successful compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Obfuscated IP Download Activity\u0026rdquo; to your SIEM to detect the use of obfuscated IP addresses in download commands. 
Tune the rule for your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any process creation events that match the Sigma rule, paying close attention to the command-line arguments.\u003c/li\u003e\n\u003cli\u003eConsider implementing additional network-based detection mechanisms to identify connections to suspicious IP addresses, even if they are obfuscated.\u003c/li\u003e\n\u003cli\u003eMonitor process creation logs (Sysmon) for processes executing download commands like \u003ccode\u003eInvoke-WebRequest\u003c/code\u003e, \u003ccode\u003eInvoke-RestMethod\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003eDownloadFile\u003c/code\u003e, and \u003ccode\u003eDownloadString\u003c/code\u003e with suspicious arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-27T18:29:00Z","date_published":"2024-01-27T18:29:00Z","id":"/briefs/2024-01-obfuscated-ip-download/","summary":"This brief details the use of obfuscated IP addresses within download commands, often employed to evade detection by hiding the true destination of malicious downloads.","title":"Detection of Obfuscated IP Address Usage in Download Commands","url":"https://feed.craftedsignal.io/briefs/2024-01-obfuscated-ip-download/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Elastic Defend","Microsoft Defender XDR"],"_cs_severities":["medium"],"_cs_tags":["persistence","execution","privilege_escalation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eAttackers may configure existing Windows services or create new ones to execute system shells, in order to elevate their privileges from administrator to SYSTEM. This tactic is used to gain SYSTEM permissions and establish persistence. 
The detection rule focuses on identifying instances where \u003ccode\u003eservices.exe\u003c/code\u003e is the parent process of a command shell (cmd.exe, powershell.exe, pwsh.exe, powershell_ise.exe), indicating that a service is being abused to run a shell. The rule is designed to work with data from Elastic Defend, CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system with administrator privileges.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a legitimate service or creates a new service to abuse for privilege escalation.\u003c/li\u003e\n\u003cli\u003eAttacker modifies the service configuration to execute a command shell (cmd.exe, powershell.exe, pwsh.exe, or powershell_ise.exe). This may involve modifying the service\u0026rsquo;s executable path or adding command-line arguments.\u003c/li\u003e\n\u003cli\u003eThe system\u0026rsquo;s Service Control Manager (SCM) starts the service.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eservices.exe\u003c/code\u003e spawns the configured command shell process.\u003c/li\u003e\n\u003cli\u003eThe command shell executes with SYSTEM privileges.\u003c/li\u003e\n\u003cli\u003eAttacker uses the SYSTEM shell to perform malicious activities, such as installing malware, accessing sensitive data, or creating new user accounts.\u003c/li\u003e\n\u003cli\u003eThe service continues to run, providing persistent access to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to privilege escalation to SYSTEM, granting the attacker complete control over the compromised system. This can result in data theft, malware installation, or further lateral movement within the network. 
The rule has a risk score of 47 and is categorized as medium severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSystem Shells via Services\u003c/code\u003e to detect the execution of command shells spawned by \u003ccode\u003eservices.exe\u003c/code\u003e within your SIEM environment, and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any process creation events where \u003ccode\u003eservices.exe\u003c/code\u003e is the parent process of \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003epwsh.exe\u003c/code\u003e, or \u003ccode\u003epowershell_ise.exe\u003c/code\u003e using the investigation guide provided in the content section.\u003c/li\u003e\n\u003cli\u003eReview service creation and modification events in Windows Event Logs (Event IDs 4697 and 7045) for suspicious entries.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture detailed process information.\u003c/li\u003e\n\u003cli\u003eUtilize osquery to retrieve detailed service information to identify potentially malicious services. 
Reference queries $osquery_0, $osquery_1, and $osquery_2 in the investigation guide.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-system-shells-via-services/","summary":"Attackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM, using services.exe as the parent process of the shell.","title":"System Shells Launched via Windows Services","url":"https://feed.craftedsignal.io/briefs/2024-01-system-shells-via-services/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["uac-bypass","privilege-escalation","windows-firewall","mmc"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat involves the exploitation of a User Account Control (UAC) bypass technique on Windows systems. Attackers leverage the Microsoft Management Console (MMC) and its Windows Firewall snap-in (WF.msc) to execute arbitrary code with elevated privileges. By hijacking this trusted process, malicious actors can circumvent security measures designed to restrict unauthorized access and modifications to the system. This UAC bypass method allows attackers to stealthily execute code, potentially leading to privilege escalation, malware installation, or data exfiltration. The technique is relevant to defenders because it enables attackers to bypass standard security controls, increasing the risk of successful compromise. 
This activity has been observed in various forms and can be adapted to deliver a range of malicious payloads.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser executes a seemingly benign application or script.\u003c/li\u003e\n\u003cli\u003eThe application triggers the execution of \u003ccode\u003emmc.exe\u003c/code\u003e with the \u003ccode\u003eWF.msc\u003c/code\u003e argument, launching the Windows Firewall snap-in.\u003c/li\u003e\n\u003cli\u003eA malicious process is spawned as a child process of \u003ccode\u003emmc.exe\u003c/code\u003e. This is the key indicator of compromise.\u003c/li\u003e\n\u003cli\u003eThe malicious process exploits a vulnerability or misconfiguration within the MMC snap-in or related components.\u003c/li\u003e\n\u003cli\u003eThe exploited process gains elevated privileges, bypassing UAC restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker uses these elevated privileges to perform malicious actions, such as installing malware or modifying system settings.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence through registry modifications or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe final objective is achieved, such as data exfiltration, system compromise, or lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful UAC bypass can lead to a significant compromise of the targeted system. Attackers can install persistent backdoors, escalate privileges, and gain control over critical system functions. This can result in data theft, system instability, or complete system takeover. 
The impact is amplified in environments where UAC is relied upon as a primary security control, potentially affecting a large number of systems across an organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;UAC Bypass via Windows Firewall MMC Snap-In Hijack\u0026rdquo; to your SIEM to detect suspicious processes spawned by \u003ccode\u003emmc.exe\u003c/code\u003e with the \u0026ldquo;WF.msc\u0026rdquo; argument.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unexpected child processes of \u003ccode\u003emmc.exe\u003c/code\u003e using process monitoring tools and tune the Sigma rule accordingly.\u003c/li\u003e\n\u003cli\u003eEnable process auditing and Sysmon event logging (Event ID 1) to capture detailed information about process creations, as specified in the setup instructions of the original rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent process chain and the actions performed by the spawned process.\u003c/li\u003e\n\u003cli\u003eRefer to the references provided for more information on UAC bypass techniques and mitigation strategies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T10:00:00Z","date_published":"2024-01-24T10:00:00Z","id":"/briefs/2024-01-uac-bypass-winfw-mmc/","summary":"Attackers bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in to execute code with elevated permissions, potentially leading to system compromise.","title":"UAC Bypass via Windows Firewall MMC Snap-In 
Hijack","url":"https://feed.craftedsignal.io/briefs/2024-01-uac-bypass-winfw-mmc/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","privilege-escalation","process-injection"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eSvchost.exe (Service Host) is a critical Windows process responsible for hosting various Windows services. Attackers frequently target svchost.exe to disguise malicious activity, using techniques like process injection or file masquerading. By injecting malicious code into a legitimate svchost.exe process or creating a fake svchost.exe executable, attackers can evade detection and escalate privileges. This can be done by spawning the process with unusual arguments to trick the OS or a user. Detecting these anomalies is crucial for identifying potentially compromised systems. The attacks documented leveraging this technique started to gain prominence around 2018 and are still relevant in 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious executable or script to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into a legitimate svchost.exe process. 
Alternatively, the attacker may copy the svchost.exe executable and rename it, placing it in a different directory.\u003c/li\u003e\n\u003cli\u003eThe injected code or masqueraded executable executes with unusual command-line arguments, deviating from the standard \u0026ldquo;-k \u0026lt;servicegroup\u0026gt;\u0026rdquo; parameter.\u003c/li\u003e\n\u003cli\u003eThe malicious svchost process performs unauthorized actions, such as establishing network connections, modifying files, or creating new processes.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges of the svchost process to further compromise the system.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence by modifying registry keys or scheduling tasks.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is data exfiltration, lateral movement, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised svchost.exe processes can lead to significant system instability and data breaches. Attackers may leverage these processes to gain complete control over affected systems, potentially impacting hundreds or thousands of machines in a network. The consequences can include data theft, financial losses, and reputational damage. 
Ransomware groups, such as BlackByte/Exbyte, and APT groups, like APT41, have been observed using similar techniques to evade detection and achieve their objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Uncommon Svchost Command Line Parameter\u0026rdquo; to your SIEM to detect anomalous svchost.exe processes based on command-line arguments.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule to determine if they are indicative of malicious activity.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging, specifically capturing command-line arguments, to provide the necessary data for detection.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized executables, including masqueraded svchost.exe instances.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-23-svchost-uncommon-params/","summary":"Detection of svchost.exe executing with uncommon command-line parameters, excluding known legitimate patterns, which may indicate file masquerading, process injection, or process hollowing.","title":"Uncommon Svchost Command Line Parameters Indicate Potential Masquerading or Injection","url":"https://feed.craftedsignal.io/briefs/2024-01-23-svchost-uncommon-params/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["credential-access","powershell","ninjacopy"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eInvoke-NinjaCopy is a PowerShell script used to perform direct volume file access, enabling attackers to bypass traditional file access controls. This technique allows reading locked system files, such as the NTDS.dit or registry hives, which are essential for credential dumping. 
The script, often incorporated into post-exploitation frameworks like Empire, leverages stealth functions to minimize detection. Defenders need to monitor PowerShell script block content for the presence of Invoke-NinjaCopy or related \u0026ldquo;Stealth*\u0026rdquo; functions to identify potential credential access attempts. This activity is typically observed in Windows environments where attackers attempt to escalate privileges or move laterally within a network. The use of NinjaCopy allows attackers to grab sensitive data without being blocked by standard security measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script, either directly or through a command-line interface.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script contains the Invoke-NinjaCopy function or related StealthReadFile, StealthOpenFile functions.\u003c/li\u003e\n\u003cli\u003eThe script utilizes the StealthOpenFile function to directly access the volume where the target file resides (e.g., NTDS.dit).\u003c/li\u003e\n\u003cli\u003eStealthReadFile is used to read the contents of the target file, bypassing standard file access controls.\u003c/li\u003e\n\u003cli\u003eThe script copies the contents of the NTDS.dit or registry hives to a temporary location.\u003c/li\u003e\n\u003cli\u003eThe attacker dumps credentials from the copied NTDS.dit file using tools like secretsdump.py or other credential harvesting tools.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the harvested credentials to escalate privileges or move laterally within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of domain credentials, granting the attacker access to 
sensitive information and systems. Credential dumping from NTDS.dit or registry hives can expose user accounts, service accounts, and other privileged credentials. The impact ranges from data breaches and financial losses to complete network compromise and disruption of services. If successful, attackers may gain persistent access and control over critical infrastructure, potentially affecting thousands of users and systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging and monitor event ID 4104 for script content containing \u003ccode\u003eInvoke-NinjaCopy\u003c/code\u003e, \u003ccode\u003eStealthReadFile\u003c/code\u003e, \u003ccode\u003eStealthOpenFile\u003c/code\u003e, \u003ccode\u003eStealthCloseFileDelegate\u003c/code\u003e as described in the Overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Invoke-NinjaCopy script\u0026rdquo; to your SIEM and tune the rule for false positives in your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any PowerShell processes with command-line arguments that contain the identified keywords to identify potential attacker activity as outlined in the Attack Chain.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls on sensitive files like \u003ccode\u003eNTDS.dit\u003c/code\u003e and registry hives to limit the impact of successful credential access attempts.\u003c/li\u003e\n\u003cli\u003eReview PowerShell execution policies to prevent the execution of unsigned or untrusted scripts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T14:27:00Z","date_published":"2024-01-09T14:27:00Z","id":"/briefs/2024-01-09-invoke-ninjacopy/","summary":"The Invoke-NinjaCopy PowerShell script is used by attackers to directly access volume files, such as NTDS.dit or registry hives, for credential dumping.","title":"PowerShell Invoke-NinjaCopy Script 
Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-09-invoke-ninjacopy/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["attack.defense-evasion","attack.t1562.002"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may disable Windows EventLog autologger sessions by modifying registry values under \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\\u003c/code\u003e, thus evading detection and preventing security monitoring of early boot activities and system events. The AutoLogger event tracing session records events early in the operating system boot process, allowing applications and device drivers to capture traces before user login. Disabling these sessions can blind security monitoring tools, especially those focused on early boot activity, making it harder to detect malicious activity. Autologger settings are read when the session is created at boot, so the change takes effect on the next restart and leaves the running session untouched; the registry write itself is therefore the best moment to catch it. This technique allows attackers to operate with less scrutiny during critical phases of system startup, potentially enabling persistence or other malicious objectives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, possibly through exploitation of a vulnerability or through stolen credentials, and obtains administrative rights, which writing to this key requires.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker targets registry keys under \u003ccode\u003e\\Control\\WMI\\Autologger\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eStart\u003c/code\u003e value of a session such as EventLog-Application, EventLog-System or EventLog-Security to 0 so that the session is not started at boot.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker sets the \u003ccode\u003e Enabled\u003c/code\u003e value under a provider \u003ccode\u003e{GUID}\u003c/code\u003e subkey of the session to 0 to silence a single provider while the session itself keeps running.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the command, changing the registry value to disable the 
targeted autologger session or provider.\u003c/li\u003e\n\u003cli\u003eFrom the next boot on, the system no longer records events for the disabled autologger session or provider.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling the Windows EventLog autologger can severely impact an organization\u0026rsquo;s ability to detect and respond to threats. Security monitoring tools that rely on these logs will be unable to record early boot activities and system events, leading to a gap in visibility. This can allow attackers to establish persistence mechanisms, escalate privileges, or perform other malicious activities without being detected. The impact could range from undetected malware infections to significant data breaches, depending on the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eWindows EventLog Autologger Session Registry Modification Via CommandLine\u003c/code\u003e to your SIEM and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ereg.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, or \u003ccode\u003epwsh.exe\u003c/code\u003e with command-line arguments that contain \u003ccode\u003e\\Control\\WMI\\Autologger\\\u003c/code\u003e and either \u003ccode\u003eStart\u003c/code\u003e or \u003ccode\u003eEnabled\u003c/code\u003e based on the Sigma rule\u0026rsquo;s detections. This catches only changes made through a command line; malware calling RegSetValueEx directly leaves no such trace, so pair it with a Sysmon registry_set (Event ID 13) rule on the same key path.\u003c/li\u003e\n\u003cli\u003eImplement Atomic Red Team simulations to validate detections and train security staff.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of registry modifications related to Autologger sessions to determine if they are legitimate or 
malicious.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T14:22:00Z","date_published":"2024-01-09T14:22:00Z","id":"/briefs/2024-01-autologger-disable/","summary":"Adversaries may attempt to disable Windows EventLog autologger sessions via registry modification to evade detection and prevent security monitoring of early boot activities and system events.","title":"Windows EventLog Autologger Session Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-autologger-disable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["credential-access","lsass","seclogon","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat abuses the Windows Secondary Logon service (seclogon.dll, hosted in a svchost.exe instance) to obtain a handle to the Local Security Authority Subsystem Service (LSASS) process without the attacker\u0026rsquo;s own process ever opening it. The service opens processes on behalf of callers of CreateProcessWithLogonW; a crafted request makes it open lsass.exe instead of the real caller and leak the resulting handle to a process the attacker controls, which is then used to read LSASS memory. This technique is often employed as a precursor to credential dumping and lateral movement within a compromised network. The detection keys on Sysmon Event ID 10 records where the source is svchost.exe, the target is lsass.exe, the call trace passes through seclogon.dll and GrantedAccess is exactly 0x14c0. That mask decodes to PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_QUERY_INFORMATION | PROCESS_CREATE_PROCESS | PROCESS_DUP_HANDLE (0x1000 | 0x400 | 0x80 | 0x40): the rights seclogon requests for its own CreateProcessWithLogonW handling. PROCESS_DUP_HANDLE is the dangerous bit, because a handle carrying it lets the holder duplicate LSASS\u0026rsquo;s own full-access pseudo-handle into another process. 
Defenders should monitor for this activity as it indicates a potential attempt to compromise sensitive credentials stored within LSASS memory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., via phishing or exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes code within the context of a user account.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the Secondary Logon service (seclogon.dll) a crafted CreateProcessWithLogonW request that refers to the LSASS process where the service expects the caller.\u003c/li\u003e\n\u003cli\u003eThe seclogon service, running inside svchost.exe, opens lsass.exe with access rights 0x14c0; Sysmon records this as Event ID 10 with svchost.exe as SourceImage and seclogon.dll in the call trace.\u003c/li\u003e\n\u003cli\u003eThe service, acting on behalf of the attacker, leaks the LSASS handle into a process the attacker controls.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the leaked handle, upgrading it through its PROCESS_DUP_HANDLE right where needed, to read memory contents.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive information, such as user credentials (passwords, NTLM hashes, Kerberos tickets), from the LSASS memory.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials for lateral movement, privilege escalation, or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to steal user credentials, leading to unauthorized access to sensitive systems and data. This can result in data breaches, financial losses, and reputational damage. 
The compromise of domain administrator credentials can grant the attacker complete control over the entire Windows domain.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (event ID 1) and process access logging (event ID 10) to detect suspicious LSASS handle access, with a ProcessAccess rule that keeps lsass.exe as TargetImage and does not exclude svchost.exe as a source.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Lsass Handle Access via MalSecLogon\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the call trace, access rights, and source process.\u003c/li\u003e\n\u003cli\u003eMonitor authentication events for signs of credential misuse following suspicious LSASS access.\u003c/li\u003e\n\u003cli\u003eReview local administrator and debug-privilege exposure, LSASS protection such as RunAsPPL or Credential Guard where supported, and whether the Secondary Logon service is needed at all on critical servers.\u003c/li\u003e\n\u003cli\u003eAlert on the combination of GrantedAccess \u003ccode\u003e0x14c0\u003c/code\u003e, CallTrace matching \u003ccode\u003e*seclogon.dll*\u003c/code\u003e and TargetImage \u003ccode\u003elsass.exe\u003c/code\u003e in Sysmon Event ID 10. Sysmon only records the access; blocking has to come from LSASS protection (RunAsPPL or Credential Guard), not from the rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-mal-seclogon-lsass/","summary":"An attacker abuses the Secondary Logon service (seclogon.dll) to gain unauthorized access to the LSASS process, potentially leaking credentials.","title":"Suspicious LSASS Access via Malicious Secondary Logon Service","url":"https://feed.craftedsignal.io/briefs/2024-01-mal-seclogon-lsass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","timestomp","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis 
detection identifies attempts to modify the timestamps of executable files within sensitive directories on Windows systems, a technique known as timestomping. Timestomping is employed by adversaries to disguise malicious files as legitimate system components, making them harder to detect. The rule keys on Sysmon Event ID 2, which fires when a process changes the creation timestamp of a file, for files in directories like \u003ccode\u003eSystem32\u003c/code\u003e, \u003ccode\u003eSysWOW64\u003c/code\u003e, \u003ccode\u003eProgramData\u003c/code\u003e, and common startup locations. It excludes known legitimate processes to reduce false positives. The goal of this technique is to evade detection and maintain persistence within the compromised system. This behavior is typically associated with post-exploitation activity after initial access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means (e.g., exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious executable (e.g., a backdoor or malware dropper) to a location on the filesystem.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool or script to modify the creation timestamp of the malicious executable, for example PowerShell, where \u003ccode\u003eCreationTime\u003c/code\u003e is a writable property of the file object, or a custom tool calling \u003ccode\u003eSetFileTime\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe timestamp is set to match that of a legitimate system file in the same directory, such as a DLL in \u003ccode\u003eC:\\Windows\\System32\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker may then configure persistence for the timestomped executable, such as creating a registry entry in \u003ccode\u003eHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious executable remains dormant, blending in with other legitimate files and evading initial detection.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the execution of the timestomped executable, either 
manually or through scheduled tasks, registry entries or other persistence mechanisms.\u003c/li\u003e\n\u003cli\u003eThe malicious executable performs its intended function, such as establishing a reverse shell or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful timestomping can allow attackers to maintain a persistent presence on a compromised system while evading detection by security tools and administrators. This can lead to prolonged data theft, system compromise, and other malicious activities. The technique is often used in conjunction with other evasion methods to further obscure malicious activity. A successful attack could lead to data exfiltration, ransomware deployment, or long-term espionage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 2 (File creation time changed) logging, which requires a \u003ccode\u003eFileCreateTime\u003c/code\u003e rule in the Sysmon configuration, to capture timestomping activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Timestomp in Executable Files\u0026rdquo; to your SIEM to detect suspicious file timestamp modifications.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on processes modifying file creation times in sensitive system directories.\u003c/li\u003e\n\u003cli\u003eReview the process ancestry of processes modifying file timestamps to identify potentially malicious parent processes.\u003c/li\u003e\n\u003cli\u003eCorrelate a Sysmon Event ID 2 for a path with a later process creation event (Sysmon Event ID 1 or Security 4688) for the same path, so that a timestomped file is flagged when it runs.\u003c/li\u003e\n\u003cli\u003eDuring forensic review, compare the \u003ccode\u003e$STANDARD_INFORMATION\u003c/code\u003e and \u003ccode\u003e$FILE_NAME\u003c/code\u003e timestamps of the file in the MFT: SetFileTime rewrites only the former, so a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME creation time is a reliable indicator of timestomping.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-09-timestomp/","summary":"This rule identifies potential timestomping behavior on Windows systems where the creation time of executable files in sensitive system directories is modified, potentially 
to blend malicious executables with legitimate system files and evade detection.","title":"Potential Timestomping of Executable Files on Windows","url":"https://feed.craftedsignal.io/briefs/2024-01-09-timestomp/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Endgame","Kaspersky Security for Windows Server","Desktop Central Agent","SAP NW Setup"],"_cs_severities":["medium"],"_cs_tags":["persistence","app-compat","shim","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SAP","Kaspersky","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers can exploit the Windows Application Compatibility Shim functionality to maintain persistence and execute arbitrary code within legitimate Windows processes. This is achieved by installing custom shim databases, which are designed to ensure older applications run smoothly on newer operating systems. A custom database can apply built-in shims such as InjectDll or RedirectEXE, or an in-memory patch, to a chosen executable, which gives the attacker code execution inside a trusted process without touching its file on disk. The rule detects changes in specific registry paths associated with the installation of these databases, excluding known legitimate processes to minimize false positives. This technique allows for the execution of malicious code without directly modifying the target application\u0026rsquo;s executable, making it difficult to detect with traditional methods.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability) and obtains administrative rights, which registering a machine-wide shim requires.\u003c/li\u003e\n\u003cli\u003eThe attacker registers a custom shim database, either with the built-in \u003ccode\u003esdbinst.exe\u003c/code\u003e or by writing the registry entries directly to avoid a conspicuous process. 
The keys involved are \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\\u003c/code\u003e, with one entry per targeted executable, and \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\\u003c/code\u003e, which records the database GUID and its DatabasePath.\u003c/li\u003e\n\u003cli\u003eThe attacker writes a malicious \u003ccode\u003e.sdb\u003c/code\u003e file containing the custom shim database to a location on disk; sdbinst.exe copies it into \u003ccode\u003e%SystemRoot%\\AppPatch\\Custom\u003c/code\u003e, whereas a direct registration can point anywhere, including user-writable paths.\u003c/li\u003e\n\u003cli\u003eThe registry entry created points to the malicious \u003ccode\u003e.sdb\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eWhen a targeted application is launched, Windows checks the AppCompatFlags registry keys.\u003c/li\u003e\n\u003cli\u003eThe system loads the malicious shim database specified in the registry.\u003c/li\u003e\n\u003cli\u003eThe shims the database specifies run in the context of the targeted application, for example loading an attacker-controlled DLL or redirecting execution to another binary.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence, as the malicious shim database is loaded every time the targeted application is run.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to the system, even after reboots or software updates. The injected code runs within the context of a legitimate process, which can evade detection by traditional security tools. This can lead to data theft, system compromise, or further malicious activities, such as lateral movement within the network. 
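\u003c/p\u003e\n\u003cp\u003eAs an added illustration (this is not code from the brief or from the Sigma rule it describes), the following Python evaluates constructed Sysmon RegistryEvent records, Event ID 12/13 with the fields TargetObject, Image and Details as Sysmon emits them, against the registration pattern above. The allow-list of installers and the sample events are assumptions made for the example. The escalation step is the practitioner check worth adding: a DatabasePath under InstalledSDB that points outside \u003ccode\u003e%SystemRoot%\\AppPatch\\Custom\u003c/code\u003e, where sdbinst.exe places every database it installs, means the registry was written directly.\u003c/p\u003e\n
```python
# Added example (not from the brief or its Sigma rule): flag custom shim
# database registrations in Sysmon RegistryEvent records (Event ID 12/13).
from typing import Dict, List, Optional

SHIM_ROOT = 'hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\'
# Where sdbinst.exe copies the databases it installs.
APPPATCH_DIR = 'c:\\windows\\apppatch\\custom\\'
# Assumed allow-list of installers known to register shims here (hypothetical).
ALLOWED_IMAGES = (
    'c:\\$windows.~bt\\sources\\setupplatform.exe',
    'c:\\program files (x86)\\sap\\sapsetup\\setup\\nwsapsetup.exe',
)


def shim_registry_hit(ev: Dict[str, str]) -> Optional[Dict[str, str]]:
    '''Return a finding when the event writes under AppCompatFlags\\Custom\\*\\*.sdb
    or AppCompatFlags\\InstalledSDB\\*, unless the writing process is allow-listed.
    None means the event is not interesting to this rule.'''
    key = ev.get('TargetObject', '').lower()
    image = ev.get('Image', '').lower()
    if not key.startswith(SHIM_ROOT):
        return None
    sub = key[len(SHIM_ROOT):]
    custom_sdb = sub.startswith('custom\\') and sub.endswith('.sdb')
    installed = sub.startswith('installedsdb\\')
    if not (custom_sdb or installed) or image in ALLOWED_IMAGES:
        return None
    finding = {'rule': 'custom_shim_database_install', 'severity': 'medium',
               'image': image, 'key': key}
    # DatabasePath values written by sdbinst.exe point into AppPatch\Custom;
    # anything else means the registry was edited directly.
    details = ev.get('Details', '').lower()
    if sub.endswith('\\databasepath') and details and not details.startswith(APPPATCH_DIR):
        finding['severity'] = 'high'
        finding['sdb_path'] = details
    return finding


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    '''Evaluate a batch of events and keep only the findings.'''
    return [f for f in (shim_registry_hit(e) for e in events) if f]


# Constructed Sysmon EID 13 samples (field names as Sysmon emits them).
SAMPLE_EVENTS = [
    {'Image': 'C:\\Windows\\System32\\reg.exe',   # direct write, user-writable .sdb
     'TargetObject': 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\{1f3c6d2a-0b7e-4c1d-9a6f-2e0b5d8c4a11}\\DatabasePath',
     'Details': 'C:\\Users\\Public\\svc.sdb'},
    {'Image': 'C:\\Windows\\System32\\reg.exe',   # direct write, Custom entry for notepad.exe
     'TargetObject': 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\notepad.exe\\{1f3c6d2a-0b7e-4c1d-9a6f-2e0b5d8c4a11}.sdb',
     'Details': 'QWORD (0x01da4200-0x1b2c3d4e)'},
    {'Image': 'C:\\Windows\\System32\\sdbinst.exe',   # regular sdbinst install, still worth review
     'TargetObject': 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\{9a1b2c3d-4e5f-4a6b-8c7d-0e1f2a3b4c5d}\\DatabasePath',
     'Details': 'C:\\Windows\\AppPatch\\Custom\\{9a1b2c3d-4e5f-4a6b-8c7d-0e1f2a3b4c5d}.sdb'},
    {'Image': 'C:\\$WINDOWS.~BT\\Sources\\SetupPlatform.exe',   # allow-listed installer
     'TargetObject': 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\setup.exe\\{5d6e7f80-1a2b-4c3d-9e0f-1a2b3c4d5e6f}.sdb',
     'Details': 'QWORD (0x01da4200-0x1b2c3d4e)'},
    {'Image': 'C:\\Windows\\System32\\reg.exe',   # unrelated key
     'TargetObject': 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater',
     'Details': 'C:\\Users\\Public\\svc.exe'},
]

if __name__ == '__main__':
    for f in scan(SAMPLE_EVENTS):
        print(f['severity'], f['image'], f.get('sdb_path', f['key']))
```
\n\u003cp\u003eRunning the block yields three findings from the five samples: the direct InstalledSDB write pointing at a user-writable path (high), the Custom entry written by reg.exe and the sdbinst.exe registration (both medium, for review), while the allow-listed installer and the unrelated Run key produce nothing. In a SIEM the same conditions map onto the registry_set fields TargetObject, Image and Details.\u003c/p\u003e\n\u003cp\u003e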
The use of application shimming for persistence affects systems running Windows and can impact organizations of any size or sector.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Custom Shim Database Installation\u003c/code\u003e to your SIEM to identify suspicious registry modifications related to application shimming.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging (Event IDs 12, 13 and 14, with a RegistryEvent rule that covers \u003ccode\u003eAppCompatFlags\\Custom\u003c/code\u003e and \u003ccode\u003eAppCompatFlags\\InstalledSDB\u003c/code\u003e) to ensure the necessary data is available for the Sigma rule to function.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on processes that are not in the exclusion list.\u003c/li\u003e\n\u003cli\u003eRemove identified malicious databases with \u003ccode\u003esdbinst.exe -u\u003c/code\u003e (or delete the corresponding Custom and InstalledSDB entries) and quarantine the \u003ccode\u003e.sdb\u003c/code\u003e file; quarantining the file alone leaves the registration in place.\u003c/li\u003e\n\u003cli\u003eReview and update the exclusion list in the Sigma rule with any newly identified legitimate applications that use shim databases, reducing false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-09-app-compat-shim-persistence/","summary":"Attackers abuse the Application Compatibility Shim functionality in Windows to establish persistence and achieve arbitrary code execution by installing malicious shim databases, which this detection identifies through monitoring registry changes.","title":"Detection of Custom Shim Database Installation for Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-09-app-compat-shim-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","masquerading"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Intel","IBM"],"content_html":"\u003cp\u003eThis detection identifies process execution from suspicious 
default Windows directories. Attackers may hide malware in trusted paths to evade defenses, making it difficult for analysts to distinguish between legitimate and malicious activity. The detection focuses on identifying processes running from directories like C:\\PerfLogs, C:\\Users\\Public, and various Windows subdirectories (e.g., C:\\Windows\\Tasks, C:\\Windows\\AppReadiness), where executable files are not typically expected to reside. The detection excludes known legitimate processes like SpeechUXWiz.exe, SystemSettings.exe and TrustedInstaller.exe, as well as certain Intel and IBM executables, to reduce false positives. This technique is often used to bypass security controls or take advantage of existing exceptions applied to these directories. This activity was observed being used by threat actors in the Siestagraph campaign.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious executable into a suspicious directory like C:\\Users\\Public or C:\\Windows\\Tasks, both of which are writable without administrative rights.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malware from the unusual directory. 
This might be achieved using \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe executed malware establishes persistence by creating a scheduled task or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eThe malware connects to a command-and-control (C2) server to receive further instructions.\u003c/li\u003e\n\u003cli\u003eThe C2 server instructs the malware to perform reconnaissance on the network.\u003c/li\u003e\n\u003cli\u003eThe malware attempts to move laterally to other systems on the network using techniques like pass-the-hash or exploiting vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration, ransomware deployment, or establishing long-term access to the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary code, persistence on the system, and further compromise of the network. Attackers can use this technique to bypass security controls and evade detection, potentially leading to data breaches, financial loss, or disruption of services. 
While the rule itself has a medium severity, the impact of a successful attack using this technique can be severe, depending on the attacker\u0026rsquo;s objectives and the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Process Execution from Unusual Directory\u0026rdquo; to your SIEM and tune for your environment to detect suspicious process execution.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine if the process execution is legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging, specifically Event ID 4688 with command line process auditing, to ensure the Sigma rule has the necessary data to function effectively.\u003c/li\u003e\n\u003cli\u003eReview and harden permissions on the listed suspicious directories to prevent unauthorized file creation and execution.\u003c/li\u003e\n\u003cli\u003eBlock execution of unsigned or untrusted executables from these directories using application control solutions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"/briefs/2024-01-process-execution-from-unusual-directory/","summary":"Adversaries may execute processes from unusual default Windows directories to masquerade malware and evade defenses by blending in with trusted paths, making malicious activity harder to detect.","title":"Process Execution from Suspicious Windows Directories","url":"https://feed.craftedsignal.io/briefs/2024-01-process-execution-from-unusual-directory/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","dcom","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies the abuse of Distributed Component Object Model (DCOM) for lateral movement 
within a Windows environment. DCOM allows software components to communicate across a network, and attackers may leverage it to execute commands remotely. This rule specifically focuses on the use of the ShellBrowserWindow or ShellWindows Application COM objects as the launching point for these remote commands. The technique enables stealthy lateral movement, as it leverages legitimate Windows functionality and needs no payload on the target. This activity is detected by identifying incoming TCP connections on high ports associated with \u003ccode\u003eexplorer.exe\u003c/code\u003e, followed by \u003ccode\u003eexplorer.exe\u003c/code\u003e spawning child processes, which is indicative of DCOM abuse: an interactive user launching a program from the shell does not come with an inbound RPC connection. The rule is designed to detect this behavior and alert security teams to potential unauthorized lateral movement attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised host within the network and holds credentials with local administrator rights on the target, which remote activation of these objects requires.\u003c/li\u003e\n\u003cli\u003eThe attacker uses DCOM to initiate a connection to a target host.\u003c/li\u003e\n\u003cli\u003eThe client first contacts the RPC endpoint mapper on TCP 135, which returns the dynamic port (49152 and above by default) on which the object server listens; the DCOM connection is then established to that high port.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eexplorer.exe\u003c/code\u003e process on the target host, which hosts the ShellWindows (CLSID 9BA05972-F6A8-11CF-A442-00A0C90A8F39) and ShellBrowserWindow (CLSID C08AFD90-F2A1-11D1-8455-00A0C91F3880) objects, receives the DCOM connection.\u003c/li\u003e\n\u003cli\u003eThe attacker calls \u003ccode\u003eDocument.Application.ShellExecute\u003c/code\u003e on the ShellBrowserWindow or ShellWindows object to execute commands.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eexplorer.exe\u003c/code\u003e spawns a child process to execute the attacker-supplied command.\u003c/li\u003e\n\u003cli\u003eThe spawned process performs malicious actions, such as reconnaissance or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary commands on the target system, leading to potential data exfiltration, system compromise, and further lateral movement within the network. 
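\u003c/p\u003e\n\u003cp\u003eThe correlation the rule performs, written out as an added Python example (it is not code from the brief or from the Sigma rule): a Sysmon Event ID 3 in which explorer.exe accepted, rather than initiated, a TCP connection on a port at or above 49152 is paired with every Event ID 1 on the same host whose parent is explorer.exe and which starts within a short window afterwards. The 30-second window, host names, addresses and events are assumptions. One caveat the code cannot fix: Sysmon only emits Event ID 3 for explorer.exe if the NetworkConnect rule in its configuration includes it, and many baseline configurations drop explorer.exe as noisy.\u003c/p\u003e\n
```python
# Added example (not from the brief or its Sigma rule): correlate an inbound
# DCOM connection to explorer.exe (Sysmon Event ID 3) with the child process it
# spawns shortly afterwards (Sysmon Event ID 1). Sample events are constructed.
from datetime import datetime, timedelta
from typing import List

WINDOW = timedelta(seconds=30)   # assumed correlation window
DYNAMIC_RPC_FLOOR = 49152        # default dynamic RPC port range starts here


def _ts(s: str) -> datetime:
    return datetime.strptime(s, '%Y-%m-%d %H:%M:%S')


def _base(path: str) -> str:
    return path.rsplit('\\', 1)[-1].lower()


def inbound_dcom_to_explorer(ev: dict) -> bool:
    '''EID 3 where explorer.exe accepted (did not initiate) a TCP connection on a
    dynamic RPC port: the shape of a remote ShellWindows/ShellBrowserWindow activation.'''
    return bool(ev['EventID'] == 3
                and _base(ev['Image']) == 'explorer.exe'
                and ev['Initiated'] == 'false'
                and ev['Protocol'] == 'tcp'
                and int(ev['DestinationPort']) >= DYNAMIC_RPC_FLOOR)


def correlate(events: List[dict]) -> List[dict]:
    '''For each inbound DCOM connection, report explorer.exe children that start
    on the same host within WINDOW after it.'''
    ordered = sorted(events, key=lambda e: _ts(e['UtcTime']))
    hits = []
    for conn in (e for e in ordered if inbound_dcom_to_explorer(e)):
        t0 = _ts(conn['UtcTime'])
        for proc in ordered:
            if proc['EventID'] != 1 or proc['Computer'] != conn['Computer']:
                continue
            if _base(proc['ParentImage']) != 'explorer.exe':
                continue
            delay = _ts(proc['UtcTime']) - t0
            if delay >= timedelta(0) and WINDOW >= delay:
                hits.append({'host': conn['Computer'], 'remote': conn['SourceIp'],
                             'child': _base(proc['Image']), 'cmd': proc['CommandLine'],
                             'delay_s': int(delay.total_seconds())})
    return hits


# Constructed Sysmon events; DestinationPort is the local port for inbound EID 3.
SAMPLE_EVENTS = [
    {'EventID': 3, 'Computer': 'WS01', 'UtcTime': '2024-01-04 10:15:02',
     'Image': 'C:\\Windows\\explorer.exe', 'Protocol': 'tcp', 'Initiated': 'false',
     'SourceIp': '10.0.0.5', 'SourcePort': '55820',
     'DestinationIp': '10.0.0.21', 'DestinationPort': '49667'},
    {'EventID': 1, 'Computer': 'WS01', 'UtcTime': '2024-01-04 10:15:03',
     'Image': 'C:\\Windows\\System32\\cmd.exe', 'ParentImage': 'C:\\Windows\\explorer.exe',
     'CommandLine': 'cmd.exe /c whoami /all'},
    {'EventID': 1, 'Computer': 'WS01', 'UtcTime': '2024-01-04 10:20:00',   # outside the window
     'Image': 'C:\\Windows\\System32\\notepad.exe', 'ParentImage': 'C:\\Windows\\explorer.exe',
     'CommandLine': 'notepad.exe'},
    {'EventID': 3, 'Computer': 'WS01', 'UtcTime': '2024-01-04 10:15:10',   # outbound, ignored
     'Image': 'C:\\Windows\\explorer.exe', 'Protocol': 'tcp', 'Initiated': 'true',
     'SourceIp': '10.0.0.21', 'SourcePort': '51002',
     'DestinationIp': '52.1.2.3', 'DestinationPort': '443'},
    {'EventID': 1, 'Computer': 'WS02', 'UtcTime': '2024-01-04 10:15:03',   # other host
     'Image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'ParentImage': 'C:\\Windows\\explorer.exe', 'CommandLine': 'powershell.exe -nop'},
]

if __name__ == '__main__':
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```
\n\u003cp\u003eOnly the cmd.exe child on WS01, one second after the inbound connection from 10.0.0.5, is reported; the later notepad.exe launch, the outbound HTTPS connection and the child on the other host are all discarded, which is the separation between interactive shell use and DCOM activation that the rule relies on.\u003c/p\u003e\n\u003cp\u003e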
This can result in significant damage, including data breaches, financial losses, and reputational harm. DCOM is enabled by default on Windows hosts, so this technique could be broadly applicable across many victim organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;DCOM Lateral Movement with Explorer.exe\u0026rdquo; to your SIEM and tune for your environment to detect suspicious process creations spawned by explorer.exe.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 3 (Network Connection) and Event ID 1 (Process Creation) logging to ensure the required data is available for the Sigma rule to function correctly, and check that the NetworkConnect rule in your Sysmon configuration does not exclude \u003ccode\u003eexplorer.exe\u003c/code\u003e, which baseline configurations often drop as noisy.\u003c/li\u003e\n\u003cli\u003eReview network activity for incoming TCP connections to high ports (49152 and above, the default dynamic RPC range) associated with \u003ccode\u003eexplorer.exe\u003c/code\u003e, as highlighted in the \u0026ldquo;Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows\u0026rdquo; detection.\u003c/li\u003e\n\u003cli\u003eInvestigate any unusual or unexpected child processes spawned by \u003ccode\u003eexplorer.exe\u003c/code\u003e, as detected by the Sigma rule.\u003c/li\u003e\n\u003cli\u003eRestrict inbound RPC (TCP 135 and the dynamic range) to management hosts with Windows Firewall, and keep local administrator membership minimal, since remote activation of these objects requires administrative rights on the target.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"/briefs/2024-01-dcom-lateral-movement/","summary":"This analytic identifies the use of Distributed Component Object Model (DCOM) to execute commands on a remote host, specifically when launched via ShellBrowserWindow or ShellWindows Application COM objects, indicating potential lateral movement by an attacker.","title":"DCOM Lateral Movement via ShellWindows/ShellBrowserWindow","url":"https://feed.craftedsignal.io/briefs/2024-01-dcom-lateral-movement/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["persistence","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious program executions initiated by scheduled tasks on Windows systems. Adversaries often exploit scheduled tasks for persistence and to execute malicious programs. This rule focuses on commonly abused, legitimate system binaries such as PowerShell, cmd and mshta when they are launched from unusual file paths like user directories or temporary folders. It leverages process lineage analysis, specifically looking for processes spawned by \u003ccode\u003esvchost.exe\u003c/code\u003e with the \u0026ldquo;Schedule\u0026rdquo; argument, to determine if the execution originated from a scheduled task. The rule aims to pinpoint potential threats effectively by excluding benign processes and focusing on suspicious combinations of executables and paths. The rule was last updated on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a scheduled task to execute a malicious payload. This task is designed to run at a specific time or event.\u003c/li\u003e\n\u003cli\u003eThe Windows Task Scheduler service (\u003ccode\u003esvchost.exe\u003c/code\u003e with the \u0026ldquo;-s Schedule\u0026rdquo; argument) initiates the scheduled task.\u003c/li\u003e\n\u003cli\u003eThe scheduled task executes a suspicious executable, such as \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, or \u003ccode\u003emshta.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe suspicious executable is launched from, or is passed a payload in, an unusual path such as \u003ccode\u003eC:\\Users\\\u003c/code\u003e, \u003ccode\u003eC:\\ProgramData\\\u003c/code\u003e, or \u003ccode\u003eC:\\Windows\\Temp\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe executed payload performs malicious activities, such as downloading additional malware, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence on the system through the scheduled task, allowing for repeated execution of the malicious payload.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to the compromised system, execute malicious code, and potentially escalate privileges. This can lead to data theft, system compromise, and further lateral movement within the network. 
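\u003c/p\u003e\n\u003cp\u003eThe lineage test above, applied to constructed Sysmon Event ID 1 records in an added Python example (not code from the brief or its Sigma rule). It identifies the Task Scheduler host by the \u003ccode\u003e-s Schedule\u003c/code\u003e argument in ParentCommandLine rather than by the parent image alone, since many unrelated services also live in svchost.exe; matches the child on OriginalFileName, which comes from the PE version resource, so a renamed copy of powershell.exe still counts; and checks both the image path and the command line for the suspicious directories, because the payload is usually a script passed as an argument. The allow-listed command line is a hypothetical exclusion of the kind the rule expects you to maintain.\u003c/p\u003e\n
```python
# Added example (not from the brief or its Sigma rule): apply the process-lineage
# logic to Sysmon Event ID 1 records. Sample events are constructed.
from typing import Dict, List, Optional

# OriginalFileName values the rule watches (PE version resource, survives renaming).
WATCHED_ORIGINALS = {'powershell.exe', 'cmd.exe', 'mshta.exe', 'cscript.exe',
                     'wscript.exe', 'rundll32.exe', 'regsvr32.exe'}
SUSPICIOUS_DIRS = ('c:\\users\\', 'c:\\programdata\\', 'c:\\windows\\temp\\',
                   'c:\\windows\\tasks\\')
# Assumed exclusion for a known-good task in this environment (hypothetical).
ALLOWED_COMMANDLINES = ('c:\\programdata\\vendorbackup\\nightly.cmd',)


def spawned_by_task_scheduler(ev: Dict[str, str]) -> bool:
    '''The Task Scheduler service runs in a svchost.exe started with -s Schedule.'''
    parent = ev.get('ParentImage', '').lower()
    pcmd = ev.get('ParentCommandLine', '').lower()
    return parent.endswith('\\svchost.exe') and ' -s schedule' in pcmd


def suspicious_task_execution(ev: Dict[str, str]) -> Optional[Dict[str, object]]:
    '''Return a finding when a watched binary is run by the Task Scheduler with a
    suspicious path in its image or arguments; None otherwise.'''
    if not spawned_by_task_scheduler(ev):
        return None
    original = ev.get('OriginalFileName', '').lower()
    cmd = ev.get('CommandLine', '').lower()
    image = ev.get('Image', '').lower()
    if original not in WATCHED_ORIGINALS:
        return None
    if any(allowed in cmd for allowed in ALLOWED_COMMANDLINES):
        return None
    # The suspicious path may be the executable itself or a script it is given.
    hit_dirs = [d for d in SUSPICIOUS_DIRS if d in cmd or image.startswith(d)]
    if not hit_dirs:
        return None
    return {'rule': 'suspicious_execution_via_scheduled_task', 'image': image,
            'original': original, 'paths': hit_dirs, 'cmd': ev.get('CommandLine', '')}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [f for f in (suspicious_task_execution(e) for e in events) if f]


SCHED = 'C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule'
SVCHOST = 'C:\\Windows\\System32\\svchost.exe'
SAMPLE_EVENTS = [
    {'Image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'OriginalFileName': 'PowerShell.EXE',
     'CommandLine': 'powershell.exe -nop -w hidden -ep bypass -File C:\\Users\\Public\\update.ps1',
     'ParentImage': SVCHOST, 'ParentCommandLine': SCHED},                    # fires
    {'Image': 'C:\\Windows\\System32\\cmd.exe', 'OriginalFileName': 'Cmd.Exe',
     'CommandLine': 'cmd.exe /c C:\\ProgramData\\VendorBackup\\nightly.cmd',
     'ParentImage': SVCHOST, 'ParentCommandLine': SCHED},                    # allow-listed
    {'Image': 'C:\\Program Files\\Vendor\\updater.exe', 'OriginalFileName': 'updater.exe',
     'CommandLine': 'updater.exe /silent',
     'ParentImage': SVCHOST, 'ParentCommandLine': SCHED},                    # not a watched binary
    {'Image': 'C:\\Windows\\System32\\mshta.exe', 'OriginalFileName': 'MSHTA.EXE',
     'CommandLine': 'mshta.exe C:\\Windows\\Temp\\p.hta',
     'ParentImage': SVCHOST,
     'ParentCommandLine': 'C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'},  # other svchost
    {'Image': 'C:\\Windows\\System32\\cmd.exe', 'OriginalFileName': 'Cmd.Exe',
     'CommandLine': 'cmd.exe /c C:\\Users\\jdoe\\run.bat',
     'ParentImage': 'C:\\Windows\\explorer.exe', 'ParentCommandLine': 'C:\\Windows\\Explorer.EXE'},  # interactive
]

if __name__ == '__main__':
    for f in scan(SAMPLE_EVENTS):
        print(f['original'], f['paths'], f['cmd'])
```
\n\u003cp\u003eOnly the first sample fires. The fourth one, mshta.exe launching an HTA from C:\\Windows\\Temp under a different svchost.exe, is exactly the kind of execution the unusual-directory rule on this page exists for; this rule deliberately stays narrow on lineage so that its alerts can be triaged quickly.\u003c/p\u003e\n\u003cp\u003e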
The damage includes potential data exfiltration, malware installation, and disruption of normal system operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to detect suspicious executions; the rule reads logs-endpoint.events.process-* and logs-windows.sysmon_operational-*, i.e., endpoint agent or Sysmon Event ID 1 data.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Execution via Scheduled Task\u0026rdquo; to your SIEM to identify potentially malicious processes executed via scheduled tasks. Tune the rule by extending its exclusion list for legitimate software installations or updates rather than by loosening the path or lineage conditions.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on processes with suspicious original file names and command line arguments (process.pe.original_file_name, process.args).\u003c/li\u003e\n\u003cli\u003eMonitor scheduled tasks for unauthorized modifications or additions, as this is a common technique for persistence: Task Scheduler writes each task under \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\u003c/code\u003e, so a Sysmon registry_set (Event ID 13) rule on that key, or Security event 4698 (task created) with Audit Other Object Access Events enabled, captures new tasks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:00:00Z","date_published":"2024-01-03T18:00:00Z","id":"/briefs/2024-01-suspicious-scheduled-task-runtime/","summary":"This rule identifies execution of suspicious programs via scheduled tasks by looking at process lineage and command line usage, detecting processes such as cscript.exe, powershell.exe, and cmd.exe when executed from suspicious paths like C:\\Users\\ and C:\\ProgramData\\.","title":"Suspicious Execution via Scheduled Task","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-scheduled-task-runtime/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["credential-access","lsass","duplicatehandle","mirrordump","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies suspicious attempts to access the Local 
Security Authority Subsystem Service (LSASS) memory via the DuplicateHandle function on Windows systems. LSASS is a critical process that manages user credentials, making it a prime target for credential dumping attacks. Attackers may use DuplicateHandle to avoid ever calling NtOpenProcess on LSASS from their own process, which is what most monitoring keys on. The rule focuses on EventCode 10 records in which lsass.exe is the source process, requesting PROCESS_DUP_HANDLE access (0x40) on another process, with a call trace containing \u003ccode\u003eUNKNOWN\u003c/code\u003e, i.e., a frame in memory that is not backed by any loaded module. This technique is often associated with tools like MirrorDump.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system (e.g., via phishing or exploitation of a vulnerability) and obtains administrative rights.\u003c/li\u003e\n\u003cli\u003eThe attacker gets code running inside LSASS, for example by registering a short-lived LSA plugin (a security package) that LSASS loads, which is how MirrorDump works.\u003c/li\u003e\n\u003cli\u003eThe code inside LSASS opens the attacker\u0026rsquo;s own process with PROCESS_DUP_HANDLE (0x40); this is the Sysmon Event ID 10 record, with lsass.exe as SourceImage and the attacker process as TargetImage.\u003c/li\u003e\n\u003cli\u003eThe call originates from memory with no backing module, so the call trace shows \u0026ldquo;\u003ccode\u003eUNKNOWN\u003c/code\u003e\u0026rdquo; in place of a DLL name.\u003c/li\u003e\n\u003cli\u003eUsing that handle, the code calls DuplicateHandle to copy LSASS\u0026rsquo;s own full-access pseudo-handle into the attacker\u0026rsquo;s process; no process other than LSASS ever opens lsass.exe, which defeats NtOpenProcess-based monitoring.\u003c/li\u003e\n\u003cli\u003eWith a valid handle to LSASS, the attacker dumps the LSASS memory (e.g., with MiniDumpWriteDump) to a file or other location.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the dumped memory offline to extract sensitive credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials for lateral movement, privilege escalation, or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to the compromise of user credentials, including domain administrator accounts. 
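\u003c/p\u003e\n\u003cp\u003eThe two LSASS handle-access detections on this page, the MalSecLogon pattern and the DuplicateHandle pattern just described, both read the same Sysmon Event ID 10 fields, so one added Python example covers both (it is not part of either brief or of the Sigma rules). It decodes GrantedAccess into PROCESS_* rights, which is how an analyst sees that 0x14c0 carries PROCESS_DUP_HANDLE, and runs both checks over constructed events, including a benign svchost.exe query on lsass.exe that neither rule should fire on. The call traces and paths are constructed samples in the format Sysmon uses.\u003c/p\u003e\n
```python
# Added example (not from either brief or the Sigma rules): evaluate Sysmon
# Event ID 10 (ProcessAccess) records against the MalSecLogon and
# DuplicateHandle/MirrorDump patterns. The sample events are constructed.
from typing import Dict, List, Tuple

# PROCESS_* access rights from winnt.h, used to decode GrantedAccess.
PROCESS_RIGHTS = {
    0x0001: 'TERMINATE', 0x0002: 'CREATE_THREAD', 0x0008: 'VM_OPERATION',
    0x0010: 'VM_READ', 0x0020: 'VM_WRITE', 0x0040: 'DUP_HANDLE',
    0x0080: 'CREATE_PROCESS', 0x0100: 'SET_QUOTA', 0x0200: 'SET_INFORMATION',
    0x0400: 'QUERY_INFORMATION', 0x0800: 'SUSPEND_RESUME',
    0x1000: 'QUERY_LIMITED_INFORMATION',
}


def decode_access(mask: int) -> List[str]:
    '''Name every PROCESS_* bit set in a GrantedAccess mask, lowest bit first.'''
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def image_name(path: str) -> str:
    '''Basename of a Windows image path, lower-cased for comparison.'''
    return path.rsplit('\\', 1)[-1].lower()


def is_malseclogon(ev: Dict[str, str]) -> bool:
    '''seclogon.dll (inside svchost.exe) opened lsass.exe with exactly 0x14c0,
    the mask it uses when handling CreateProcessWithLogonW; DUP_HANDLE is the
    bit that turns the leaked handle into full LSASS access.'''
    return (image_name(ev['TargetImage']) == 'lsass.exe'
            and image_name(ev['SourceImage']) == 'svchost.exe'
            and int(ev['GrantedAccess'], 16) == 0x14C0
            and 'seclogon.dll' in ev['CallTrace'].lower())


def is_lsass_duphandle(ev: Dict[str, str]) -> bool:
    '''lsass.exe is the SOURCE, asking for PROCESS_DUP_HANDLE (0x40) on another
    process from a stack frame with no backing module (UNKNOWN).'''
    return (image_name(ev['SourceImage']) == 'lsass.exe'
            and int(ev['GrantedAccess'], 16) == 0x40
            and 'unknown' in ev['CallTrace'].lower())


RULES = (('malseclogon', is_malseclogon), ('lsass_duphandle', is_lsass_duphandle))


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str, str, List[str]]]:
    '''Return (rule, source image, target image, decoded rights) per matching event.'''
    hits = []
    for ev in events:
        for rule, check in RULES:
            if check(ev):
                hits.append((rule, image_name(ev['SourceImage']),
                             image_name(ev['TargetImage']),
                             decode_access(int(ev['GrantedAccess'], 16))))
    return hits


# Constructed call-trace prefix shared by the samples (Sysmon format: module+offset|...).
NTDLL = 'C:\\Windows\\SYSTEM32\\ntdll.dll+9d8c4|C:\\Windows\\System32\\KERNELBASE.dll+2bcbe|'
SAMPLE_EVENTS = [
    {   # benign: a service host querying limited information on lsass
        'SourceImage': 'C:\\Windows\\System32\\svchost.exe',
        'TargetImage': 'C:\\Windows\\System32\\lsass.exe',
        'GrantedAccess': '0x1000',
        'CallTrace': NTDLL + 'C:\\Windows\\System32\\sechost.dll+1a3f0'},
    {   # MalSecLogon: seclogon.dll on the stack, 0x14c0 on lsass.exe
        'SourceImage': 'C:\\Windows\\System32\\svchost.exe',
        'TargetImage': 'C:\\Windows\\System32\\lsass.exe',
        'GrantedAccess': '0x14c0',
        'CallTrace': NTDLL + 'C:\\Windows\\system32\\seclogon.dll+2e3b|C:\\Windows\\System32\\RPCRT4.dll+7a3e3'},
    {   # MirrorDump-style: lsass itself opens the operator process from unbacked code
        'SourceImage': 'C:\\Windows\\System32\\lsass.exe',
        'TargetImage': 'C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe',
        'GrantedAccess': '0x40',
        'CallTrace': NTDLL + 'UNKNOWN(000001E4C2A70A10)'},
]

if __name__ == '__main__':
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```
\n\u003cp\u003eThe benign event produces nothing; the second is reported as malseclogon with the mask decoded to DUP_HANDLE, CREATE_PROCESS, QUERY_INFORMATION and QUERY_LIMITED_INFORMATION; the third is reported as lsass_duphandle. Note that the third record only exists if the Sysmon ProcessAccess rule keeps events where lsass.exe is the source, not just the target.\u003c/p\u003e\n\u003cp\u003e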
This can give attackers unrestricted access to the entire domain, allowing them to steal sensitive data, install malware, or disrupt critical services. The impact can range from data breaches and financial loss to complete infrastructure compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation and event 10 logging to capture the necessary telemetry for this detection. (Setup instructions: \u003ca href=\"https://ela.st/sysmon-event-10-setup\"\u003ehttps://ela.st/sysmon-event-10-setup\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Credential Access via DuplicateHandle in LSASS\u0026rdquo; to your SIEM and tune for your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule by reviewing the event logs and call trace details to identify suspicious modules or processes.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for LSASS and related processes to detect any future attempts to exploit the DuplicateHandle function.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:30:00Z","date_published":"2024-01-03T17:30:00Z","id":"/briefs/2024-01-lsass-dupehandle/","summary":"Detection of suspicious LSASS handle access via DuplicateHandle from an unknown call trace module, indicating a potential attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.","title":"Potential Credential Access via LSASS Handle Duplication","url":"https://feed.craftedsignal.io/briefs/2024-01-lsass-dupehandle/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","Windows"],"_cs_severities":["low"],"_cs_tags":["discovery","account-discovery","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","Elastic"],"content_html":"\u003cp\u003eAttackers often 
perform reconnaissance activities within a compromised environment to understand the available resources and potential targets. This reconnaissance helps them plan subsequent actions, such as privilege escalation and lateral movement. This activity involves using built-in Windows utilities like \u003ccode\u003enet.exe\u003c/code\u003e and \u003ccode\u003ewmic.exe\u003c/code\u003e to enumerate administrator-related user accounts and groups. This information can reveal potential targets for credential compromise or other post-exploitation activities. Lower privileged accounts commonly perform this enumeration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enet.exe\u003c/code\u003e with arguments to list users and groups.\u003c/li\u003e\n\u003cli\u003eThe attacker filters the output for administrator-related keywords like \u0026ldquo;admin\u0026rdquo;, \u0026ldquo;Domain Admins\u0026rdquo;, \u0026ldquo;Enterprise Admins\u0026rdquo;, \u0026ldquo;Remote Desktop Users\u0026rdquo;, or \u0026ldquo;Organization Management\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker executes \u003ccode\u003ewmic.exe\u003c/code\u003e to query user accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output from \u003ccode\u003ewmic.exe\u003c/code\u003e to identify administrator accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies privileged accounts to target for credential theft or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the identified accounts to perform lateral movement or access sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enumeration of administrator accounts allows an attacker to identify high-value targets within the environment. 
This can lead to credential theft, privilege escalation, lateral movement, and ultimately, unauthorized access to sensitive data or systems. While the risk score is low, this activity serves as a precursor to more serious compromises.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003enet.exe\u003c/code\u003e and \u003ccode\u003ewmic.exe\u003c/code\u003e commands with arguments related to user and group enumeration using the Sigma rules provided.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of lower-privileged accounts executing these commands and filter out authorized administrative accounts performing the same actions.\u003c/li\u003e\n\u003cli\u003eEnable Windows process creation logging to capture the necessary events.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:14:00Z","date_published":"2024-01-03T17:14:00Z","id":"/briefs/2024-01-admin-recon/","summary":"Adversaries may execute the `net.exe` or `wmic.exe` commands to enumerate administrator accounts or groups, both locally and within the domain, to gather information for follow-on actions.","title":"Windows Account Discovery of Administrator Accounts","url":"https://feed.craftedsignal.io/briefs/2024-01-admin-recon/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","obfuscation","powershell"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eInvoke-Obfuscation is a PowerShell obfuscation framework used to evade detection by security products. Attackers employ this technique to disguise malicious PowerShell code, making it harder to identify through static analysis or signature-based detection. 
This particular technique involves passing obfuscated PowerShell code via standard input (stdin) to the PowerShell interpreter. This method is often employed during the execution of scripts, where malicious code is dynamically constructed and executed, leaving a reduced footprint on the file system. Defenders should be aware of this technique because it is frequently used by threat actors in conjunction with other tactics to compromise systems and execute malicious payloads. This brief provides actionable detection strategies focused on identifying this specific obfuscation pattern.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access through a vulnerability or other means (not covered in this brief).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a small, initial-stage script or binary to the target system.\u003c/li\u003e\n\u003cli\u003eThis script prepares the environment for PowerShell execution, potentially setting environment variables or disabling security features.\u003c/li\u003e\n\u003cli\u003eThe script then calls \u003ccode\u003epowershell.exe\u003c/code\u003e with parameters designed to accept input from stdin.\u003c/li\u003e\n\u003cli\u003eObfuscated PowerShell code generated by Invoke-Obfuscation is piped into the \u003ccode\u003epowershell.exe\u003c/code\u003e process via stdin. 
This code often contains commands to download, execute, or further obfuscate malicious payloads.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epowershell.exe\u003c/code\u003e process executes the obfuscated code from stdin, bypassing some common detection rules.\u003c/li\u003e\n\u003cli\u003eThe deobfuscated code performs malicious actions such as lateral movement, data exfiltration, or persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which may include data theft, system compromise, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a full compromise of the targeted system, potentially impacting other systems within the network. Obfuscation makes incident response more difficult, as identifying and analyzing the malicious code requires additional effort. Affected systems could suffer data loss, service disruption, or financial damage. The use of Invoke-Obfuscation also indicates a deliberate attempt to evade security controls, suggesting a sophisticated attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Invoke-Obfuscation Via Stdin\u003c/code\u003e to your SIEM to detect obfuscated PowerShell execution via standard input based on command-line patterns.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging on Windows endpoints, ensuring that command-line arguments are captured to facilitate detection of obfuscated commands.\u003c/li\u003e\n\u003cli\u003eInvestigate any process creation events where \u003ccode\u003epowershell.exe\u003c/code\u003e is executed with parameters that suggest input from stdin along with obfuscated code patterns.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized PowerShell scripts, reducing the attack 
surface for Invoke-Obfuscation techniques.\u003c/li\u003e\n\u003cli\u003eContinuously update and refine detection rules to adapt to new obfuscation methods and variations of the Invoke-Obfuscation framework.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"/briefs/2024-01-invoke-obfuscation-stdin/","summary":"This brief outlines detection strategies for adversaries leveraging Invoke-Obfuscation techniques within PowerShell scripts executed via standard input, a method commonly used to evade traditional detection mechanisms.","title":"Detection of Invoke-Obfuscation via Standard Input","url":"https://feed.craftedsignal.io/briefs/2024-01-invoke-obfuscation-stdin/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["attack.impact","attack.t1489"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly targeting scheduled tasks to disable critical system functions. This tactic involves using \u003ccode\u003eschtasks.exe\u003c/code\u003e to disable essential tasks related to security, backup, and update mechanisms. By disabling tasks like Windows Defender scans, System Restore points, BitLocker encryption, and Windows Update, adversaries can significantly weaken a system\u0026rsquo;s defenses, making it more vulnerable to data destruction or ransomware attacks. 
The observed behavior involves the execution of…\u003c/p\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"/briefs/2024-01-schtasks-disable/","summary":"Adversaries disable crucial scheduled tasks, such as those related to BitLocker, Windows Defender, System Restore and Windows Update, using schtasks.exe to disrupt services and potentially facilitate data destruction or ransomware deployment.","title":"Adversaries Disabling Important Scheduled Tasks","url":"https://feed.craftedsignal.io/briefs/2024-01-schtasks-disable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["time-based-evasion","malware","persistence","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis brief focuses on the detection of \u003ccode\u003echoice.exe\u003c/code\u003e being used within batch files as a time-delay tactic, a technique notably employed by the SnakeKeylogger malware. The analysis leverages data from Endpoint Detection and Response (EDR) agents, scrutinizing process names and command-line executions. This behavior is significant because it suggests the implementation of time-based evasion techniques designed to circumvent detection mechanisms. Successful evasion could enable attackers to execute malicious code covertly, remove incriminating files, and establish persistent access on compromised systems. 
The use of \u003ccode\u003echoice.exe\u003c/code\u003e for such purposes warrants immediate investigation by security operations center (SOC) analysts due to the potential for significant system compromise and data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access via an unknown vector.\u003c/li\u003e\n\u003cli\u003eA batch script is executed on the target system.\u003c/li\u003e\n\u003cli\u003eThe batch script uses \u003ccode\u003echoice.exe\u003c/code\u003e with the \u003ccode\u003e/T\u003c/code\u003e and \u003ccode\u003e/N\u003c/code\u003e parameters to introduce a time delay. The \u003ccode\u003e/T\u003c/code\u003e parameter specifies a timeout period, and the \u003ccode\u003e/N\u003c/code\u003e parameter suppresses the display of choices.\u003c/li\u003e\n\u003cli\u003eThis delay allows the malware to evade time-sensitive detection mechanisms.\u003c/li\u003e\n\u003cli\u003eAfter the delay, the script executes further commands, potentially downloading and executing a payload.\u003c/li\u003e\n\u003cli\u003eThe payload executes, installing a keylogger such as SnakeKeylogger or 0bj3ctivity Stealer.\u003c/li\u003e\n\u003cli\u003eThe keylogger captures sensitive information such as keystrokes and clipboard data.\u003c/li\u003e\n\u003cli\u003eThe stolen data is exfiltrated to a remote server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems can lead to data theft, intellectual property loss, and financial fraud. SnakeKeylogger and similar malware have been used to steal credentials and sensitive information from various targets. Successful exploitation could result in significant financial losses, reputational damage, and legal liabilities. 
The number of victims and the extent of the damage depend on the attacker\u0026rsquo;s objectives and the compromised systems\u0026rsquo; value.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Choice.exe Time Delay\u003c/code\u003e to your SIEM to detect the use of \u003ccode\u003echoice.exe\u003c/code\u003e with time-delay parameters (log source: \u003ccode\u003eprocess_creation\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the necessary process execution data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003echoice.exe\u003c/code\u003e being used with the \u003ccode\u003e/T\u003c/code\u003e and \u003ccode\u003e/N\u003c/code\u003e parameters to determine if it is part of a malicious script.\u003c/li\u003e\n\u003cli\u003eBlock the execution of unsigned or untrusted batch scripts to prevent the initial execution of the malicious code.\u003c/li\u003e\n\u003cli\u003eMonitor endpoint activity for suspicious processes and network connections originating from systems where \u003ccode\u003echoice.exe\u003c/code\u003e has been detected.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-time-based-evasion-choice/","summary":"Detection of choice.exe used in batch files for time-based evasion, a technique observed in SnakeKeylogger malware, indicating potential stealthy code execution and persistence.","title":"Windows Time-Based Evasion via Choice 
Exec","url":"https://feed.craftedsignal.io/briefs/2024-01-time-based-evasion-choice/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":true,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["attack.defense-evasion","attack.t1562.002"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly targeting Windows Event Tracing (ETW) and AutoLogger sessions to evade detection. The AutoLogger session is crucial as it records events early in the operating system boot process, providing security solutions with essential telemetry. This technique involves tampering with registry keys associated with AutoLogger sessions, specifically disabling or stopping them by setting DWORD values to 0. This is done to blind security solutions, preventing them from monitoring early boot activities and critical system events. Disabling these sessions allows adversaries to operate with less scrutiny, making it harder to detect malicious activities during the initial phases of a system compromise. This technique has been observed in attacks involving IcedID and XingLocker ransomware.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved through an as-yet-unspecified method (e.g., exploitation, phishing).\u003c/li\u003e\n\u003cli\u003eThe attacker gains administrative privileges on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies AutoLogger sessions to disable, focusing on those relevant to security monitoring, such as \u0026lsquo;\\EventLog-\u0026rsquo; or \u0026lsquo;\\Defender\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry to disable the targeted AutoLogger sessions. 
This involves setting the \u0026lsquo;Enabled\u0026rsquo; or \u0026lsquo;Start\u0026rsquo; DWORD values under the \u003ccode\u003eHKLM\\System\\CurrentControlSet\\Control\\WMI\\Autologger\u003c/code\u003e registry key to 0.\u003c/li\u003e\n\u003cli\u003eThe attacker may use tools like \u003ccode\u003ewevtutil.exe\u003c/code\u003e or directly interact with the registry via PowerShell or \u003ccode\u003ecmd.exe\u003c/code\u003e to make these changes.\u003c/li\u003e\n\u003cli\u003eThe security monitoring capabilities reliant on the tampered AutoLogger sessions are effectively impaired or disabled.\u003c/li\u003e\n\u003cli\u003eWith logging impaired, the attacker proceeds with the main objectives, such as lateral movement, data exfiltration, or ransomware deployment, with a reduced risk of detection.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is to compromise the system, steal data, or deploy ransomware, bypassing security measures that rely on early boot and system event logging.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful tampering with AutoLogger sessions can significantly reduce the visibility of security solutions, allowing attackers to operate undetected for extended periods. This can lead to delayed incident response, increased dwell time, and greater potential for damage, including data breaches, financial losses, and reputational damage. The sectors most at risk are those heavily reliant on Windows-based systems and proactive security monitoring. 
The DFIR Report documented a case where adversaries moved from IcedID infection to XingLocker ransomware deployment within 24 hours, highlighting the speed and potential impact of these attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePotential AutoLogger Sessions Tampering\u003c/code\u003e to your SIEM to detect malicious registry modifications related to AutoLogger sessions.\u003c/li\u003e\n\u003cli\u003eInvestigate any registry modifications under the \u003ccode\u003e\\Control\\WMI\\Autologger\\\u003c/code\u003e path, focusing on changes to \u003ccode\u003eEnabled\u003c/code\u003e or \u003ccode\u003eStart\u003c/code\u003e values, as identified in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ewevtutil.exe\u003c/code\u003e modifying registry keys related to AutoLogger, as specified in the \u003ccode\u003efilter_main_wevtutil\u003c/code\u003e section of the Sigma rule.\u003c/li\u003e\n\u003cli\u003eCorrelate registry modification events with process execution events to identify the source of the tampering, paying close attention to processes originating from the Windows Defender platform, as outlined in the \u003ccode\u003efilter_main_defender\u003c/code\u003e section of the Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement endpoint detection and response (EDR) solutions with robust registry monitoring capabilities to identify and block unauthorized modifications to AutoLogger settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-autologger-tampering/","summary":"Attackers may disable AutoLogger sessions by modifying specific registry values to evade detection and prevent security monitoring of early boot activities and system events, a technique observed in intrusions involving IcedID and XingLocker 
ransomware.","title":"Windows AutoLogger Session Tampering Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-autologger-tampering/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","proxy-execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers frequently abuse trusted Windows system binaries and developer utilities to proxy the execution of malicious payloads, effectively bypassing security controls that would otherwise prevent direct execution. This technique, known as \u0026ldquo;System Binary Proxy Execution,\u0026rdquo; allows adversaries to masquerade their activities and blend in with legitimate system processes. This detection identifies network activity from system applications such as \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003eregsvr32.exe\u003c/code\u003e, and \u003ccode\u003einstallutil.exe\u003c/code\u003e that are not expected to initiate network connections under normal circumstances. The original rule was created in September 2020, and updated in May 2026. 
The scope of targeting includes any Windows environment where adversaries might attempt to evade detection by proxying malicious activity through trusted system binaries.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, often through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious payload onto the system, potentially obfuscated to avoid detection.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a trusted system binary, such as \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003eregsvr32.exe\u003c/code\u003e, or \u003ccode\u003einstallutil.exe\u003c/code\u003e to execute the payload.\u003c/li\u003e\n\u003cli\u003eThe system binary initiates a network connection, potentially to a command-and-control (C2) server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the C2 channel to download additional tools or exfiltrate data.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft, ransomware deployment, or system disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a variety of negative impacts, including data breaches, system compromise, and potential financial losses. The technique is often employed in targeted attacks and can be difficult to detect due to the use of legitimate system binaries. 
If successful, attackers can maintain persistence, escalate privileges, and move laterally within the network, leading to widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation (Event ID 1) and network connection (Event ID 3) logging to provide the necessary data for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect unusual network activity from Windows system binaries.\u003c/li\u003e\n\u003cli\u003eRegularly review and update the list of known benign network connections from these binaries to reduce false positives.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of untrusted applications.\u003c/li\u003e\n\u003cli\u003eMonitor DNS queries (Sysmon Event ID 22) for suspicious domain resolutions originating from system binaries.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-unusual-network-activity-windows/","summary":"Detection of network connections initiated by unusual Windows system binaries, often leveraged by adversaries to proxy execution of malicious code and evade detection, indicating potential defense evasion and command and control activity.","title":"Unusual Network Activity from Windows System Binaries","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-network-activity-windows/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Citrix System32","MSACCESS.EXE","GTInstaller","Elastic Defend","SentinelOne Cloud Funnel","Microsoft Defender XDR","Crowdstrike FDR","Elastic Endgame"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","script-execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Citrix","Quokka.Works","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection 
identifies the execution of scripts via HTML applications, leveraging Windows utilities like \u003ccode\u003erundll32.exe\u003c/code\u003e or \u003ccode\u003emshta.exe\u003c/code\u003e. Attackers often use this method to bypass process and signature-based defenses by proxying the execution of malicious content through legitimate, signed binaries. The detection focuses on specific command-line arguments and patterns associated with this technique, while also excluding known legitimate uses by applications such as Citrix System32 (\u003ccode\u003ewfshell.exe\u003c/code\u003e), Microsoft Access (\u003ccode\u003eMSACCESS.EXE\u003c/code\u003e), and Quokka.Works (\u003ccode\u003eGTInstaller.exe\u003c/code\u003e). This technique is used by attackers to execute malicious scripts without directly running them, thus evading traditional security measures. The detection rule analyzes process names, command-line arguments, parent processes, and file paths to identify potentially malicious activity indicative of defense evasion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access through various means (e.g., phishing, drive-by download).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a malicious HTML application (HTA) file or a scriptlet (SCT) file.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003emshta.exe\u003c/code\u003e or \u003ccode\u003erundll32.exe\u003c/code\u003e to execute the malicious HTA or SCT file. 
The command line includes obfuscated or encoded script content.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emshta.exe\u003c/code\u003e or \u003ccode\u003erundll32.exe\u003c/code\u003e process spawns a child process, such as \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e, to execute further commands.\u003c/li\u003e\n\u003cli\u003eThe spawned process executes malicious code, such as downloading and executing a payload.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence by modifying registry keys or creating scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement by exploiting vulnerabilities or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe final objective is achieved, such as data exfiltration, ransomware deployment, or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to compromise the system, steal sensitive data, deploy ransomware, or establish a persistent foothold. Due to the nature of the technique, it can bypass many traditional security measures. The wide adoption of Windows and the inherent trust placed in signed binaries makes this a potent evasion technique. Failure to detect and prevent this attack can lead to significant financial and reputational damage for the targeted organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Script Execution via Microsoft HTML Application\u0026rdquo; to your SIEM to detect suspicious \u003ccode\u003emshta.exe\u003c/code\u003e and \u003ccode\u003erundll32.exe\u003c/code\u003e executions. 
Tune the rule by adding exceptions for known legitimate uses in your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to ensure the visibility required for the Sigma rules to function correctly.\u003c/li\u003e\n\u003cli\u003eMonitor process command lines for suspicious arguments like \u0026ldquo;script:eval\u0026rdquo;, \u0026ldquo;WScript.Shell\u0026rdquo;, and \u0026ldquo;mshta http\u0026rdquo; which are indicative of this technique.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of \u003ccode\u003emshta.exe\u003c/code\u003e and \u003ccode\u003erundll32.exe\u003c/code\u003e where they are not required for legitimate business purposes.\u003c/li\u003e\n\u003cli\u003eInvestigate and block any identified malicious HTA files or scriptlet URLs found in the command lines of detected processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-script-execution-via-html-app/","summary":"Detects the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe to bypass defenses by proxying execution of malicious content with signed binaries.","title":"Script Execution via Microsoft HTML Application","url":"https://feed.craftedsignal.io/briefs/2024-01-script-execution-via-html-app/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["execution","script-execution","malware"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may attempt to execute malicious scripts from suspicious directories or folders accessible by environment variables. 
This technique leverages script interpreters such as \u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, and \u003ccode\u003epowershell.exe\u003c/code\u003e to run scripts from locations like the Temp directory, the Public user folder, or other user profile directories. The use of these locations can help attackers evade detection, as security tools may not thoroughly inspect files executed from these typically benign locations. This activity has been associated with threat actors such as Shuckworm, known to target the Ukrainian military.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access, potentially through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eA malicious script is dropped into a suspicious folder such as \u003ccode\u003eC:\\Users\\Public\\\u003c/code\u003e, \u003ccode\u003e%TEMP%\u003c/code\u003e, or \u003ccode\u003eC:\\Users\\\u0026lt;username\u0026gt;\\AppData\\Local\\Temp\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, or \u003ccode\u003emshta.exe\u003c/code\u003e to execute the dropped script. 
The command line may contain flags to bypass execution policies (e.g., \u003ccode\u003e-ExecutionPolicy bypass\u003c/code\u003e) or hide the window (e.g., \u003ccode\u003e-w hidden\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAlternatively, PowerShell may be invoked with the \u003ccode\u003e-ep bypass\u003c/code\u003e or \u003ccode\u003e-ExecutionPolicy Bypass\u003c/code\u003e flags, along with a command to execute the script located in the temporary folder.\u003c/li\u003e\n\u003cli\u003eThe script executes, performing malicious actions such as downloading additional payloads, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe script may leverage built-in Windows utilities for further malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data theft or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a range of damaging outcomes, including system compromise, data theft, and further propagation of malware within the network. Organizations may experience data breaches, financial losses, and reputational damage. 
The compromise of systems can also disrupt business operations and require extensive recovery efforts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eScript Interpreter Execution From Suspicious Folder\u003c/code\u003e to your SIEM to detect suspicious script executions.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events with a focus on script interpreters (\u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e) executing from suspicious directories, using the \u003ccode\u003elogsource\u003c/code\u003e and \u003ccode\u003edetection\u003c/code\u003e sections of the Sigma rule as a guide.\u003c/li\u003e\n\u003cli\u003eTune the filters in the Sigma rule based on your environment to reduce false positives, as described in the \u003ccode\u003efalsepositives\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eReview and block any observed malicious command lines containing flags like \u003ccode\u003e-ep bypass\u003c/code\u003e, \u003ccode\u003e-ExecutionPolicy bypass\u003c/code\u003e, or \u003ccode\u003e-w hidden\u003c/code\u003e, as detailed in the \u003ccode\u003eselection_proc_flags\u003c/code\u003e section of the Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-suspicious-script-execution/","summary":"Malware may execute scripts from suspicious directories accessible via environment variables using script interpreters like cscript, wscript, mshta, and powershell to evade detection.","title":"Suspicious Script Interpreter Execution from Environment Variable 
Folders","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-script-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly using obfuscation techniques to evade detection, specifically leveraging \u003ccode\u003eclip.exe\u003c/code\u003e in conjunction with PowerShell and command-line interpreters. This combination allows for the execution of malicious code while bypassing traditional signature-based detections. This activity often includes encoding and splitting commands to avoid string-based detection. Invoke-Obfuscation is a known framework used to generate these types of payloads. Defenders should focus on detecting the specific patterns of command execution and data manipulation that are characteristic of this technique. The detection of such obfuscated PowerShell commands is crucial for identifying and mitigating potential security breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eA command interpreter (cmd.exe) is invoked to execute a complex, obfuscated command.\u003c/li\u003e\n\u003cli\u003eThe command includes \u003ccode\u003eecho\u003c/code\u003e to write data to standard output, piping the output to \u003ccode\u003eclip.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eclip.exe\u003c/code\u003e places the output (part of the malicious PowerShell code) into the clipboard.\u003c/li\u003e\n\u003cli\u003eAnother \u003ccode\u003ecmd.exe\u003c/code\u003e process invokes PowerShell to execute the content retrieved from the clipboard.\u003c/li\u003e\n\u003cli\u003ePowerShell uses reflection to load and execute 
.NET assemblies from the clipboard.\u003c/li\u003e\n\u003cli\u003eThe executed code performs malicious actions, such as downloading additional payloads or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe clipboard content is cleared to remove traces of the injected code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of obfuscated PowerShell commands can lead to a range of malicious activities, including malware installation, data theft, and remote system control. The use of \u003ccode\u003eclip.exe\u003c/code\u003e and other obfuscation techniques significantly hinders detection efforts, potentially allowing attackers to operate undetected for extended periods. This can result in significant financial losses, data breaches, and reputational damage for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Invoke-Obfuscation Via Use Clip\u0026rdquo; to your SIEM to detect command lines using \u003ccode\u003eclip.exe\u003c/code\u003e and obfuscated PowerShell (see rule details).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for instances of \u003ccode\u003ecmd.exe\u003c/code\u003e invoking \u003ccode\u003eclip.exe\u003c/code\u003e with command lines containing \u003ccode\u003eecho\u003c/code\u003e piped to \u003ccode\u003eclip.exe\u003c/code\u003e (logsource: process_creation, product: windows).\u003c/li\u003e\n\u003cli\u003eInspect PowerShell execution logs for commands that access the clipboard, especially when followed by assembly loading or remote code execution (logsource: process_creation, product: windows).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-invoke-obfuscation-clip/","summary":"The use of `clip.exe` in conjunction with PowerShell and 
command-line obfuscation is used to evade detection.","title":"Invoke-Obfuscation via Clip.exe","url":"https://feed.craftedsignal.io/briefs/2024-01-invoke-obfuscation-clip/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Windows"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","command-and-control","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThe detection rule identifies unusual instances of dllhost.exe making outbound network connections, which may indicate adversarial command and control activity. Dllhost.exe is a legitimate Windows process used to host DLL services. Adversaries may exploit it for stealthy command and control by initiating unauthorized network connections to non-local IPs. This approach helps in identifying potential threats by focusing on unusual network behaviors associated with this process. The rule aims to detect activity related to defense evasion, where adversaries use system binaries to proxy execution. 
The detection logic relies on identifying dllhost.exe processes initiating network connections to destinations outside of commonly used private IP ranges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., via phishing or exploitation).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious DLL file on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses dllhost.exe to host and execute the malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL initiates a network connection to an external IP address, bypassing traditional process-based network monitoring.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a command and control (C2) channel via the dllhost.exe process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the C2 channel to send commands and receive data from the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data from the compromised network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the establishment of a covert command and control channel, allowing attackers to remotely control the compromised system. This can result in data theft, further compromise of the network, and potential financial loss. 
The references point to APT29 activity, suggesting sophisticated actors may leverage this technique.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation (Event ID 1) and network connection (Event ID 3) logging to enhance visibility of process execution and network activity (\u003ca href=\"https://ela.st/sysmon-event-1-setup\"\u003ehttps://ela.st/sysmon-event-1-setup\u003c/a\u003e, \u003ca href=\"https://ela.st/sysmon-event-3-setup\"\u003ehttps://ela.st/sysmon-event-3-setup\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eUnusual Network Connection via DllHost\u003c/code\u003e to your SIEM to detect suspicious outbound connections from dllhost.exe.\u003c/li\u003e\n\u003cli\u003eInvestigate and whitelist legitimate software updates or enterprise applications that use dllhost.exe for network communications to reduce false positives, as described in the rule\u0026rsquo;s analysis notes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-unusual-dllhost-network-connection/","summary":"The rule identifies unusual instances of dllhost.exe making outbound network connections to non-local IPs, which may indicate adversarial Command and Control activity and defense evasion.","title":"Unusual Network Connection via DllHost","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-dllhost-network-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","mounted-device","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious execution of script interpreters or signed binaries from mounted devices in Windows environments. 
Attackers attempt to evade defenses by launching processes from non-standard directories, such as mounted devices. This technique can be employed following initial access via phishing or other means. The focus is on processes spawned by \u003ccode\u003eexplorer.exe\u003c/code\u003e with a working directory on removable drives (D, E, F) and named \u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003epwsh.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003eregsvr32.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003ebitsadmin.exe\u003c/code\u003e, \u003ccode\u003emsiexec.exe\u003c/code\u003e, \u003ccode\u003ewmic.exe\u003c/code\u003e, \u003ccode\u003eschtasks.exe\u003c/code\u003e, or \u003ccode\u003emsbuild.exe\u003c/code\u003e. This behavior is anomalous and indicative of potential malicious activity. 
The rule originates from Elastic\u0026rsquo;s detection rule set.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser unknowingly executes a malicious file (T1204.002) or opens a phishing email leading to drive-by compromise.\u003c/li\u003e\n\u003cli\u003eThe malicious file is downloaded onto the system, potentially onto a mounted device such as a USB drive (D:, E:, or F:).\u003c/li\u003e\n\u003cli\u003eThe user interacts with the mounted device via \u003ccode\u003eexplorer.exe\u003c/code\u003e, inadvertently triggering the execution of a malicious script or binary (TA0002).\u003c/li\u003e\n\u003cli\u003eThe script interpreter (e.g., powershell.exe, cmd.exe) or a signed binary (e.g., mshta.exe, regsvr32.exe) is executed from the mounted device (T1059).\u003c/li\u003e\n\u003cli\u003eThe process inherits the working directory from the mounted device, further masking its origin.\u003c/li\u003e\n\u003cli\u003eThe script or binary performs malicious actions, such as downloading additional malware, establishing persistence, or exfiltrating data (TA0005).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the trusted binary or interpreter to proxy execution of their malicious code (T1127, T1218).\u003c/li\u003e\n\u003cli\u003eThe system is compromised, potentially leading to data theft, ransomware deployment, or lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack of this nature can lead to the compromise of Windows systems. Attackers can evade traditional defenses, making detection more challenging. The impact can range from data theft and system compromise to lateral movement and ransomware deployment. 
Organizations may experience financial loss, reputational damage, and operational disruption if systems are successfully compromised using this technique.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture process execution events, including the working directory and parent process, which is essential for activating the rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Suspicious Execution from Mounted Device\u0026rdquo; Sigma rule to your SIEM to detect potentially malicious processes being launched from unusual locations and tune for your environment.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of script interpreters and signed binaries from removable drives to mitigate the risk of this attack.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of executing files from untrusted sources, particularly from removable media, to prevent initial infection (T1204).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-suspicious-execution-mounted-device/","summary":"Attackers may use mounted devices as a non-standard working directory to execute signed binaries or script interpreters, evading traditional defense mechanisms, particularly when launched via explorer.exe.","title":"Suspicious Execution from a Mounted Device","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-execution-mounted-device/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","command-and-control","credential-access","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCertUtil is a command-line utility included with Windows, designed for managing digital certificates and certificate 
services. Attackers frequently abuse it to \u0026ldquo;live off the land\u0026rdquo; by downloading malware, deobfuscating files, and establishing command and control channels within compromised environments. This activity leverages certutil.exe to perform actions typically associated with malicious payloads, blending in with legitimate system activity and evading traditional security measures. The tool\u0026rsquo;s capability to encode, decode, and retrieve files from URLs makes it a versatile asset for attackers aiming to maintain a low profile while executing malicious operations. This detection focuses on identifying specific command-line arguments indicative of this abuse, such as those used for encoding, decoding, and URL retrieval.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access through an undisclosed means (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker executes certutil.exe via cmd.exe or PowerShell.\u003c/li\u003e\n\u003cli\u003eCertutil is used with the \u003ccode\u003eurlcache\u003c/code\u003e parameter to download a malicious payload from a remote server.\u003c/li\u003e\n\u003cli\u003eCertutil uses the \u003ccode\u003edecode\u003c/code\u003e parameter to decode a base64-encoded payload, saving it to disk.\u003c/li\u003e\n\u003cli\u003eThe attacker uses certutil with \u003ccode\u003eencodehex\u003c/code\u003e to encode a binary into a hexadecimal representation to evade signature-based detection.\u003c/li\u003e\n\u003cli\u003eThe attacker then uses certutil with \u003ccode\u003edecodehex\u003c/code\u003e to decode the hexadecimal encoded data.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the decoded payload, gaining further control of the system.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a command and control channel, using certutil to encode/decode communications.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to download and execute arbitrary code, bypass security measures, and maintain persistence within the compromised system. This can lead to data exfiltration, system compromise, and further propagation of the attack within the network. The lack of directly observed IOCs in the originating advisory limits quantification of victim count and impact scope, but the technique is widely applicable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious CertUtil Usage for Encoding/Decoding\u0026rdquo; to detect abuse of encoding/decoding functions within certutil.exe, focusing on unusual file types or destinations.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious CertUtil URL Download\u0026rdquo; to identify certutil.exe being used to download files from URLs, and tune the rule based on known good software deployment practices.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to ensure the rules above function correctly by capturing command-line arguments (as referenced in the logsource for each rule).\u003c/li\u003e\n\u003cli\u003eReview historical process execution logs for instances of certutil.exe using suspicious parameters like \u003ccode\u003edecode\u003c/code\u003e, \u003ccode\u003eencode\u003c/code\u003e, \u003ccode\u003eurlcache\u003c/code\u003e, \u003ccode\u003everifyctl\u003c/code\u003e, \u003ccode\u003eencodehex\u003c/code\u003e, \u003ccode\u003edecodehex\u003c/code\u003e, or \u003ccode\u003eexportPFX\u003c/code\u003e to identify potentially compromised systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-suspicious-certutil/","summary":"Attackers abuse certutil.exe, a native Windows utility, to download/deobfuscate malware for 
command and control or data exfiltration, evading defenses.","title":"Suspicious CertUtil Commands Used for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-certutil/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Veeam Backup","PDQ Deploy","Pella Order Management","eset-remote-install-service"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Veeam","Admin Arsenal","Pella Corporation","ESET"],"content_html":"\u003cp\u003eThis detection rule identifies a potential lateral movement technique where an attacker establishes a network logon to a Windows system and subsequently installs a service using the same LogonId. This behavior is flagged as suspicious because it deviates from typical administrative practices and can indicate unauthorized access and persistence within the network. The rule is designed to filter out common legitimate services and administrative activities, focusing on anomalies that could signify malicious intent. 
This detection is crucial for defenders as it can uncover attackers attempting to move laterally and establish persistent access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a network via compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker performs network reconnaissance to identify target systems for lateral movement.\u003c/li\u003e\n\u003cli\u003eUsing valid credentials or pass-the-hash techniques, the attacker authenticates to a remote Windows host over the network (e.g., SMB).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to install a new service on the remote host, potentially using tools like \u003ccode\u003esc.exe\u003c/code\u003e or PowerShell.\u003c/li\u003e\n\u003cli\u003eThe service installation event is logged with a specific LogonId that matches the earlier network logon event, indicating a relationship between the two activities.\u003c/li\u003e\n\u003cli\u003eThe newly installed service is configured to execute a malicious payload or establish a reverse shell.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the service to execute commands or deploy further malicious tools on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence and lateral movement within the network, enabling further compromise and data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using this technique can lead to widespread compromise of systems within a network. Attackers can use the newly installed service to execute arbitrary code, install malware, or move laterally to other systems. This can result in data theft, system disruption, or ransomware deployment. 
The impact can be significant, potentially affecting numerous systems and causing substantial financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Windows Security Event Logs with necessary auditing policies, specifically Audit Logon and Audit Security System Extension, to capture relevant logon and service installation events.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious remote service installations based on matching LogonIds from network logons.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on unusual service file paths and user accounts.\u003c/li\u003e\n\u003cli\u003eReview the list of excluded service file paths in the Sigma rules and customize them based on your environment\u0026rsquo;s known legitimate services.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for suspicious SMB activity, particularly connections originating from unusual or untrusted sources.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) to reduce the risk of credential theft and unauthorized network access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-remote-service-install/","summary":"This rule detects a network logon followed by Windows service creation with the same LogonId on a Windows host, which could indicate lateral movement or persistence by adversaries.","title":"Detecting Remote Windows Service Installation for Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-service-install/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","windows","fsutil","usn journal"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers 
can use the \u003ccode\u003efsutil.exe\u003c/code\u003e utility to delete the volume USN Journal in Windows. The USN Journal tracks changes made to files and directories on a disk volume, including metadata for file creation, deletion, modification, and permission changes. Deleting this journal can hinder forensic analysis by removing evidence of file operations. This technique is used to cover tracks and evade detection after an initial compromise. This activity is often observed during the post-exploitation phase of an attack, where adversaries attempt to remove traces of their presence and actions on the compromised system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003efsutil.exe\u003c/code\u003e via command line.\u003c/li\u003e\n\u003cli\u003eThe command \u003ccode\u003efsutil usn deletejournal /D [volume]\u003c/code\u003e is used to delete the USN Journal on the specified volume.\u003c/li\u003e\n\u003cli\u003eThe operating system processes the command, removing the USN Journal.\u003c/li\u003e\n\u003cli\u003eSubsequent file system activity is no longer recorded in the USN Journal.\u003c/li\u003e\n\u003cli\u003eThe attacker performs further actions on the system, such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003cli\u003eForensic analysis is hampered due to the missing USN Journal entries.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of the USN Journal impairs forensic investigations and incident response efforts. Without the USN Journal, analysts may struggle to determine the full scope of an intrusion, including files created, modified, or deleted by the attacker. 
This can lead to incomplete remediation and a higher risk of reinfection.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect USN Journal Deletion via Fsutil\u0026rdquo; to your SIEM to identify this specific behavior.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for \u003ccode\u003efsutil.exe\u003c/code\u003e with arguments related to \u0026ldquo;deletejournal\u0026rdquo; and \u0026ldquo;usn\u0026rdquo; to detect potential attempts to delete the USN Journal.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the execution of \u003ccode\u003efsutil.exe\u003c/code\u003e with the relevant arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-usn-journal-deletion/","summary":"Adversaries may delete the volume USN Journal on Windows systems using `fsutil.exe` to eliminate evidence of post-exploitation file activity.","title":"Windows USN Journal Deletion via Fsutil","url":"https://feed.craftedsignal.io/briefs/2024-01-usn-journal-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["impact","t1490","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may disable the Windows System Restore feature to prevent victims from easily reverting their systems to a clean state after an infection or other malicious activity. This action complicates incident response and remediation efforts, forcing more complex and time-consuming recovery procedures. Disabling system restore is often performed post-compromise to ensure persistence and hinder forensic analysis. 
This technique can be implemented manually through the registry editor or via automated scripts, making it accessible to a wide range of threat actors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through various methods (e.g., phishing, exploitation).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to Administrator or SYSTEM.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify registry keys.\u003c/li\u003e\n\u003cli\u003eThe attacker targets the \u003ccode\u003eHKLM\\Software\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableConfig\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker targets the \u003ccode\u003eHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the value of the targeted registry key to \u003ccode\u003eDWORD:00000001\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker confirms the System Restore feature is disabled.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with further malicious activities, knowing that recovery is hindered.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling System Restore can significantly impede recovery efforts following a cyber incident. Organizations may face longer downtimes and increased costs associated with manual system reimaging or advanced forensic analysis. 
The absence of readily available restore points can also lead to data loss if systems are severely damaged or encrypted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRegistry Disable System Restore\u003c/code\u003e to your SIEM to detect malicious attempts to disable System Restore via registry modification.\u003c/li\u003e\n\u003cli\u003eMonitor registry modifications related to System Restore configurations, focusing on the keys \u003ccode\u003e\\Policies\\Microsoft\\Windows NT\\SystemRestore\u003c/code\u003e and \u003ccode\u003e\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\u003c/code\u003e, and values set to \u003ccode\u003eDWORD (0x00000001)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to prevent unauthorized modification of registry settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-disable-system-restore/","summary":"Attackers disable Windows System Restore by modifying specific registry keys to hinder recovery efforts after malicious activity.","title":"Windows System Restore Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-03-disable-system-restore/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike FDR","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","lateral-movement","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe legacy Windows AT command allows scheduling tasks for execution. While deprecated since Windows 8 and Windows Server 2012, it remains present for backwards compatibility. 
Attackers may enable the AT command through registry modifications to achieve persistence or lateral movement within a network. This technique bypasses modern security controls and can be difficult to detect without specific monitoring. The detection rule monitors registry changes enabling this command, flagging potential misuse by checking specific registry paths and values indicative of enabling the AT command. The use of this command allows an attacker to execute commands with elevated privileges, potentially compromising the entire system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to enable the AT command by modifying the registry.\u003c/li\u003e\n\u003cli\u003eThe registry key \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt\u003c/code\u003e is modified to a value of \u0026ldquo;1\u0026rdquo; or \u0026ldquo;0x00000001\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AT command to schedule a malicious task.\u003c/li\u003e\n\u003cli\u003eThe scheduled task executes a command or script, such as downloading and executing malware.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system as a pivot point for lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eEnabling the AT command can lead to unauthorized task scheduling, malware execution, persistence, and lateral movement within a network. Successful exploitation can compromise sensitive data, disrupt operations, and grant attackers persistent access to critical systems. 
The use of a deprecated command makes it harder to detect, increasing the impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor registry events for modifications to \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt\u003c/code\u003e as described in the rule overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Scheduled Tasks AT Command Enabled\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation and registry event logging to activate the rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule \u0026ldquo;Scheduled Tasks AT Command Enabled\u0026rdquo; for suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-at-command-enabled/","summary":"Attackers may enable the deprecated Windows AT command via registry modification to achieve local persistence or lateral movement.","title":"Windows Scheduled Tasks AT Command Enabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-at-command-enabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["low"],"_cs_tags":["persistence","scheduled-task","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies first-time modifications to scheduled tasks by non-system users on Windows systems. Adversaries frequently abuse scheduled tasks to achieve persistence by modifying existing tasks or creating new ones that execute malicious code at recurring intervals. 
This rule focuses on detecting unauthorized changes to existing tasks by filtering out known system accounts (SYSTEM, Local Service, Network Service) and machine accounts, thereby highlighting potentially suspicious user activity. The rule leverages Windows Security Event Logs (event code 4702) to monitor task modifications. The goal is to aid in the early detection of threats where attackers are attempting to establish persistence on a compromised system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing scheduled tasks on the system using tools like \u003ccode\u003eschtasks.exe\u003c/code\u003e or PowerShell cmdlets.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a suitable scheduled task to modify for persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the task\u0026rsquo;s settings, such as the trigger time, the executable to run, or the arguments passed to the executable. 
This modification is logged as event ID 4702.\u003c/li\u003e\n\u003cli\u003eThe scheduled task is updated using \u003ccode\u003eschtasks.exe /change\u003c/code\u003e or PowerShell\u0026rsquo;s \u003ccode\u003eSet-ScheduledTask\u003c/code\u003e cmdlet.\u003c/li\u003e\n\u003cli\u003eThe modified scheduled task executes at the specified time, launching the attacker\u0026rsquo;s malicious payload.\u003c/li\u003e\n\u003cli\u003eThe malicious payload establishes a reverse shell to the attacker\u0026rsquo;s command and control (C2) server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the reverse shell to perform further actions on the compromised system, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack involving the modification of scheduled tasks can lead to persistent access to a compromised system. The attacker can use this access to steal sensitive data, install malware, or perform other malicious activities. 
While this rule is low severity, it can uncover attackers attempting to persist in a network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Other Object Access Events\u0026rdquo; to generate the required Windows Security Event Logs (event ID 4702) as described in the setup instructions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to your SIEM to detect unusual scheduled task updates.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule to determine if the scheduled task modification is legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eReview the references provided to understand the underlying event IDs and attacker techniques related to scheduled tasks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-unusual-scheduled-task-update/","summary":"This rule detects modifications to scheduled tasks by user accounts, excluding system activity and machine accounts, which adversaries can exploit for persistence by modifying them to execute malicious code.","title":"Unusual Scheduled Task Update","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-scheduled-task-update/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["persistence","registry","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies unusual modifications to less commonly altered registry keys, which may indicate stealthy persistence attempts on Windows systems. Adversaries exploit registry keys for persistence, ensuring malicious code executes on startup or during specific events. The rule filters out benign changes by excluding known legitimate processes and paths, focusing on suspicious alterations. 
The rule focuses on changes to registry keys such as \u003ccode\u003eHKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\u003c/code\u003e and \u003ccode\u003eHKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\u003c/code\u003e. This rule is designed for data generated by Elastic Defend and also supports third-party data sources such as Sysmon. The rule was last updated on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes code on the system, potentially using a dropper or exploit.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies uncommon registry keys suitable for persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry key to point to a malicious executable or script. This may involve adding a new entry or modifying an existing one.\u003c/li\u003e\n\u003cli\u003eThe system restarts, or the user logs in, triggering the execution of the malicious code through the modified registry key.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes with the privileges of the user or system, depending on the registry key modified.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence, allowing them to maintain access to the system even after restarts.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities such as data exfiltration, lateral movement, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to persistent access to the compromised system, allowing the attacker to maintain control and execute malicious activities. This can lead to data theft, system disruption, or further compromise of the network. 
The impact can range from a single workstation being compromised to a widespread enterprise-level breach, depending on the attacker\u0026rsquo;s objectives and the scope of the initial compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Uncommon Registry Persistence Change\u0026rdquo; Sigma rule to your SIEM to detect modifications to uncommon registry persistence keys and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to ensure the visibility required for the Sigma rule to function effectively (see references).\u003c/li\u003e\n\u003cli\u003eReview and tune the filter conditions in the Sigma rule to reduce false positives, specifically excluding legitimate software installations, system maintenance processes, and administrative scripts.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the process responsible for the registry modification and correlating it with other suspicious activities.\u003c/li\u003e\n\u003cli\u003eBlock execution of known malicious executables and scripts identified during the investigation to prevent further compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-uncommon-registry-persistence/","summary":"This rule detects changes to uncommon registry persistence keys on Windows systems that are not commonly used or modified by legitimate programs, which could indicate an adversary's attempt to persist in a stealthy manner by modifying registry keys for persistence, ensuring malicious code executes on startup or during specific events.","title":"Uncommon Registry Persistence Change Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-uncommon-registry-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic 
Defend","Elastic Endgame","Sysmon","Windows"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThis detection identifies suspicious usage of \u003ccode\u003escrobj.dll\u003c/code\u003e, a legitimate Windows library, when loaded into unusual Microsoft processes. Attackers may exploit \u003ccode\u003escrobj.dll\u003c/code\u003e to execute malicious scriptlets within trusted processes, thereby evading detection. This technique allows adversaries to proxy execution through trusted system binaries. The rule focuses on detecting anomalous activity by excluding common executables, and flagging only non-standard processes loading \u003ccode\u003escrobj.dll\u003c/code\u003e. The detection logic is based on identifying image load events where \u003ccode\u003escrobj.dll\u003c/code\u003e is loaded into unexpected processes, indicating a potential misuse of the library. The rule is designed for data generated by Elastic Defend, Elastic Endgame, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts or deploys a malicious scriptlet designed to execute malicious commands or payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a non-standard or less common Microsoft process to load \u003ccode\u003escrobj.dll\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003escrobj.dll\u003c/code\u003e is loaded into the target process, enabling the execution of scriptlets.\u003c/li\u003e\n\u003cli\u003eThe malicious scriptlet executes within the context of the trusted Microsoft process, bypassing application whitelisting or other security controls.\u003c/li\u003e\n\u003cli\u003eThe scriptlet performs malicious actions, such as downloading additional payloads, 
modifying system configurations, or establishing command and control communication.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objectives, such as data exfiltration, lateral movement, or persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code within the context of a trusted process, bypassing security controls and potentially leading to full system compromise. This could result in data theft, system corruption, or further propagation of the attack within the network. The impact is significant because it allows malware to operate under the guise of legitimate system processes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Scrobj.dll Image Load\u003c/code\u003e to your SIEM to detect this activity (see rule below).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 7 (Image Loaded) to collect the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u003ccode\u003eSuspicious Scrobj.dll Image Load\u003c/code\u003e to determine the legitimacy of the \u003ccode\u003escrobj.dll\u003c/code\u003e loading activity.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on processes identified in the detection rule.\u003c/li\u003e\n\u003cli\u003eContinuously audit scheduled tasks and exclude known safe processes from the detection rule to minimize false positives, as described in the rule\u0026rsquo;s Triage and Analysis section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-suspicious-scrobj-load/","summary":"Detection of scrobj.dll loaded into unusual Microsoft processes indicates potential 
malicious scriptlet execution for defense evasion and execution by abusing legitimate system binaries.","title":"Suspicious Script Object Execution via scrobj.dll","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-scrobj-load/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["attack.execution","attack.t1059"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers often leverage script interpreters like cscript.exe, wscript.exe, mshta.exe, and powershell.exe to execute malicious code. This activity becomes more suspicious when these interpreters are launched from directories referenced by environment variables commonly associated with temporary storage, such as %TEMP%, %PUBLIC%, or within user profile directories like Favorites or Contacts. This behavior is often indicative of malware attempting to evade detection by residing in locations less scrutinized by security tools. Such techniques are employed to execute malicious scripts downloaded from the internet or dropped by other malware components. 
This behavior has been linked to threat actors such as Shuckworm, known for targeting Ukraine with military-themed lures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user downloads a malicious file (e.g., a document or executable) from the internet or receives it via email.\u003c/li\u003e\n\u003cli\u003eThe malicious file, upon execution, drops a script file (e.g., VBScript, JavaScript, PowerShell script) into a temporary directory like C:\\Users\\Public\\ or C:\\Users\\\u0026lt;username\u0026gt;\\AppData\\Local\\Temp.\u003c/li\u003e\n\u003cli\u003eThe dropped script uses obfuscation and/or encoding techniques to avoid static analysis.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script interpreter (cscript.exe, wscript.exe, mshta.exe, powershell.exe) to run the malicious script from the temporary directory. The command line often includes bypass flags such as \u003ccode\u003e-ExecutionPolicy Bypass\u003c/code\u003e or \u003ccode\u003e-w hidden\u003c/code\u003e to evade security controls.\u003c/li\u003e\n\u003cli\u003eThe script interpreter executes the malicious code, which may involve downloading additional payloads, establishing persistence, or performing lateral movement.\u003c/li\u003e\n\u003cli\u003eThe malicious script may modify registry keys to establish persistence by adding a run key or scheduled task.\u003c/li\u003e\n\u003cli\u003eThe script may attempt to connect to command-and-control (C2) servers to receive further instructions and exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe final objective may include data theft, system compromise, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary code, system compromise, and data exfiltration. 
Depending on the attacker\u0026rsquo;s objectives, the impact can range from data theft to full system control and ransomware deployment. The exploitation of scripting engines can bypass application control policies and other security measures, leading to widespread infection and significant disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Script Interpreter Execution From Suspicious Folder\u0026rdquo; to your SIEM to detect suspicious script execution from temporary directories.\u003c/li\u003e\n\u003cli\u003eReview and tune the filters in the Sigma rule for your environment to reduce false positives, especially related to software installation processes.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments to provide the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eMonitor PowerShell execution policies and restrict script execution to signed scripts only to prevent the execution of unsigned malicious scripts.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of script interpreters from untrusted locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-susp-script-exec/","summary":"Adversaries may execute script interpreters such as cscript, wscript, mshta, or powershell from suspicious directories accessible via environment variables to evade detection and execute malicious scripts.","title":"Suspicious Script Interpreter Execution from Environment Variable Folders","url":"https://feed.craftedsignal.io/briefs/2024-01-susp-script-exec/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["execution","defense 
evasion","windows","regsvr32"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may abuse native Windows registration utilities such as \u003ccode\u003eregsvr32.exe\u003c/code\u003e, \u003ccode\u003eRegAsm.exe\u003c/code\u003e, and \u003ccode\u003eRegSvcs.exe\u003c/code\u003e to execute malicious code and bypass security controls. These utilities are often used to register and unregister COM objects and .NET assemblies, but can also be leveraged to download and execute arbitrary scripts from remote locations. The behavior is commonly seen in post-exploitation scenarios. This activity can be used to bypass application allow lists and evade defenses. This behavior has been observed across multiple threat actors and attack campaigns, making it a reliable indicator of suspicious or malicious activity. This detection focuses on the network connection initiated by these utilities, highlighting potential misuse.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means, such as exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a registration utility (e.g., \u003ccode\u003eregsvr32.exe\u003c/code\u003e) to execute a malicious script or download a payload from a remote server.\u003c/li\u003e\n\u003cli\u003eThe registration utility makes an outbound network connection to a malicious server to download the payload.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is executed, potentially leading to further compromise of the system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance on the compromised system to gather information about the environment.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems on the network, leveraging the compromised system as a pivot point.\u003c/li\u003e\n\u003cli\u003eThe attacker 
installs persistence mechanisms to maintain access to the compromised environment.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys ransomware, depending on their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to install malware, steal sensitive data, or disrupt business operations. The affected systems can be used as a beachhead for further attacks on the internal network, potentially leading to widespread compromise. The use of signed Microsoft binaries makes detection more challenging, as these tools are often trusted by default. While the risk_score is low at 21 and severity low, this is often related to initial access and could lead to high impact down the line.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation (Event ID 1) and network connection (Event ID 3) logging to ensure visibility into the execution of registration utilities and their network activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect suspicious network connections initiated by \u003ccode\u003eregsvr32.exe\u003c/code\u003e, \u003ccode\u003eRegAsm.exe\u003c/code\u003e, and \u003ccode\u003eRegSvcs.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on the command-line arguments used and the destination IP addresses.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a compromised system, restricting lateral movement.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected registry modifications associated with the execution of registration utilities, as these can indicate persistence mechanisms.\u003c/li\u003e\n\u003cli\u003eReview and update application allow lists to ensure that only 
authorized uses of registration utilities are permitted.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-regsvr-network-connection/","summary":"The native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection may indicate an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.","title":"Suspicious Network Connection via Registration Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-regsvr-network-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","lolbin","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers often copy legitimate operating system binaries (LOLBINs) from standard system directories to evade detection. This technique involves using command-line tools like \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003erobocopy.exe\u003c/code\u003e, or \u003ccode\u003excopy.exe\u003c/code\u003e to move these binaries to different locations on the disk, frequently with modified names. By relocating and renaming LOLBINs, threat actors attempt to bypass security measures that rely on file path or filename-based detection. This technique has been observed in various attack campaigns, including those involving malware delivery and ransomware deployment. 
This behavior aims to execute malicious operations under the guise of legitimate system processes, complicating forensic analysis and incident response efforts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved through an undisclosed method (e.g., exploitation, phishing).\u003c/li\u003e\n\u003cli\u003eThe attacker gains command execution on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e to initiate a copy operation.\u003c/li\u003e\n\u003cli\u003eThe command line includes the \u003ccode\u003ecopy\u003c/code\u003e command, \u003ccode\u003ecopy-item\u003c/code\u003e, \u003ccode\u003ecp\u003c/code\u003e, or \u003ccode\u003ecpi\u003c/code\u003e to copy a file.\u003c/li\u003e\n\u003cli\u003eThe source file is located within a Windows system directory such as \u003ccode\u003eC:\\\\Windows\\\\System32\u003c/code\u003e, \u003ccode\u003eC:\\\\Windows\\\\SysWOW64\u003c/code\u003e, or \u003ccode\u003eC:\\\\Windows\\\\WinSxS\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe destination directory is outside the standard system directories.\u003c/li\u003e\n\u003cli\u003eThe copied binary is then executed from the new location.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the LOLBIN to perform further malicious actions, such as downloading payloads or executing arbitrary code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack allows threat actors to evade traditional security detections by using renamed and relocated LOLBINs. This can lead to the successful execution of malicious payloads, potentially resulting in data theft, system compromise, or ransomware deployment. 
The impact can range from localized infections to domain-wide ransomware attacks, depending on the attacker\u0026rsquo;s objectives and the scope of the compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Copy From or To System Directory\u0026rdquo; to your SIEM to detect this behavior and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003eprocess_creation\u003c/code\u003e events where \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e is used to copy files from system directories as indicated by the rule and the details in the Attack Chain section.\u003c/li\u003e\n\u003cli\u003eMonitor for the execution of LOLBINs such as \u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003erobocopy.exe\u003c/code\u003e, and \u003ccode\u003excopy.exe\u003c/code\u003e from non-standard locations.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or relocated binaries.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-susp-copy-system-dir/","summary":"This threat involves the suspicious copying of files from or to Windows system directories (System32, SysWOW64, WinSxS) using command-line tools, often employed by attackers to relocate LOLBINs for defense evasion.","title":"Suspicious Copy from or to System Directory","url":"https://feed.craftedsignal.io/briefs/2024-01-03-susp-copy-system-dir/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["attack.execution","attack.t1047","attack.defense-evasion","attack.t1562.001"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may leverage WMIC, a legitimate Windows command-line 
utility, to modify the startup type of services. This tactic is often used to disable security products or critical system services, hindering incident response or creating system instability. By setting services to \u0026ldquo;Manual\u0026rdquo; or \u0026ldquo;Disabled\u0026rdquo;, adversaries ensure that these services do not automatically start upon system boot, achieving persistence or impeding detection. While WMIC is a built-in tool, its use for modifying service startup types is often indicative of malicious activity, especially when performed on security-related services. This activity may be part of a larger attack chain aimed at deploying ransomware, exfiltrating data, or establishing a persistent presence on the compromised system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, potentially through phishing, exploiting a vulnerability, or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewmic.exe\u003c/code\u003e with specific command-line arguments to interact with Windows services.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eservice\u003c/code\u003e alias is invoked within WMIC to target specific services.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eChangeStartMode\u003c/code\u003e method is used to modify the startup type of the targeted service.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the startup type to either \u003ccode\u003eManual\u003c/code\u003e or \u003ccode\u003eDisabled\u003c/code\u003e, preventing the service from automatically starting on subsequent reboots.\u003c/li\u003e\n\u003cli\u003eIf the targeted service is a security product, this action effectively disables the defense mechanism.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with further malicious activities, such as deploying malware or exfiltrating sensitive data, with reduced 
resistance.\u003c/li\u003e\n\u003cli\u003eThe compromised system experiences degraded security posture and potential operational disruptions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of service startup types can severely impact system security and availability. Disabling security software can lead to undetected malware infections and data breaches. Disabling critical system services can cause system instability, data loss, or complete system failure. While the exact number of victims is unknown, this technique is broadly applicable across Windows environments, potentially affecting organizations of any size and in any sector. The impact ranges from minor operational disruptions to significant financial losses due to data breaches and ransomware attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious \u003ccode\u003ewmic.exe\u003c/code\u003e process creations that attempt to change service startup types.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where \u003ccode\u003ewmic.exe\u003c/code\u003e is used to modify service startup types, especially when the targeted services are related to security or critical system functions.\u003c/li\u003e\n\u003cli\u003eImplement endpoint detection and response (EDR) solutions to provide enhanced visibility into process execution and system modifications.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit service configurations to identify unauthorized changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wmic-service-startup-change/","summary":"Adversaries use the Windows Management Instrumentation Command-line (WMIC) utility to modify the startup type of services, setting them to 'Manual' or 'Disabled' to impair 
defenses or disrupt system operations.","title":"Service Startup Type Modification via WMIC","url":"https://feed.craftedsignal.io/briefs/2024-01-wmic-service-startup-change/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","token-manipulation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies processes running under non-SYSTEM accounts that enable the SeDebugPrivilege. This privilege, typically reserved for system-level tasks, allows a process to debug and modify other processes. Adversaries may enable SeDebugPrivilege to escalate their privileges and bypass access controls, potentially gaining unauthorized access to sensitive data or system resources. The rule aims to detect suspicious processes enabling this privilege, excluding known legitimate processes, to flag potential privilege escalation attempts. This rule was last updated on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means (e.g., phishing, exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious process on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe malicious process attempts to enable the SeDebugPrivilege.\u003c/li\u003e\n\u003cli\u003eWindows Security Auditing logs a \u0026ldquo;Token Right Adjusted Events\u0026rdquo; event, indicating that a process has enabled SeDebugPrivilege.\u003c/li\u003e\n\u003cli\u003eThe detection rule identifies the event, filtering out known legitimate processes that may legitimately enable this privilege (e.g., msiexec.exe, taskhostw.exe).\u003c/li\u003e\n\u003cli\u003eThe rule triggers an alert, indicating a potential privilege escalation attempt.\u003c/li\u003e\n\u003cli\u003eSecurity analysts investigate the alert 
to determine the legitimacy of the process enabling SeDebugPrivilege and the context of its execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and enabling of SeDebugPrivilege can allow an attacker to debug and modify other processes, potentially gaining access to sensitive information, escalating privileges to SYSTEM level, and bypassing security controls. This can lead to a complete compromise of the affected system and potentially lateral movement to other systems on the network. The impact is high, especially in environments where sensitive data is processed or stored.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Token Right Adjusted Events to ensure proper logging of SeDebugPrivilege usage as per the \u003ca href=\"https://ela.st/audit-token-right-adjusted-events\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;SeDebugPrivilege Enabled by a Suspicious Process\u0026rdquo; Sigma rule to your SIEM to detect potential privilege escalation attempts.\u003c/li\u003e\n\u003cli\u003eReview and tune the exclusion list in the Sigma rule to minimize false positives, considering legitimate processes in your environment, as described in the \u003ca href=\"#false-positive-analysis\"\u003eFalse positive analysis\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the process enabling SeDebugPrivilege.\u003c/li\u003e\n\u003cli\u003eMonitor systems for unauthorized access or lateral movement following the detection of SeDebugPrivilege enabling.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-sedebugpriv-enabled/","summary":"The rule identifies a process running with a non-SYSTEM account that enables the 
SeDebugPrivilege privilege, which can be used by adversaries to debug and modify other processes to escalate privileges and bypass access controls.","title":"SeDebugPrivilege Enabled by a Suspicious Process","url":"https://feed.craftedsignal.io/briefs/2024-01-sedebugpriv-enabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies the creation of scheduled tasks on Windows systems originating from a remote source using Remote Procedure Call (RPC). The creation of scheduled tasks is a common technique used for persistence and execution. While administrators may legitimately use this functionality for remote management, adversaries also leverage it for lateral movement and executing malicious code on compromised systems. The rule specifically looks for RPC calls where the client locality and process ID are 0, suggesting the task was created remotely. Identifying this activity allows defenders to investigate potentially malicious lateral movement and unauthorized task execution. This activity has been observed across various Windows environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a network, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target system within the network accessible via RPC.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes an RPC connection to the target system.\u003c/li\u003e\n\u003cli\u003eUsing the RPC connection, the attacker creates a new scheduled task on the target system. 
The RpcCallClientLocality and ClientProcessId are set to 0 in the task creation event, indicating remote origin.\u003c/li\u003e\n\u003cli\u003eThe scheduled task is configured to execute a malicious payload or command. This could involve running a script, executable, or PowerShell command.\u003c/li\u003e\n\u003cli\u003eThe scheduled task is triggered based on a defined schedule or event.\u003c/li\u003e\n\u003cli\u003eThe malicious payload executes on the target system, achieving the attacker\u0026rsquo;s objective.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to further pivot within the network, repeating the process on other targets.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the establishment of persistence on the target system, allowing the attacker to maintain access even after reboots or credential changes. This can also facilitate lateral movement, enabling the attacker to compromise additional systems within the network. The impact could range from data theft and system disruption to full network compromise. 
Organizations may experience downtime, data loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Other Object Access Events\u0026rdquo; to generate the Windows Security Event Logs required for detection (reference: Setup section in content).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect remote scheduled task creation events (reference: rules section).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules to determine the legitimacy of the scheduled task creation.\u003c/li\u003e\n\u003cli\u003eReview and restrict permissions for creating scheduled tasks, especially from remote sources, to prevent unauthorized task creation.\u003c/li\u003e\n\u003cli\u003eMonitor the TaskContent value to investigate the configured action of scheduled tasks created remotely (reference: Triage and analysis section in content).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-remote-task-creation/","summary":"The creation of scheduled tasks from a remote source via RPC, where the RpcCallClientLocality and ClientProcessId are 0, indicates potential adversary lateral movement within a Windows environment.","title":"Remote Scheduled Task Creation via RPC","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-task-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","token-impersonation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies the creation of a process impersonating the token of another user logon session on Windows. Adversaries may duplicate tokens to create processes with elevated privileges, bypassing security controls. 
This technique is used for privilege escalation. The rule flags suspicious process creation by examining token usage patterns, process origins, and recent file modifications, while excluding known legitimate behaviors, to flag potential privilege escalation attempts. The rule is designed for data generated by Elastic Endpoint 8.4+.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means, such as exploiting a vulnerability or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a user logon session with higher privileges than their current session.\u003c/li\u003e\n\u003cli\u003eThe attacker duplicates the token of the identified user logon session using API calls like \u003ccode\u003eDuplicateTokenEx\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the duplicated token to create a new process using \u003ccode\u003eCreateProcessWithTokenW\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe new process inherits the privileges of the duplicated token.\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious commands or tools within the context of the newly created process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains elevated privileges on the system, allowing them to perform actions they were previously unauthorized to do.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to escalate privileges on the compromised system, potentially gaining administrative or system-level access. 
This can lead to unauthorized access to sensitive data, installation of malware, lateral movement to other systems on the network, and ultimately, complete control over the affected environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Elastic Defend to collect the necessary process creation and event data to activate this rule.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Process Created with a Duplicated Token\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule, focusing on processes with unusual parent-child relationships or unsigned code.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-process-created-with-duplicated-token/","summary":"This rule identifies the creation of a process impersonating the token of another user logon session on Windows, potentially indicating privilege escalation.","title":"Process Created with a Duplicated Token","url":"https://feed.craftedsignal.io/briefs/2024-01-process-created-with-duplicated-token/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["credential-dumping","credential-access","windows","print.exe"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are leveraging the \u003ccode\u003ePrint.exe\u003c/code\u003e utility, a legitimate Windows command-line tool, to dump sensitive operating system files for credential harvesting. This technique involves using \u003ccode\u003ePrint.exe\u003c/code\u003e to copy files like \u003ccode\u003entds.dit\u003c/code\u003e, \u003ccode\u003eSAM\u003c/code\u003e, \u003ccode\u003eSECURITY\u003c/code\u003e, and \u003ccode\u003eSYSTEM\u003c/code\u003e from their protected Windows directories. 
These files contain sensitive credential data that can be extracted offline. This activity was observed in relation to the SolarWinds Web Help Desk exploitation in early 2026. Abuse of \u003ccode\u003ePrint.exe\u003c/code\u003e allows attackers to bypass traditional security measures that focus on blocking known malicious executables. This poses a significant risk because the extracted credentials can be used for lateral movement, privilege escalation, and data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Windows system, potentially through exploitation of a vulnerability in a web application or via compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003eprint.exe\u003c/code\u003e with command-line arguments specifying the source file to copy (e.g., \u003ccode\u003e\\config\\SAM\u003c/code\u003e, \u003ccode\u003e\\windows\\ntds\\ntds.dit\u003c/code\u003e) and the destination path. 
The \u003ccode\u003e/D\u003c/code\u003e flag is used to designate the destination printer or file.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePrint.exe\u003c/code\u003e copies the targeted sensitive file (e.g., NTDS.DIT, SAM, SECURITY, SYSTEM) from its protected location.\u003c/li\u003e\n\u003cli\u003eThe copied file is typically saved to a location accessible to the attacker, either locally or on a network share.\u003c/li\u003e\n\u003cli\u003eThe attacker uses credential harvesting tools (e.g., \u003ccode\u003esecretsdump.py\u003c/code\u003e from Impacket) to extract user credentials (hashes) from the dumped files.\u003c/li\u003e\n\u003cli\u003eThe attacker cracks the password hashes or uses them directly for pass-the-hash attacks.\u003c/li\u003e\n\u003cli\u003eUsing the harvested credentials, the attacker moves laterally to other systems within the network, escalating privileges as needed.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, deployment of ransomware, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to steal domain or local account credentials. These stolen credentials enable unauthorized access to sensitive resources, including critical systems and data. The impact can range from data breaches and financial loss to complete compromise of the affected organization\u0026rsquo;s network. 
While the scale of past attacks is not stated in the source, similar credential dumping attacks have led to breaches affecting millions of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSensitive File Dump Via Print.EXE\u003c/code\u003e to detect abuse of \u003ccode\u003ePrint.exe\u003c/code\u003e for copying sensitive files (logsource: \u003ccode\u003eprocess_creation\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003eprint.exe\u003c/code\u003e with command-line parameters that include sensitive file paths such as \u003ccode\u003e\\config\\SAM\u003c/code\u003e, \u003ccode\u003e\\config\\SECURITY\u003c/code\u003e, \u003ccode\u003e\\config\\SYSTEM\u003c/code\u003e, or \u003ccode\u003e\\windows\\ntds\\ntds.dit\u003c/code\u003e (logsource: \u003ccode\u003eprocess_creation\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eImplement access controls to restrict access to sensitive files like \u003ccode\u003entds.dit\u003c/code\u003e, \u003ccode\u003eSAM\u003c/code\u003e, \u003ccode\u003eSECURITY\u003c/code\u003e, and \u003ccode\u003eSYSTEM\u003c/code\u003e to only authorized accounts and processes.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003eprint.exe\u003c/code\u003e copying files from the \u003ccode\u003e\\config\u003c/code\u003e or \u003ccode\u003e\\windows\\ntds\u003c/code\u003e directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-print-exe-credential-dump/","summary":"Attackers are abusing the legitimate Windows Print.exe utility to copy sensitive files like NTDS.DIT and SAM in order to extract credentials, enabling local or remote credential access.","title":"Print.exe Used to Dump Sensitive Files for Credential 
Access","url":"https://feed.craftedsignal.io/briefs/2024-01-print-exe-credential-dump/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","token-obfuscation","powershell"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly using PowerShell token obfuscation techniques to bypass security measures. This involves manipulating PowerShell command syntax to make it harder for security tools to identify malicious code. This technique leverages Invoke-Obfuscation, a known framework for obfuscating PowerShell scripts. This method allows malicious actors to disguise commands, such as downloading and executing arbitrary code, making traditional signature-based detections less effective. The use of token obfuscation highlights the need for more sophisticated detection strategies that focus on identifying anomalous behavior rather than relying solely on static code analysis. The scope of this threat is broad, as it can be incorporated into various attack vectors, from initial access to lateral movement.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access through an undisclosed method (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003ePowerShell Execution: The attacker initiates a PowerShell process (powershell.exe).\u003c/li\u003e\n\u003cli\u003eToken Obfuscation: The attacker employs token obfuscation techniques, such as inserting backticks (\u003ccode\u003e`\u003c/code\u003e), using string concatenation, or manipulating environment variables, to disguise malicious commands. 
Examples from the source include \u003ccode\u003eIN`V`o`Ke-eXp`ResSIOn\u003c/code\u003e and \u003ccode\u003e${e`Nv:pATh}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eCommand Obfuscation: The obfuscated PowerShell command is executed, masking the intent of the command.\u003c/li\u003e\n\u003cli\u003ePayload Download: The obfuscated command may download a malicious payload from a remote server using methods such as \u003ccode\u003e(New-Object Net.WebClient).DownloadString\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eCode Execution: The downloaded payload is executed, potentially leading to further compromise of the system.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker may establish persistence through various methods.\u003c/li\u003e\n\u003cli\u003eLateral Movement/Exfiltration: Depending on the attacker\u0026rsquo;s objectives, they may move laterally within the network or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation using PowerShell token obfuscation can lead to complete system compromise, data theft, and disruption of services. The obfuscation techniques make it difficult for traditional security tools to detect and prevent the attack. 
The number of victims and sectors targeted is currently unknown, but the potential impact is significant due to the widespread use of PowerShell in enterprise environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Powershell Token Obfuscation with Backticks\u0026rdquo; to identify PowerShell commands containing backtick-obfuscated tokens in \u003ccode\u003eprocess_creation\u003c/code\u003e logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Powershell Token Obfuscation with String Concatenation\u0026rdquo; to identify PowerShell commands using string concatenation to obfuscate tokens in \u003ccode\u003eprocess_creation\u003c/code\u003e logs.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eprocess_creation\u003c/code\u003e logs for PowerShell processes executing commands with environment variable manipulation, as described in the Sigma rules provided.\u003c/li\u003e\n\u003cli\u003eInvestigate any PowerShell processes that exhibit obfuscation techniques to determine if they are malicious.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-powershell-token-obfuscation/","summary":"Adversaries employ token obfuscation techniques within PowerShell commands to evade detection by security tools, leveraging methods such as character insertion, string concatenation, and environment variable manipulation to mask their malicious intent.","title":"PowerShell Token Obfuscation via Process Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-token-obfuscation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","powershell","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers leverage 
Invoke-Obfuscation, a popular PowerShell obfuscation framework, to generate highly obfuscated IEX (Invoke-Expression) commands. This technique allows them to bypass traditional signature-based detections and execute malicious payloads on targeted systems. Invoke-Obfuscation is designed to make PowerShell code difficult to read and analyze, thus hindering security analysts and automated detection systems. The obfuscation techniques include string concatenation using environment variables, character code manipulation, and other methods to mask the true intent of the script. This activity has been observed across various campaigns, typically targeting Windows environments where PowerShell is widely used. Defenders should be aware of this technique and implement robust detection mechanisms to identify and block obfuscated PowerShell execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to the target system through methods such as phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003ePayload Delivery: The attacker uploads a malicious PowerShell script or downloads it from a remote server.\u003c/li\u003e\n\u003cli\u003eObfuscation: The attacker uses Invoke-Obfuscation to obfuscate the PowerShell script, making it difficult to analyze. This can involve techniques like string concatenation using \u003ccode\u003e$PSHome\u003c/code\u003e or \u003ccode\u003e$ShellId\u003c/code\u003e, or using complex variable manipulations.\u003c/li\u003e\n\u003cli\u003eExecution: The attacker executes the obfuscated PowerShell script using \u003ccode\u003epowershell.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIEX Invocation: The obfuscated script leverages \u003ccode\u003eIEX\u003c/code\u003e (Invoke-Expression) to dynamically execute code, further hindering detection. 
The obfuscated strings are deobfuscated at runtime within the IEX context.\u003c/li\u003e\n\u003cli\u003ePersistence (Optional): The attacker may establish persistence by creating scheduled tasks or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eLateral Movement (Optional): The attacker may use the compromised system as a launching point for lateral movement within the network, using tools like \u003ccode\u003ePsExec\u003c/code\u003e or \u003ccode\u003eWinRM\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eObjective: The ultimate objective could be data exfiltration, ransomware deployment, or establishing a long-term foothold for espionage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on the compromised system, leading to various malicious activities such as data theft, system compromise, and ransomware deployment. The use of Invoke-Obfuscation makes detection more challenging, potentially allowing attackers to remain undetected for extended periods. 
This can result in significant financial losses, reputational damage, and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eInvoke-Obfuscation Obfuscated IEX Invocation\u003c/code\u003e to your SIEM to detect obfuscated IEX commands generated by Invoke-Obfuscation.\u003c/li\u003e\n\u003cli\u003eMonitor PowerShell execution logs for suspicious command-line arguments that resemble obfuscation patterns described in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement PowerShell Constrained Language Mode to restrict the capabilities of PowerShell and limit the effectiveness of obfuscation techniques.\u003c/li\u003e\n\u003cli\u003eEnable and review PowerShell Script Block Logging to capture the content of executed scripts, allowing for more in-depth analysis of malicious activity.\u003c/li\u003e\n\u003cli\u003eRegularly update your endpoint detection and response (EDR) solutions to ensure they have the latest signatures and behavioral detection capabilities.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of phishing and other social engineering attacks that may be used to deliver malicious PowerShell scripts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-invoke-obfuscation-iex/","summary":"Attackers use Invoke-Obfuscation, a PowerShell obfuscation framework, to generate obfuscated IEX (Invoke-Expression) commands, evading detection and executing malicious code.","title":"Invoke-Obfuscation Obfuscated IEX Invocation via 
PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-invoke-obfuscation-iex/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["discovery","windows","privileged-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers often perform reconnaissance after compromising a system to plan their next steps. This includes enumerating network resources, users, connections, files, and installed security software. This activity allows attackers to identify high-value targets for lateral movement and credential theft. This detection identifies processes that are unusually enumerating the membership of privileged local groups on Windows systems, such as Administrators or Remote Desktop Users. It is based on Elastic detection rule \u0026ldquo;Enumeration of Privileged Local Groups Membership\u0026rdquo; (rule_id: \u0026ldquo;291a0de9-937a-4189-94c0-3e847c8b13e4\u0026rdquo;). The rule excludes common legitimate utilities to reduce false positives. 
The presence of such enumeration activity, especially by unknown or untrusted processes, should be investigated immediately to determine the scope and intent of the intrusion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a Windows host through an initial access vector like phishing or exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a reconnaissance command or script to gather information about the system.\u003c/li\u003e\n\u003cli\u003eThe command attempts to enumerate the members of privileged local groups, such as Administrators or Remote Desktop Users, using built-in Windows utilities or custom tools.\u003c/li\u003e\n\u003cli\u003eWindows Security Event Logs record the event of user-member enumeration with Event ID 4798 or similar events.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output of the enumeration command to identify potential targets for credential theft or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to move laterally to other systems or escalate privileges on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker compromises additional systems and continues to pursue their objectives, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enumeration of privileged local groups allows attackers to identify accounts with elevated privileges on the compromised system. This information is used to target those accounts for credential theft, enabling lateral movement and further compromise of the network. 
If successful, the attacker gains access to sensitive data, critical systems, or deploys ransomware, causing significant disruption and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Security Group Management to generate the necessary Windows Security Event Logs as described in the Elastic setup guide.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Enumeration of Privileged Local Groups Membership\u0026rdquo; to detect unusual processes enumerating group memberships based on \u003ccode\u003eCallerProcessName\u003c/code\u003e and \u003ccode\u003eTargetSid\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, prioritizing those involving unknown or untrusted processes.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for command-line arguments and tools commonly used for enumeration, such as \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003edsquery\u003c/code\u003e, or PowerShell scripts.\u003c/li\u003e\n\u003cli\u003eImplement least privilege principles to minimize the number of accounts with membership in privileged local groups.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-enumeration-privileged-local-groups/","summary":"An unusual process is enumerating built-in Windows privileged local groups membership, such as Administrators or Remote Desktop users, potentially revealing targets for credential compromise and post-exploitation activities.","title":"Enumeration of Privileged Local Groups 
Membership","url":"https://feed.craftedsignal.io/briefs/2024-01-enumeration-privileged-local-groups/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["reconnaissance","evasion","command-line"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may attempt to obscure their activities by using obfuscated IP addresses within command-line tools. This is done to bypass simple pattern matching or detection rules that rely on standard IP address formats. The Sigma rule \u0026ldquo;Obfuscated IP Via CLI\u0026rdquo; published on 2022-08-03 and modified on 2026-03-16, focuses on detecting this behavior by identifying command lines containing hexadecimal, octal, or other encoded representations of IP addresses used with \u003ccode\u003eping.exe\u003c/code\u003e or \u003ccode\u003earp.exe\u003c/code\u003e. This activity can indicate reconnaissance, command and control communication, or lateral movement attempts where attackers are trying to hide the true destination of their network traffic.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker opens a command prompt (cmd.exe) or PowerShell.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eping.exe\u003c/code\u003e or \u003ccode\u003earp.exe\u003c/code\u003e to test network connectivity.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a command line that includes an obfuscated IP address (e.g., hexadecimal, octal). 
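An added example, not part of the brief or of the Sigma rule: the address parsing that makes these literals work, written as a canonicalizer plus a detector run over a few constructed ping/arp command lines. It follows the inet_addr conventions (leading-zero octal, 0x hexadecimal, and one- to three-component forms that pack the remaining bytes into the last component). The ping option table and the sample command lines are assumptions made for the example.

```python
import ipaddress
import re

# One address component as inet_addr()/getaddrinfo() on Windows reads it:
# 0x-prefixed hex, leading-zero octal, or plain decimal.
_PART = re.compile(r"^(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")
_DOTTED_DECIMAL = re.compile(
    r"^(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$")

# ping.exe switches that consume the following token, so "-n 1" is not read as
# a one-component address literal (assumed list, taken from ping's usage text).
_PING_OPTIONS_WITH_VALUE = {"-n", "-l", "-i", "-v", "-r", "-s", "-j", "-k", "-w", "-S", "-c", "-p"}


def _part_value(part):
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part)


def canonicalize_ipv4(literal):
    """Return the dotted-decimal address an inet_addr-style literal denotes, or None.

    Accepts 1 to 4 components: a.b.c.d, a.b.c (c is 16 bits), a.b (b is 24 bits)
    and a (the whole 32-bit address).  Each component may be decimal, octal
    (leading 0) or hexadecimal (0x).  Anything else, including out-of-range
    values, yields None.
    """
    parts = literal.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    *head, last = [_part_value(p) for p in parts]
    last_width = 8 * (5 - len(parts))          # 32, 24, 16 or 8 bits
    if any(v > 0xFF for v in head) or last >= (1 << last_width):
        return None
    packed = 0
    for v in head:
        packed = (packed << 8) | v
    packed = (packed << last_width) | last
    return str(ipaddress.IPv4Address(packed))


def detect_obfuscated_ip(command_line):
    """Return (token, canonical_address) for the first ping/arp argument that is a
    valid IPv4 literal in a non-dotted-decimal notation, else None."""
    tokens = command_line.split()
    if not tokens:
        return None
    image = tokens[0].strip('"').lower().rsplit("\\", 1)[-1]
    if image not in ("ping", "ping.exe", "arp", "arp.exe"):
        return None
    skip_next = False
    for tok in tokens[1:]:
        if skip_next:
            skip_next = False
            continue
        if tok.startswith(("-", "/")):
            skip_next = image.startswith("ping") and tok in _PING_OPTIONS_WITH_VALUE
            continue
        canonical = canonicalize_ipv4(tok)
        if canonical is not None and not _DOTTED_DECIMAL.match(tok):
            return tok, canonical
    return None


# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_COMMAND_LINES = [
    "ping 0121.04.0174.012",                        # octal, resolves to 81.4.124.10
    r'"C:\Windows\System32\PING.EXE" -n 1 0x7f.1',   # hex plus two-component form: 127.0.0.1
    "ping 2130706433",                               # single 32-bit decimal: 127.0.0.1
    "arp -a 0xC0A80001",                             # hex dword: 192.168.0.1
    "ping -n 4 192.168.0.1",                         # plain dotted decimal, not flagged
    "ping 10.0.0.300",                               # not an address in any notation
    "ping example.invalid",                          # hostname, left to DNS
]


def scan(command_lines):
    """Return [(command_line, token, canonical_address)] for every hit."""
    hits = []
    for cmd in command_lines:
        result = detect_obfuscated_ip(cmd)
        if result:
            hits.append((cmd, *result))
    return hits


if __name__ == "__main__":
    for cmd, tok, addr in scan(SAMPLE_COMMAND_LINES):
        print(f"{cmd!r}: {tok} is {addr}")
```

The canonical form is what an analyst needs for the next step: compare it, not the raw token, against block lists and known infrastructure. Note that a bare small integer such as the `1` in `-n 1` is a legal one-component address, which is why the option table matters; without it the detector would flag half of all ping invocations.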
For example: \u003ccode\u003eping 0121.04.0174.012\u003c/code\u003e, which is octal for 81.4.124.10.\u003c/li\u003e\n\u003cli\u003eThe command is executed. \u003ccode\u003eping.exe\u003c/code\u003e hands the literal to the Windows resolver, which reads a component with a leading 0 as octal, a component with a 0x prefix as hexadecimal, and a literal with fewer than four components as packing the remaining bytes into its last component, so the address resolves exactly as the dotted-decimal form would.\u003c/li\u003e\n\u003cli\u003eThe obfuscation therefore changes nothing on the wire; it defeats only detections that match on dotted-decimal notation or on a block list written that way.\u003c/li\u003e\n\u003cli\u003eThe attacker gathers information about the target system (if ping is successful) or network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses this information for further exploitation or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful use of obfuscated IP addresses can lead to undetected reconnaissance, lateral movement, and data exfiltration. By hiding the true destination of network traffic from string-based controls, attackers can reach their infrastructure without tripping IP-based alerts. The impact includes potential data breaches, system compromise, and disruption of services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Obfuscated IP Via CLI\u0026rdquo; Sigma rule to your SIEM to detect command-line execution with obfuscated IP addresses.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with full command lines (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing turned on) so that the Sigma rule has the data it needs for \u003ccode\u003eping.exe\u003c/code\u003e and \u003ccode\u003earp.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine if the activity is malicious.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the scope of potential lateral movement.\u003c/li\u003e\n\u003cli\u003eMonitor command-line activity for unusual patterns or arguments, and canonicalize any address literal to dotted-decimal before comparing it with block lists.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-obfuscated-ip-cli/","summary":"The use of command-line tools like ping.exe or arp.exe with 
obfuscated IP addresses (hex, octal, etc.) in the command line can indicate reconnaissance activity or attempts to evade security controls by masking the true destination.","title":"Detection of Obfuscated IP Addresses via Command Line Tools","url":"https://feed.craftedsignal.io/briefs/2024-01-03-obfuscated-ip-cli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["attack.execution","attack.privilege-escalation","attack.persistence","attack.t1053.005"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis brief focuses on the detection of malicious activity related to the deletion or disabling of important scheduled tasks within a Windows environment. Adversaries may target these tasks to disrupt normal system operations, escalate privileges, establish persistence, or facilitate data destruction. The targeted tasks often include critical system functions like System Restore, Windows Defender updates, BitLocker encryption, Windows Backup processes, and Windows Update mechanisms. 
This…\u003c/p\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-scheduled-task-deletion/","summary":"Adversaries delete or disable critical scheduled tasks, such as those related to system restore, Windows Defender, BitLocker, Windows Backup, or Windows Update, to disrupt operations and potentially conduct data destructive activities.","title":"Detection of Important Scheduled Task Deletion or Disablement","url":"https://feed.craftedsignal.io/briefs/2024-01-scheduled-task-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["attack.impact","attack.t1489"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may attempt to delete scheduled tasks to disable security mechanisms or prevent system recovery, creating an environment conducive to data destruction. This involves using the \u003ccode\u003eschtasks.exe\u003c/code\u003e utility to remove scheduled tasks related to critical system functions. This activity is designed to impair incident response, prevent restoration of systems, and generally increase the impact of an attack. 
This is done by removing the scheduled tasks, which prevents the execution of security…\u003c/p\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-schtasks-deletion/","summary":"Adversaries delete critical scheduled tasks, such as those related to BitLocker, ExploitGuard, System Restore, Windows Defender, and Windows Update, to disrupt security measures and enable data destruction.","title":"Deletion of Critical Scheduled Tasks","url":"https://feed.craftedsignal.io/briefs/2024-01-03-schtasks-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["proxy-execution","net-utility","defense-evasion","execution","signed-binary-proxy-execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief addresses the abuse of trusted Microsoft .NET binaries as proxies for malicious code execution. Attackers leverage script-based execution (e.g., PowerShell, VBScript, batch files) from atypical or user-writable directories to launch .NET utilities like aspnet_compiler.exe, msbuild.exe, regasm.exe, InstallUtil.exe, and vbc.exe. This method allows threat actors to bypass security controls and blend in with legitimate system activity. Observed activity occurs in environments where endpoint detection and response (EDR) agents are deployed. A command line that consists of nothing more than the utility\u0026rsquo;s own image path, with no arguments, reinforces the suspicion of proxy execution: a legitimate build or install step normally passes the utility a project or assembly to work on. 
This technique has been associated with malware campaigns, including the deployment of VIP Keylogger.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (potentially through phishing or exploiting a software vulnerability, although this source does not specify the entry vector).\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious script (e.g., a PowerShell script) into a user-writable directory such as C:\\Users\\Public\\ or C:\\Temp\\.\u003c/li\u003e\n\u003cli\u003eThe malicious script executes, and is often obfuscated to evade detection, from the non-standard location.\u003c/li\u003e\n\u003cli\u003eThe script then calls a legitimate .NET utility (e.g., InstallUtil.exe) to execute malicious code.\u003c/li\u003e\n\u003cli\u003eThe .NET utility executes with minimal command-line arguments, often just the executable path itself, to further blend in with legitimate activity.\u003c/li\u003e\n\u003cli\u003eThe .NET utility loads and executes attacker-controlled code, bypassing application control policies.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs actions such as keylogging (as seen with VIP Keylogger), credential theft, or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation enables attackers to bypass application control and execute arbitrary code, potentially leading to data theft, system compromise, and persistent access. While the number of victims and specific sectors are not detailed in this brief\u0026rsquo;s source, the use of VIP Keylogger as a payload demonstrates the potential for sensitive data exfiltration. 
Organizations lacking robust endpoint detection capabilities are at significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect .NET Utility Execution from Unusual Script Parents\u0026rdquo; to identify potential proxy execution attempts based on process relationships and file paths (rule provided below).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of .NET utilities (aspnet_compiler.exe, msbuild.exe, regasm.exe, InstallUtil.exe, vbc.exe) being launched from user-writable directories, especially when the parent process is a script interpreter (batch, CMD, PowerShell, JScript, VBScript, HTML).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events (Sysmon EventID 1 or Windows Event Log Security 4688) for unusual parent-child process relationships involving script interpreters and .NET utilities.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of .NET utilities from untrusted locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-proxy-execution-net-utilities/","summary":"Detects the execution of .NET utilities by script processes from unusual locations, indicative of signed binary proxy execution for defense evasion and code execution.","title":"Windows Proxy Execution of .NET Utilities via Scripts","url":"https://feed.craftedsignal.io/briefs/2024-01-03-proxy-execution-net-utilities/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["execution","lateral-movement","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe detection rule identifies suspicious PowerShell activity related to scheduled tasks. 
Adversaries abuse the Task Scheduler to run commands on remote hosts, facilitating lateral movement or remote discovery. The rule monitors for the Task Scheduler COM library being loaded into a PowerShell host (powershell.exe, pwsh.exe, powershell_ise.exe) followed by an outbound RPC connection from that same process, signaling potential misuse. This activity may be indicative of attackers leveraging scheduled tasks for remote execution or reconnaissance within a compromised network. The detection logic focuses on the sequence of loading \u003ccode\u003etaskschd.dll\u003c/code\u003e and initiating a connection to TCP port 135, the RPC endpoint mapper through which DCOM and the remote Task Scheduler interface are located.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell to drive the Task Scheduler service, for example by instantiating the \u003ccode\u003eSchedule.Service\u003c/code\u003e COM object (\u003ccode\u003eNew-Object -ComObject Schedule.Service\u003c/code\u003e) and calling its \u003ccode\u003eConnect\u003c/code\u003e method with a remote host name.\u003c/li\u003e\n\u003cli\u003eThe PowerShell process (powershell.exe, pwsh.exe, or powershell_ise.exe) loads the \u003ccode\u003etaskschd.dll\u003c/code\u003e library, the in-process COM server for that object.\u003c/li\u003e\n\u003cli\u003ePowerShell initiates an outbound connection to TCP port 135 on the remote host to locate the Task Scheduler RPC endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a scheduled task on the remote host through that session.\u003c/li\u003e\n\u003cli\u003eThe scheduled task is configured to execute a malicious payload.\u003c/li\u003e\n\u003cli\u003eThe malicious payload executes, potentially leading to lateral movement or remote discovery.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as gaining control of additional systems or gathering sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized remote code execution, lateral movement within the network, and the potential compromise of sensitive data. 
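An added example, not the rule's own query or code from Elastic: the two-step sequence implemented over constructed Sysmon Event ID 7 and Event ID 3 records, with the window that the brief calls `maxspan` as a parameter. The events, process GUIDs and paths are made up for the example, and skipping loopback destinations is a design assumption (a connect to the local service is not the remote-host case the sequence is after).

```python
from datetime import datetime

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
LOOPBACK = {"127.0.0.1", "::1"}


def _ts(utc_time):
    """Sysmon writes UtcTime as 'YYYY-MM-DD HH:MM:SS.mmm'."""
    return datetime.strptime(utc_time, "%Y-%m-%d %H:%M:%S.%f")


def _image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events, maxspan_seconds=5):
    """Sequence check over Sysmon events given as dicts keyed like EventData.

    An Event ID 7 (image load) of taskschd.dll by a PowerShell host is
    remembered per ProcessGuid.  A later Event ID 3 (network connection) from
    the same ProcessGuid to TCP 135 on a non-loopback address, no more than
    `maxspan_seconds` after the load, yields one alert.  Keying on ProcessGuid
    rather than ProcessId avoids pairing events from two processes that
    happened to reuse a PID.
    """
    alerts = []
    last_load = {}  # ProcessGuid -> time of the most recent taskschd.dll load
    for ev in sorted(events, key=lambda e: _ts(e["UtcTime"])):
        if _image_name(ev["Image"]) not in POWERSHELL_IMAGES:
            continue
        when = _ts(ev["UtcTime"])
        if ev["EventID"] == 7 and _image_name(ev["ImageLoaded"]) == "taskschd.dll":
            last_load[ev["ProcessGuid"]] = when
        elif (ev["EventID"] == 3
              and ev.get("Protocol", "tcp").lower() == "tcp"
              and int(ev["DestinationPort"]) == 135
              and ev["DestinationIp"] not in LOOPBACK):
            loaded = last_load.get(ev["ProcessGuid"])
            if loaded is not None and 0 <= (when - loaded).total_seconds() <= maxspan_seconds:
                alerts.append({
                    "process_guid": ev["ProcessGuid"],
                    "image": ev["Image"],
                    "destination": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}',
                    "gap_seconds": (when - loaded).total_seconds(),
                })
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PWSH = r"C:\Program Files\PowerShell\7\pwsh.exe"
MMC = r"C:\Windows\System32\mmc.exe"
TASKSCHD = r"C:\Windows\System32\taskschd.dll"

# Constructed sample events (not real telemetry); ProcessGuids shortened for readability.
SAMPLE_EVENTS = [
    # A: taskschd.dll loaded, then RPC to a remote host two seconds later: alert
    {"EventID": 7, "UtcTime": "2024-01-03 10:00:00.000", "ProcessGuid": "{A}", "Image": PS, "ImageLoaded": TASKSCHD},
    {"EventID": 3, "UtcTime": "2024-01-03 10:00:02.000", "ProcessGuid": "{A}", "Image": PS, "Protocol": "tcp", "DestinationIp": "10.0.0.5", "DestinationPort": 135},
    # A again: the same process talking to the local endpoint mapper: skipped
    {"EventID": 3, "UtcTime": "2024-01-03 10:00:03.000", "ProcessGuid": "{A}", "Image": PS, "Protocol": "tcp", "DestinationIp": "127.0.0.1", "DestinationPort": 135},
    # B: load, then the connection a minute later: outside the default window
    {"EventID": 7, "UtcTime": "2024-01-03 10:00:00.000", "ProcessGuid": "{B}", "Image": PWSH, "ImageLoaded": TASKSCHD},
    {"EventID": 3, "UtcTime": "2024-01-03 10:01:00.000", "ProcessGuid": "{B}", "Image": PWSH, "Protocol": "tcp", "DestinationIp": "10.0.0.6", "DestinationPort": 135},
    # C: port 135 with no preceding load in that process: no alert
    {"EventID": 3, "UtcTime": "2024-01-03 10:00:04.000", "ProcessGuid": "{C}", "Image": PS, "Protocol": "tcp", "DestinationIp": "10.0.0.7", "DestinationPort": 135},
    # D: the same sequence from mmc.exe (Task Scheduler snap-in): outside the rule's scope
    {"EventID": 7, "UtcTime": "2024-01-03 10:00:00.000", "ProcessGuid": "{D}", "Image": MMC, "ImageLoaded": TASKSCHD},
    {"EventID": 3, "UtcTime": "2024-01-03 10:00:01.000", "ProcessGuid": "{D}", "Image": MMC, "Protocol": "tcp", "DestinationIp": "10.0.0.8", "DestinationPort": 135},
]

if __name__ == "__main__":
    for window in (5, 120):
        hits = [(a["destination"], a["gap_seconds"]) for a in correlate(SAMPLE_EVENTS, window)]
        print(f"maxspan={window}s: {hits}")
```

Process B shows what the window tunes: with the default five seconds it is silent, with two minutes it alerts. Widening the window catches a slow operator but also pairs unrelated events from long-lived PowerShell hosts, so set it from observed gaps rather than guessing.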
The creation or modification of scheduled tasks can provide persistence for attackers, allowing them to maintain access to compromised systems even after reboots. The impact includes potential data breaches, system compromise, and disruption of services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 7 (Image Loaded) and Event ID 3 (Network Connection) logging to detect the specific activity described in the attack chain.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Outbound Scheduled Task Activity via PowerShell\u0026rdquo; to your SIEM and tune the \u003ccode\u003emaxspan\u003c/code\u003e value based on your environment\u0026rsquo;s typical activity patterns.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the specific PowerShell commands used and the scheduled tasks created or modified.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to port 135 originating from PowerShell processes, and correlate with other security events to identify suspicious patterns.\u003c/li\u003e\n\u003cli\u003eImplement stricter controls on the creation and modification of scheduled tasks, limiting access to authorized personnel only.\u003c/li\u003e\n\u003cli\u003eReview and clean up any unauthorized scheduled tasks on systems to prevent persistent malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-scheduled-task-powershell/","summary":"This rule detects PowerShell loading the Task Scheduler COM DLL followed by an outbound RPC network connection, potentially indicating lateral movement or remote discovery via scheduled tasks.","title":"Suspicious Outbound Scheduled Task Activity via 
PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-scheduled-task-powershell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","VMware Tools"],"_cs_severities":["medium"],"_cs_tags":["persistence","privilege-escalation","time-provider"],"_cs_type":"advisory","_cs_vendors":["Microsoft","VMware"],"content_html":"\u003cp\u003eThe Windows Time service (W32Time) synchronizes the system clock with other devices on the network, using time providers implemented as DLL files located in the System32 folder. This architecture can be abused by adversaries to establish persistence by registering and enabling a malicious DLL as a time provider. The W32Time service starts during Windows startup and loads w32time.dll. This technique involves modifying specific registry keys associated with the Time Providers, enabling a malicious DLL to be loaded and executed every time the service starts. This can allow an attacker to maintain persistent access to the system, even after a reboot. The Elastic Security team has identified this persistence method and provided a detection rule to identify such modifications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through an exploit, phishing, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains administrator privileges on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts or deploys a malicious DLL to be used as a time provider.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry to register the malicious DLL as a valid time provider. 
The registry keys under \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\\u003c/code\u003e are targeted: the attacker creates a new subkey whose \u003ccode\u003eDllName\u003c/code\u003e value points at the malicious DLL, alongside the \u003ccode\u003eEnabled\u003c/code\u003e and \u003ccode\u003eInputProvider\u003c/code\u003e DWORD values that the legitimate providers (NtpClient, NtpServer) also carry.\u003c/li\u003e\n\u003cli\u003eThe attacker enables the newly registered time provider by setting \u003ccode\u003eEnabled\u003c/code\u003e to 1.\u003c/li\u003e\n\u003cli\u003eThe W32Time service is restarted, or the system is rebooted.\u003c/li\u003e\n\u003cli\u003eThe W32Time service loads the malicious DLL, executing the attacker\u0026rsquo;s code.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the attacker to achieve persistence on the compromised system. The attacker can execute arbitrary code every time the W32Time service starts. This may lead to further malicious activities, such as data theft, lateral movement, or the installation of additional malware. The impact is significant, as the attacker can maintain long-term control over the system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eTime Provider DLL Registration\u003c/code\u003e to detect the registration of new DLL files as Time Providers in the registry.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging (Event IDs 12 and 13) to capture registry modifications, as this is a requirement for the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any registry changes to the \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\\u003c/code\u003e path, especially those adding new DLLs or pointing \u003ccode\u003eDllName\u003c/code\u003e outside \u003ccode\u003eSystem32\u003c/code\u003e, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eExpect \u003ccode\u003emsiexec.exe\u003c/code\u003e to register a DLL under \u003ccode\u003eProgram Files\\VMware\\VMware Tools\u003c/code\u003e on VMware guests (the VMware Tools time provider); this is the kind of known-benign case the rule has to exclude, but the DLL and its signature should still be 
validated.\u003c/li\u003e\n\u003cli\u003eRegularly audit and validate the list of registered Time Providers on critical systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-time-provider-modification/","summary":"Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider by modifying registry keys associated with the W32Time service.","title":"Potential Persistence via Time Provider Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-time-provider-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Citrix Workspace"],"_cs_severities":["medium"],"_cs_tags":["persistence","privilege-escalation","application-shimming","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Citrix"],"content_html":"\u003cp\u003eApplication shimming is a compatibility mechanism in Windows that allows older applications to run on newer operating systems. However, attackers can abuse this functionality to gain persistence and execute arbitrary code in the context of legitimate Windows processes. This is achieved by using the \u003ccode\u003esdbinst.exe\u003c/code\u003e utility to install malicious application compatibility databases (.sdb files). These databases can then be used to inject malicious code into targeted applications. The detection rule focuses on identifying suspicious invocations of \u003ccode\u003esdbinst.exe\u003c/code\u003e with arguments that do not include benign flags, indicating potential misuse of the application shimming mechanism. 
This technique is stealthy because it allows attackers to execute code within trusted processes, making it harder to detect.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker deploys or creates a malicious .sdb file containing code to be injected.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003esdbinst.exe\u003c/code\u003e to install the malicious .sdb file. The command line arguments often lack common benign flags like \u0026ldquo;-m\u0026rdquo;, \u0026ldquo;-bg\u0026rdquo;, or \u0026ldquo;-mm\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe operating system loads the shim database when the targeted application is launched.\u003c/li\u003e\n\u003cli\u003eThe malicious code within the .sdb file is executed in the context of the targeted application.\u003c/li\u003e\n\u003cli\u003eThe attacker gains persistent access to the system, as the shim is loaded each time the targeted application is executed.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities, such as data exfiltration, lateral movement, or further exploitation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful application shimming attack can allow an attacker to maintain persistent access to a compromised system. This can lead to data theft, system compromise, and further malicious activities. Because the malicious code executes within a trusted process, detection can be challenging, and the attacker can potentially bypass security controls. 
While the number of victims is unknown, this technique is particularly effective against organizations that rely on specific applications, as the attacker can target those applications for persistence.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Application Shimming via Sdbinst\u0026rdquo; to your SIEM to detect suspicious invocations of \u003ccode\u003esdbinst.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the command-line arguments of \u003ccode\u003esdbinst.exe\u003c/code\u003e executions, which is required for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate and remove any unauthorized or suspicious application compatibility databases (.sdb files). Installed custom databases are copied to \u003ccode\u003e%SystemRoot%\\AppPatch\\Custom\\\u003c/code\u003e (and \u003ccode\u003eCustom64\\\u003c/code\u003e) and registered under \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\u003c/code\u003e and \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\u003c/code\u003e, so those are the places to check; uninstall a rogue database with \u003ccode\u003esdbinst.exe -u\u003c/code\u003e so that the registry entries are removed along with the file.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for \u003ccode\u003esdbinst.exe\u003c/code\u003e executions across the network to detect and respond to future attempts at application shimming.\u003c/li\u003e\n\u003cli\u003eRegularly review and update the rule\u0026rsquo;s exclusion list to ensure that only verified and necessary exclusions are maintained, so that genuine threats are not filtered out.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-app-shimming/","summary":"Attackers abuse the Application Shim functionality in Windows by using `sdbinst.exe` with malicious arguments to achieve persistence and execute arbitrary code within legitimate Windows processes.","title":"Potential Application Shimming via Sdbinst","url":"https://feed.craftedsignal.io/briefs/2024-01-app-shimming/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["credential-access","lsass","dll-injection","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","McAfee","SecMaker AB","HID 
Global","Apple","Citrix Systems","Dell","Hewlett-Packard Company","Symantec Corporation","National Instruments Corporation","DigitalPersona","Novell","Gemalto","EasyAntiCheat Oy","Entrust Datacard Corporation","AuriStor","LogMeIn","VMware","Nubeva Technologies Ltd","Micro Focus","Yubico AB","Secure Endpoints","Sophos","Morphisec Information Security","Entrust","F5 Networks","Bit4id","Thales DIS CPL USA","Micro Focus International plc","HYPR Corp","Intel","PGP Corporation","Parallels International GmbH","FrontRange Solutions Deutschland GmbH","SecureLink","Tidexa OU","Amazon Web Services","SentryBay Limited","Audinate Pty Ltd","CyberArk Software","NVIDIA","Trend Micro","Fortinet","Carbon Black"],"content_html":"\u003cp\u003eThe Local Security Authority Subsystem Service (LSASS) is a critical Windows component that manages security policies and user authentication. Attackers often target LSASS to dump credentials, using techniques like injecting malicious DLLs. This detection focuses on identifying instances where LSASS loads a DLL that is either unsigned or not signed by a trusted vendor. The rule excludes known legitimate signatures and file hashes to reduce false positives. This activity is a strong indicator of credential access attempts, potentially leading to further compromise of the system and network. 
The signatures identified in the rule contain well-known software vendors like Microsoft, McAfee and Citrix.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means (e.g., phishing, exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain sufficient access to interact with the LSASS process.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious DLL onto the system, often disguised as a legitimate file.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious DLL into the LSASS process using techniques like Reflective DLL Injection.\u003c/li\u003e\n\u003cli\u003eLSASS loads the injected DLL, granting the attacker access to sensitive credentials stored in memory.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL dumps credentials, such as plaintext passwords or NTLM hashes.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials for lateral movement to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to credential compromise, allowing attackers to move laterally within the network, access sensitive data, and potentially achieve complete domain dominance. This can result in data breaches, financial losses, and reputational damage. 
The impact depends on the level of access associated with the compromised credentials.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eLSASS Loading Untrusted DLL\u003c/code\u003e Sigma rule to your SIEM to detect suspicious DLLs loaded by LSASS.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule and review the loaded DLL\u0026rsquo;s code signature, hash, and on-disk path.\u003c/li\u003e\n\u003cli\u003eTreat the SHA256 hashes embedded in the rule as its allowlist of known-legitimate DLLs, not as indicators of compromise; block only hashes that your own investigation confirms as malicious.\u003c/li\u003e\n\u003cli\u003eEnable LSA protection (\u003ccode\u003eRunAsPPL\u003c/code\u003e) so that lsass.exe runs as a protected process and loads only Microsoft-signed code, and use application control (for example WDAC) to restrict which DLLs can be loaded into LSASS.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation (Event ID 1) and image load (Event ID 7) logging, with image loads into \u003ccode\u003elsass.exe\u003c/code\u003e included in the Sysmon configuration, to provide the necessary data for detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-lsass-suspicious-dll/","summary":"Detection of LSASS loading an unsigned or untrusted DLL, which can indicate credential access attempts by malicious actors targeting sensitive information stored in the LSASS process.","title":"LSASS Loading Suspicious DLL","url":"https://feed.craftedsignal.io/briefs/2024-01-lsass-suspicious-dll/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","persistence","privilege-escalation","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies the creation of executable or script files in unusual directories on Windows systems. Adversaries often leverage these unconventional locations to evade standard security monitoring and establish persistence. 
The technique involves placing malicious files with extensions like \u003ccode\u003e.exe\u003c/code\u003e, \u003ccode\u003e.dll\u003c/code\u003e, \u003ccode\u003e.ps1\u003c/code\u003e, and others in directories such as \u003ccode\u003e\\windows\\fonts\\\u003c/code\u003e, \u003ccode\u003e\\users\\public\\\u003c/code\u003e, \u003ccode\u003e\\Windows\\debug\\\u003c/code\u003e, and others deemed atypical for such file types. This activity can bypass traditional signature-based detections and enable the execution of unauthorized code. The scope of this threat covers Windows systems where such file creation events are logged and monitored. This is important for defenders because successful exploitation leads to arbitrary code execution, persistence and further malicious activity within the compromised environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, potentially through exploitation of a vulnerability or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to a suspicious directory, such as \u003ccode\u003eC:\\Windows\\Fonts\\\u003c/code\u003e or \u003ccode\u003eC:\\Users\\Public\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious executable file (e.g., \u003ccode\u003eevil.exe\u003c/code\u003e) or a script (e.g., \u003ccode\u003eevil.ps1\u003c/code\u003e) into the chosen directory.\u003c/li\u003e\n\u003cli\u003eThe attacker employs techniques to execute the malicious file, such as creating a scheduled task, modifying registry keys, or leveraging other \u0026ldquo;living off the land\u0026rdquo; binaries.\u003c/li\u003e\n\u003cli\u003eThe malicious file executes, performing actions such as establishing persistence, escalating privileges, or deploying additional malware.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the established persistence to maintain access to the compromised 
system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement to other systems within the network, utilizing tools such as PsExec or PowerShell.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their ultimate objective, such as data exfiltration, system disruption, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the installation of malware, unauthorized access to sensitive data, and complete system compromise. The creation of executables in suspicious paths is a common technique used by various threat actors. Multiple analytic stories are tagged, including PlugX, LockBit Ransomware, and Volt Typhoon. This technique is leveraged to evade detection and maintain a persistent presence on the compromised system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon EventID 11 logging to capture file creation events, which is the data source for the analytic.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect the creation of executables or scripts in suspicious paths.\u003c/li\u003e\n\u003cli\u003eInvestigate and validate any alerts generated by the Sigma rule, focusing on the process and user context.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring (FIM) on critical directories to detect unauthorized file modifications.\u003c/li\u003e\n\u003cli\u003eReview and harden file system permissions to restrict write access to suspicious directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-executable-creation-suspicious-path/","summary":"This analytic identifies the creation of executables or scripts in suspicious file paths on Windows systems, where adversaries often use these paths to evade detection and maintain persistence, 
potentially leading to unauthorized code execution, privilege escalation, or persistence within the environment.","title":"Executable or Script Creation in Suspicious Paths","url":"https://feed.craftedsignal.io/briefs/2024-01-03-executable-creation-suspicious-path/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Windows","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","execution","windows","scheduled-task"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies remote scheduled task creations on a target host, which can be indicative of lateral movement. Adversaries often leverage scheduled tasks to execute malicious commands, maintain persistence, or escalate privileges. This technique is particularly effective as it uses native Windows functionality, making it harder to distinguish from legitimate administrative actions. This rule is designed for data generated by Elastic Defend and also supports third-party data sources such as SentinelOne Cloud Funnel and Sysmon. Understanding when and how scheduled tasks are created remotely is crucial for detecting and responding to potential intrusions. 
The rule focuses on network connections from svchost.exe and registry modifications related to task actions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to scan the network for potential targets.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to a target Windows host using stolen credentials or by exploiting a vulnerability in a network service.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a network connection to the target host\u0026rsquo;s Task Scheduler service, typically using ports in the dynamic port range (49152+). This connection originates from svchost.exe.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new scheduled task on the target system using the Task Scheduler service.\u003c/li\u003e\n\u003cli\u003eThis creation involves modifying the registry key \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{TaskID}\\Actions\u003c/code\u003e to define the task\u0026rsquo;s actions. The \u0026lsquo;Actions\u0026rsquo; value is often base64 encoded.\u003c/li\u003e\n\u003cli\u003eThe scheduled task executes a malicious payload, granting the attacker further access or control over the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly gained access for lateral movement, data exfiltration, or other malicious objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive systems, data breaches, and further lateral movement within the network. 
The rule is designed to catch this activity, reducing the dwell time of attackers and minimizing potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM and tune them for your environment to detect malicious scheduled task creation.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 3 (Network Connection) and Sysmon Registry Events to enhance visibility into network connections and registry modifications (see Setup instructions).\u003c/li\u003e\n\u003cli\u003eReview the base64-encoded task Actions registry value to investigate the task\u0026rsquo;s configured action (see rule description).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the scheduled task creation and the intent behind the configured action.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-remote-scheduled-task-creation/","summary":"This rule identifies remote scheduled task creations on a target Windows host, potentially indicating lateral movement by adversaries, by monitoring network connections and registry modifications related to task scheduling.","title":"Detecting Remote Scheduled Task Creation for Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-scheduled-task-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["persistence","impact","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious remote password resets targeting potentially privileged accounts on Windows systems. Attackers may attempt to reset passwords to maintain unauthorized access, evade password duration policies, or preserve compromised credentials. 
The rule focuses on network logins followed by password reset actions, specifically targeting privileged accounts to reduce false positives. The rule leverages Windows Security Event Logs to detect successful network logins and subsequent password reset events. The goal is to detect anomalous password reset activities that could indicate malicious activity. The rule was last updated on 2026/05/04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the network (e.g., through credential theft or phishing).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts a network login to a Windows system, generating a 4624 event with logon type \u0026ldquo;Network\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe system logs a successful authentication event (event ID 4624) with a network logon type.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a privileged account, such as an administrator account or a service account with elevated permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a password reset for the privileged account.\u003c/li\u003e\n\u003cli\u003eA password reset event (event ID 4724) is triggered, indicating that a password has been reset.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the reset password to maintain persistent access to the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions using the compromised privileged account, potentially leading to data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful password resets of privileged accounts can lead to significant security breaches. Attackers can maintain persistent access, escalate privileges, and move laterally within the network. This can result in data theft, system compromise, and disruption of services. 
If successful, attackers can potentially gain control over critical systems and data, leading to significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the Windows audit policies for \u0026ldquo;Audit Logon\u0026rdquo; and \u0026ldquo;Audit User Account Management\u0026rdquo; to generate the necessary events for this detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Remote Password Reset of Privileged Account\u0026rdquo; to your SIEM and tune it to your environment, excluding legitimate administrative accounts and processes.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by reviewing the source IP address and the target account to determine if the password reset was authorized.\u003c/li\u003e\n\u003cli\u003eMonitor for Event ID 4724 (Account Password Reset) in conjunction with network login events to identify suspicious password reset activity.\u003c/li\u003e\n\u003cli\u003eReview and update access controls and privileged account management policies to prevent similar incidents in the future, as mentioned in the overview section.\u003c/li\u003e\n\u003cli\u003eCreate exceptions for known IT personnel or service accounts that legitimately perform remote password resets, as detailed in the false positive analysis section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:30:00Z","date_published":"2024-01-02T15:30:00Z","id":"/briefs/2024-01-remote-password-reset/","summary":"The rule detects attempts to reset potentially privileged account passwords remotely, a tactic used by adversaries to maintain access, evade password policies, and preserve compromised credentials.","title":"Account Password Reset 
Remotely","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-password-reset/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["attack.execution","attack.defense-evasion","csc.exe","payload-delivery"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are leveraging the legitimate Csc.exe (C# compiler) to execute malicious code, often as a part of defense evasion or payload delivery. This is achieved by spawning Csc.exe from unusual parent processes such as scripting hosts (cscript.exe, wscript.exe), Office applications (excel.exe, winword.exe), or PowerShell, especially when combined with encoded commands. Observed techniques also include launching Csc.exe from temporary or unusual directories. This activity bypasses traditional application whitelisting and can lead to the execution of arbitrary code. This activity has been associated with WarzoneRAT, DarkVNC, and the delivery of IMAPLoader malware.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eA script or Office macro executes, initiating a command-line process.\u003c/li\u003e\n\u003cli\u003eThis process then invokes a scripting host (e.g., cscript.exe) or PowerShell.\u003c/li\u003e\n\u003cli\u003eThe scripting host or PowerShell executes a command that downloads or creates a C# source code file.\u003c/li\u003e\n\u003cli\u003eCsc.exe is then invoked, often from a temporary directory, to compile the downloaded/created C# code.\u003c/li\u003e\n\u003cli\u003eThe compiled C# code executes, performing malicious actions.\u003c/li\u003e\n\u003cli\u003eThe malicious code may establish persistence, communicate with a C2 server, or perform data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe final objective might be to deploy 
ransomware, steal sensitive data, or establish a persistent backdoor.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to compromise systems, steal data, or deploy malware. Depending on the user\u0026rsquo;s permissions, the attacker could gain elevated privileges. The observed techniques have been associated with ransomware deployment, data theft, and remote access trojans (RATs).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Csc.EXE Execution Form Potentially Suspicious Parent\u0026rdquo; to detect suspicious parent processes of csc.exe.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for csc.exe with parent processes like scripting hosts or Office applications.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of csc.exe being executed from temporary directories or user profile locations by reviewing process_creation logs.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture detailed process information, including parent-child relationships, for effective detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:00:00Z","date_published":"2024-01-02T15:00:00Z","id":"/briefs/2024-01-02-csc-suspicious-parent/","summary":"The Csc.exe (C# compiler) process is being launched by unusual parent processes or from suspicious locations, indicating potential malware execution or defense evasion.","title":"Suspicious CSC.exe Parent Process","url":"https://feed.craftedsignal.io/briefs/2024-01-02-csc-suspicious-parent/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":true,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["execution","script","temp"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies suspicious script 
executions originating from temporary directories. Threat actors often leverage temporary folders to stage and execute malicious scripts, such as PowerShell, VBScript, or even HTML applications (MSHTA) to evade detection or bypass security controls. These scripts can be delivered through various means, including phishing attacks, drive-by downloads, or as part of a multi-stage malware infection. The execution of scripts from temporary directories is generally uncommon for legitimate software, making it a valuable indicator of potentially malicious activity. This detection focuses on identifying processes like powershell.exe, pwsh.exe, mshta.exe, wscript.exe, and cscript.exe executing from or referencing standard temporary paths in their command line.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious script (e.g., PowerShell, VBScript) is downloaded or dropped into a temporary directory such as \u003ccode\u003eC:\\Windows\\Temp\u003c/code\u003e, \u003ccode\u003e\\AppData\\Local\\Temp\u003c/code\u003e, or similar.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a process like \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e to invoke the downloaded script.\u003c/li\u003e\n\u003cli\u003eThe script executes, potentially performing reconnaissance, privilege escalation, or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe script may download additional payloads from a remote server.\u003c/li\u003e\n\u003cli\u003eThe script establishes persistence through registry modification or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe script performs malicious actions such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to remove the initial script files to cover their tracks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a 
range of consequences, including data theft, system compromise, and ransomware infection. The execution of malicious scripts from temporary directories can provide attackers with a foothold in the network, allowing them to move laterally, escalate privileges, and ultimately achieve their objectives. Depending on the script\u0026rsquo;s capabilities, it could also lead to system instability or denial of service.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Script Execution From Temp Folder\u0026rdquo; to your SIEM to detect script execution from temporary directories. Tune the rule\u0026rsquo;s filters for known-good software installers in your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture the necessary information for the Sigma rule (logsource: process_creation).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent process and the script\u0026rsquo;s actions.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of scripts from temporary directories where possible.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T14:30:00Z","date_published":"2024-01-02T14:30:00Z","id":"/briefs/2024-01-script-exec-temp/","summary":"This brief covers a detection for suspicious script execution, such as PowerShell, WScript, or MSHTA, originating from common temporary directories, potentially indicating malware activity.","title":"Suspicious Script Execution from Temporary 
Directory","url":"https://feed.craftedsignal.io/briefs/2024-01-script-exec-temp/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["low"],"_cs_tags":["execution","defense-evasion","windows","ping","lolbas"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may use ping to introduce pauses, allowing them to execute harmful scripts or binaries stealthily. This delayed execution is often observed during malware installation and is consistent with an attacker attempting to evade detection. The adversary uses \u003ccode\u003eping.exe\u003c/code\u003e with the \u003ccode\u003e-n\u003c/code\u003e argument from within a \u003ccode\u003ecmd.exe\u003c/code\u003e shell, and the parent process is running under a user context other than SYSTEM. The subsequent process is \u003ccode\u003ecmd.exe\u003c/code\u003e invoking a known malicious utility, such as \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e, or an executable from the user\u0026rsquo;s AppData directory without a valid code signature. 
\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attack begins with an initial access vector (not specified in source).\u003c/li\u003e\n\u003cli\u003eThe adversary executes \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ecmd.exe\u003c/code\u003e spawns \u003ccode\u003eping.exe\u003c/code\u003e with the \u003ccode\u003e-n\u003c/code\u003e argument to introduce a delay, typically to evade detection (\u003ccode\u003eping.exe -n [number] 127.0.0.1\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAfter the delay introduced by \u003ccode\u003eping.exe\u003c/code\u003e, the same \u003ccode\u003ecmd.exe\u003c/code\u003e process executes a potentially malicious utility such as \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, or \u003ccode\u003eregsvr32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAlternatively, \u003ccode\u003ecmd.exe\u003c/code\u003e might execute a binary located within the user\u0026rsquo;s AppData directory that lacks a valid code signature.\u003c/li\u003e\n\u003cli\u003eThe malicious utility executes arbitrary commands or scripts, potentially downloading further payloads or modifying system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the system, enabling further malicious activities such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to malware installation, system compromise, and data theft. While the source does not quantify the number of victims or specific sectors targeted, a successful compromise can lead to significant operational disruption and data breaches. 
The use of delayed execution makes it more difficult for traditional security solutions to detect malicious activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Delayed Execution via Ping\u0026rdquo; to your SIEM to detect the execution of commonly abused Windows utilities via a delayed Ping execution.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring with command-line argument logging to capture the execution of \u003ccode\u003eping.exe\u003c/code\u003e and subsequent processes for analysis.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on the utilities identified in the rule.\u003c/li\u003e\n\u003cli\u003eReview and tune the provided Sigma rule, including the listed exclusions, to reduce false positives in your specific environment.\u003c/li\u003e\n\u003cli\u003eMonitor process execution from unusual locations like the AppData directory, especially for unsigned executables, as indicated in the rule\u0026rsquo;s detection logic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T14:00:00Z","date_published":"2024-01-02T14:00:00Z","id":"/briefs/2024-01-delayed-execution-via-ping/","summary":"Adversaries may use ping to delay execution of malicious commands, scripts, or binaries to evade detection, often observed during malware installation.","title":"Windows Delayed Execution via Ping Followed by Malicious Utilities","url":"https://feed.craftedsignal.io/briefs/2024-01-delayed-execution-via-ping/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["script-dropper","file-creation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe WScript or CScript Dropper technique is a method employed by attackers to introduce malicious script files into a system. 
It leverages the built-in Windows scripting hosts, \u003ccode\u003ecscript.exe\u003c/code\u003e and \u003ccode\u003ewscript.exe\u003c/code\u003e, to write files with extensions commonly associated with scripting languages (e.g., \u003ccode\u003e.js\u003c/code\u003e, \u003ccode\u003e.vbs\u003c/code\u003e, \u003ccode\u003e.wsf\u003c/code\u003e). These scripts are often written to temporary or user-accessible directories, such as \u003ccode\u003e\\Temp\\\u003c/code\u003e, \u003ccode\u003e\\AppData\\\u003c/code\u003e, or \u003ccode\u003e\\Startup\\\u003c/code\u003e, where they can be executed later, either manually or…\u003c/p\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-cscript-wscript-dropper/","summary":"The WScript or CScript Dropper technique involves using cscript.exe or wscript.exe to write malicious script files (js, jse, vba, vbe, vbs, wsf, wsh) to suspicious locations on a Windows system for later execution.","title":"WScript or CScript Dropper","url":"https://feed.craftedsignal.io/briefs/2024-01-cscript-wscript-dropper/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["persistence","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection focuses on identifying the creation and subsequent deletion of scheduled tasks within a short timeframe on Windows systems. Attackers may abuse the scheduled task functionality to execute malicious code, establish persistence, or perform other unauthorized actions. By quickly deleting the task after execution, they attempt to evade detection and remove traces of their activity. This behavior is often associated with attackers trying to proxy malicious execution via the schedule service and then cleaning up to avoid leaving forensic artifacts. 
The detection logic looks for the sequence of task creation followed by deletion within a five-minute window. This activity is captured via Windows Security Event Logs when the \u0026ldquo;Audit Other Object Access Events\u0026rdquo; setting is enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system. (T1053.005)\u003c/li\u003e\n\u003cli\u003eThe attacker uses legitimate Windows utilities like \u003ccode\u003eschtasks.exe\u003c/code\u003e or PowerShell cmdlets to create a new scheduled task.\u003c/li\u003e\n\u003cli\u003eThe scheduled task is configured to execute a malicious payload, such as a script or executable. The payload could be staged on disk or downloaded from a remote server.\u003c/li\u003e\n\u003cli\u003eThe scheduled task executes the malicious payload, achieving the attacker\u0026rsquo;s objective (e.g., establishing persistence, executing commands, or deploying malware).\u003c/li\u003e\n\u003cli\u003eThe attacker, or the malicious payload itself, uses \u003ccode\u003eschtasks.exe\u003c/code\u003e or PowerShell to delete the scheduled task.\u003c/li\u003e\n\u003cli\u003eThe deletion occurs within a short time (less than 5 minutes) after task creation to minimize the window for detection.\u003c/li\u003e\n\u003cli\u003eThe attacker may also delete associated log files or other artifacts to further cover their tracks.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as maintaining persistence, escalating privileges, or exfiltrating data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to persistent access, arbitrary code execution, privilege escalation, and data compromise. 
While the specific impact varies depending on the attacker\u0026rsquo;s objectives, the ability to execute code via scheduled tasks provides a significant foothold within the compromised system. This can lead to lateral movement, data exfiltration, or further compromise of the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Other Object Access Events\u0026rdquo; in Windows Security Event Logs to generate the necessary events for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Temporarily Scheduled Task Creation\u0026rdquo; to your SIEM to detect rapid task creation and deletion.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine if the activity is legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eMonitor scheduled task creation events for unusual task names, command-line arguments, or user accounts.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized executables and scripts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-temp-scheduled-task/","summary":"Detection of rapid creation and deletion of scheduled tasks on Windows, indicating potential malicious activity abusing the task scheduler for execution and cleanup.","title":"Windows Temporarily Scheduled Task Creation and Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-temp-scheduled-task/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["OneDrive","Visual Studio","Office","Firefox","Windows","HP Support Assistant"],"_cs_severities":["low"],"_cs_tags":["persistence","scheduled-task","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Hewlett-Packard","Mozilla","Google"],"content_html":"\u003cp\u003eAdversaries frequently leverage scheduled tasks in 
Windows to maintain persistence, elevate privileges, or facilitate lateral movement within a compromised network. This technique involves creating or modifying scheduled tasks to execute malicious code at specific times or intervals. The detection rule focuses on identifying the creation of new scheduled tasks logged in Windows event logs, filtering out tasks created by system accounts and those associated with legitimate software to minimize false positives. This detection is crucial because successful exploitation allows attackers to execute arbitrary commands or programs on a recurring basis, maintaining a foothold even after system reboots or user logoffs. Defenders need to monitor for anomalous task creation events to identify potential malicious activity. The rule references Microsoft Event ID 4698 as a key data source for detecting scheduled task creation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to the system through phishing, exploiting a vulnerability, or using compromised credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (if needed):\u003c/strong\u003e The attacker escalates privileges using exploits or by abusing misconfigurations to gain the necessary permissions to create scheduled tasks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTask Creation:\u003c/strong\u003e The attacker creates a new scheduled task using tools like \u003ccode\u003eschtasks.exe\u003c/code\u003e or PowerShell.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConfiguration:\u003c/strong\u003e The attacker configures the task to execute a malicious script or program at a specific time or event trigger.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The scheduled task is configured to run at regular intervals or upon system startup, ensuring persistent access to 
the compromised system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e When the scheduled task triggers, the malicious payload executes, performing actions such as installing malware, stealing data, or establishing a command and control connection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (optional):\u003c/strong\u003e The attacker uses the compromised system and scheduled task to move laterally to other systems on the network, repeating the task creation process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via scheduled task creation can lead to persistent access within the compromised environment. The attacker can maintain a foothold even after system restarts, enabling them to perform data exfiltration, deploy ransomware, or cause other disruptive activities. While the risk score is relatively low, the potential for persistence makes this a critical area to monitor, especially in environments where lateral movement is a significant concern. 
The number of affected systems depends on the scope of the initial compromise and the attacker\u0026rsquo;s ability to move laterally.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Other Object Access Events\u0026rdquo; to generate the necessary Windows Security Event Logs for detecting scheduled task creation (reference: setup instructions in the original rule).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious scheduled task creation events, and tune the rules by adding exclusions for known benign tasks in your environment.\u003c/li\u003e\n\u003cli\u003eReview the investigation steps outlined in the rule\u0026rsquo;s notes to triage alerts related to scheduled task creation, focusing on unfamiliar task names, unusual user accounts, and suspicious scheduled actions.\u003c/li\u003e\n\u003cli\u003eUse the \u003ccode\u003ereferences\u003c/code\u003e URL to understand the specific details of Windows Event ID 4698, which is generated when a scheduled task is created.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-scheduled-task-creation/","summary":"Adversaries may create scheduled tasks on Windows systems to establish persistence, move laterally, or escalate privileges, and this detection identifies such activity by monitoring Windows event logs for scheduled task creation events, excluding known benign tasks and those created by system accounts.","title":"Windows Scheduled Task Creation for Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-02-scheduled-task-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["credential-access","lateral-movement","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection 
identifies suspicious activity related to credential access on Windows systems. Specifically, it focuses on scenarios where an account with the SeBackupPrivilege (typically associated with the Backup Operators group) remotely accesses the Windows Registry. Attackers can leverage this privilege to bypass access controls and dump the Security Account Manager (SAM) registry hive, which stores password hashes. This activity often precedes credential access and privilege escalation attempts, where the attacker aims to extract sensitive information from the dumped SAM hive to gain unauthorized access to other systems or elevate their privileges within the network. The detection logic looks for a sequence of events: first, a special logon event indicating the use of SeBackupPrivilege, followed by a network share access event targeting the \u0026ldquo;winreg\u0026rdquo; share.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to a system, potentially through phishing, exploiting a vulnerability, or using stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker attempts to escalate privileges on the compromised system. If the initial access does not grant SeBackupPrivilege, they may exploit vulnerabilities or misconfigurations to gain membership in the Backup Operators group or otherwise acquire the necessary privilege.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSpecial Logon:\u003c/strong\u003e The attacker logs in using an account with the SeBackupPrivilege. 
This triggers a \u0026ldquo;Special Logon\u0026rdquo; event (Event ID 4672) with the SeBackupPrivilege listed.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Registry Access:\u003c/strong\u003e The attacker uses remote administration tools or scripts to access the registry of a target system remotely, specifically targeting the \u0026ldquo;winreg\u0026rdquo; share. This triggers a file share access event (Event ID 5145).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSAM Hive Dump:\u003c/strong\u003e The attacker uses the SeBackupPrivilege to bypass access controls and copies the SAM registry hive (or portions thereof) to a location accessible to them.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Extraction:\u003c/strong\u003e The attacker extracts password hashes from the dumped SAM hive using tools like Mimikatz or other offline password cracking utilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses the extracted credentials to move laterally to other systems within the network, gaining access to additional resources and expanding their foothold.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eGoal Completion:\u003c/strong\u003e The attacker achieves their final objective, such as data exfiltration, ransomware deployment, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of domain credentials and widespread lateral movement within the network. This could enable attackers to access sensitive data, disrupt critical services, or deploy ransomware, resulting in significant financial losses and reputational damage. Given the sensitivity of the SAM hive, even a single successful compromise can have far-reaching consequences. 
The impact is especially high in environments with a large number of systems sharing the same domain, as the attacker can potentially compromise a significant portion of the infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable both \u0026ldquo;Audit Detailed File Share\u0026rdquo; and \u0026ldquo;Audit Special Logon\u0026rdquo; Windows audit policies to generate the necessary events for detection, as mentioned in the setup section of the original rule.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious remote registry access attempts utilizing SeBackupPrivilege, and tune them for your environment.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of SeBackupPrivilege to only those accounts that absolutely require it for legitimate backup operations, minimizing the potential attack surface.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these detections promptly to determine the scope of the compromise and take appropriate remediation steps.\u003c/li\u003e\n\u003cli\u003eMonitor for Event ID 5145 with RelativeTargetName containing \u0026ldquo;winreg\u0026rdquo; along with Event ID 4672 with SeBackupPrivilege to identify potential credential access attempts (see the original rule\u0026rsquo;s \u003ccode\u003equery\u003c/code\u003e field).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-sebackup-winreg-access/","summary":"Detection of remote registry access by an account with SeBackupPrivilege, potentially indicating credential exfiltration attempts via SAM registry hive dumping.","title":"Suspicious Remote Registry Access via SeBackupPrivilege","url":"https://feed.craftedsignal.io/briefs/2024-01-sebackup-winreg-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Microsoft Defender 
XDR","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","mshta","windows","process-creation"],"_cs_type":"advisory","_cs_vendors":["Microsoft","HP","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eMshta.exe (Microsoft HTML Application Host) is a Windows utility used to execute HTML Applications (.hta files). Adversaries often abuse Mshta to execute malicious scripts and evade detection, as it is a signed Microsoft binary and can bypass application whitelisting. This activity typically involves Mshta spawning other processes like cmd.exe or powershell.exe to perform malicious actions. This behavior has been observed across various attack campaigns and is a common tactic used to deliver payloads, establish persistence, or perform lateral movement within a network. Defenders need to monitor Mshta.exe process creations and child processes to detect and prevent potential threats. The detection logic focuses on identifying specific child processes commonly associated with malicious activities, while excluding legitimate uses of Mshta, such as those related to HP printer software.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access via an unspecified method (e.g., phishing, drive-by download) that delivers a malicious HTA file.\u003c/li\u003e\n\u003cli\u003eThe user executes the HTA file, which launches Mshta.exe to interpret and execute the embedded script.\u003c/li\u003e\n\u003cli\u003eThe script within the HTA file spawns a suspicious child process, such as cmd.exe or powershell.exe, using \u003ccode\u003eCreateProcess\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe spawned process executes malicious commands or scripts to download additional payloads or perform reconnaissance.\u003c/li\u003e\n\u003cli\u003eCertutil.exe may be used to decode encoded payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker may use bitsadmin.exe to download 
files from remote servers.\u003c/li\u003e\n\u003cli\u003ePowerShell is used to execute malicious code directly in memory, bypassing file-based detections.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as establishing persistence, stealing credentials, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a range of consequences, including malware infection, data theft, and system compromise. The impact can vary depending on the attacker\u0026rsquo;s objectives, but it can result in significant financial losses, reputational damage, and disruption of business operations. While specific numbers of victims are not listed, this technique is widely used and can affect any organization that does not adequately monitor and restrict the use of Mshta.exe. The sectors targeted are broad, as this is a general-purpose technique applicable to various environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging and monitor for Mshta.exe spawning suspicious child processes to enable the \u0026ldquo;Suspicious Microsoft HTML Application Child Process\u0026rdquo; rule.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect Mshta.exe spawning cmd.exe, powershell.exe, certutil.exe, bitsadmin.exe, curl.exe, msiexec.exe, schtasks.exe, reg.exe, wscript.exe, or rundll32.exe to detect potential defense evasion.\u003c/li\u003e\n\u003cli\u003eExamine \u003ccode\u003eprocess.command_line\u003c/code\u003e and \u003ccode\u003eprocess.parent.command_line\u003c/code\u003e for suspicious arguments and file paths to further investigate potential malicious use of Mshta.\u003c/li\u003e\n\u003cli\u003eMonitor for executables running from user directories using the Sigma rule provided to identify potentially malicious processes spawned by 
Mshta.exe.\u003c/li\u003e\n\u003cli\u003eInvestigate the parent process of Mshta.exe to determine the initial source of the HTA execution, focusing on browsers, email clients, and other potential delivery mechanisms.\u003c/li\u003e\n\u003cli\u003eTune the provided Sigma rules for your environment to reduce false positives and ensure accurate detection of malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-mshta-suspicious-child/","summary":"Mshta.exe spawning a suspicious child process, such as cmd.exe or powershell.exe, indicates potential adversarial activity leveraging Mshta to execute malicious scripts and evade detection on Windows systems.","title":"Suspicious Microsoft HTML Application Child Process","url":"https://feed.craftedsignal.io/briefs/2024-01-mshta-suspicious-child/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","masquerading","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may attempt to evade detection by masquerading as legitimate system processes, specifically \u003ccode\u003esvchost.exe\u003c/code\u003e. The \u003ccode\u003esvchost.exe\u003c/code\u003e process is a critical component of the Windows operating system, responsible for hosting multiple Windows services. By naming a malicious executable \u003ccode\u003esvchost.exe\u003c/code\u003e and placing it in a non-standard directory, attackers aim to blend in with normal system activity and bypass security controls that rely on process names or paths. This technique is particularly effective because \u003ccode\u003esvchost.exe\u003c/code\u003e is a common and trusted process, making it less likely to be scrutinized by users or security software. 
This detection focuses on identifying processes named \u003ccode\u003esvchost.exe\u003c/code\u003e that are not running from the legitimate Windows system directories.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious executable disguised as \u003ccode\u003esvchost.exe\u003c/code\u003e to a non-standard directory, such as \u003ccode\u003eC:\\Users\\Public\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malicious \u003ccode\u003esvchost.exe\u003c/code\u003e process from the non-standard location.\u003c/li\u003e\n\u003cli\u003eThe masquerading process attempts to mimic legitimate \u003ccode\u003esvchost.exe\u003c/code\u003e behavior to avoid suspicion.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003esvchost.exe\u003c/code\u003e process may establish network connections to external command-and-control servers.\u003c/li\u003e\n\u003cli\u003eThe process may execute malicious payloads, such as downloading additional malware or performing lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised system to access sensitive data or perform other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence on the system to ensure continued access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful masquerading attack can lead to undetected execution of malicious code, allowing attackers to compromise systems, steal data, or establish persistent access. Because the malicious process is disguised as a legitimate system component, it may evade detection by traditional security measures. 
This can result in significant damage to the affected organization, including data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line details to capture the execution of processes, including their names and paths.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Svchost Masquerading\u0026rdquo; to detect \u003ccode\u003esvchost.exe\u003c/code\u003e processes running from non-standard locations.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the \u003ccode\u003esvchost.exe\u003c/code\u003e process and its activities.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring to detect unauthorized modifications to system files, including the \u003ccode\u003esvchost.exe\u003c/code\u003e executable in the system directories.\u003c/li\u003e\n\u003cli\u003eUse application control lists (ACLs) to restrict the execution of executables from non-standard directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-svchost-masquerading/","summary":"Attackers may attempt to masquerade as the Service Host process `svchost.exe` by executing from non-standard paths to evade detection and blend in with normal system activity.","title":"Potential Masquerading as Svchost","url":"https://feed.craftedsignal.io/briefs/2024-01-svchost-masquerading/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["credential-access","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies a suspicious technique where an attacker renames the COMSVCS.DLL, a legitimate Windows component, and then loads it using 
\u003ccode\u003erundll32.exe\u003c/code\u003e. COMSVCS.DLL contains the MiniDumpWriteDump function, which can be used to create a memory dump of a running process. Attackers abuse this technique to dump the LSASS process memory, where credentials are often stored, while attempting to bypass traditional command-line monitoring that might detect direct use of MiniDumpWriteDump. The renaming of the DLL is a defense evasion tactic to avoid detection based on the DLL\u0026rsquo;s original name. This activity is a strong indicator of potential credential access and requires immediate investigation. The rule specifically looks for renamed COMSVCS.DLL with a matching original filename or imphash being loaded by \u003ccode\u003erundll32.exe\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system, potentially through phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker copies the legitimate COMSVCS.DLL to a new location on the disk, often a temporary directory.\u003c/li\u003e\n\u003cli\u003eThe attacker renames the copied COMSVCS.DLL to an arbitrary name to evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003erundll32.exe\u003c/code\u003e to load the renamed COMSVCS.DLL.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erundll32.exe\u003c/code\u003e process executes the MiniDumpWriteDump function exported by the renamed COMSVCS.DLL.\u003c/li\u003e\n\u003cli\u003eThe MiniDumpWriteDump function targets the LSASS process, creating a memory dump file.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the LSASS memory dump file.\u003c/li\u003e\n\u003cli\u003eThe attacker uses credential extraction tools to obtain credentials from the dumped LSASS memory.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack chain can lead to 
the compromise of sensitive credentials stored in LSASS memory, including domain administrator accounts. This allows the attacker to move laterally within the network, gain access to critical systems, and potentially exfiltrate sensitive data or deploy ransomware. The impact is high due to the potential for widespread compromise and data breach.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon image load logging (Event ID 7) to detect the loading of DLLs, which is essential for this detection.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Potential Credential Access via Renamed COM+ Services DLL\u0026rdquo; Sigma rule to your SIEM to identify instances of renamed COMSVCS.DLL being loaded by \u003ccode\u003erundll32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor for \u003ccode\u003erundll32.exe\u003c/code\u003e processes loading DLLs from unusual locations, as this could indicate malicious activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the process that loaded the renamed DLL and any subsequent activity.\u003c/li\u003e\n\u003cli\u003eUse the IOC (the COMSVCS.DLL imphash EADBCCBB324829ACB5F2BBE87E5549A8, an MD5 computed over the DLL\u0026rsquo;s import table rather than over the whole file) to search for copies of COMSVCS.DLL on your systems.\u003c/li\u003e\n\u003cli\u003eEnforce strict access control policies to prevent unauthorized users from copying and renaming system DLLs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-renamed-comsvcs/","summary":"Detection of renamed COMSVCS.DLL being loaded by rundll32.exe, potentially used to dump LSASS memory for credential access while evading command-line detection.","title":"Potential Credential Access via Renamed COM+ Services 
DLL","url":"https://feed.craftedsignal.io/briefs/2024-01-renamed-comsvcs/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MSBuild","Elastic Defend","Windows"],"_cs_severities":["high"],"_cs_tags":["credential-access","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies potential credential access attempts leveraging the Microsoft Build Engine (MSBuild). Attackers may abuse MSBuild, a legitimate developer tool, to load malicious DLLs related to Windows credential management, such as \u003ccode\u003evaultcli.dll\u003c/code\u003e or \u003ccode\u003eSAMLib.dll\u003c/code\u003e. This technique enables credential dumping by a trusted Windows utility, making it harder to detect. The rule focuses on detecting the loading of these specific DLLs by MSBuild processes. The rule relies on data from Elastic Defend and Sysmon logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eAttacker places a malicious \u003ccode\u003e.csproj\u003c/code\u003e file or a DLL designed to load credential management DLLs on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003eMSBuild.exe\u003c/code\u003e to process the malicious project file.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eMSBuild.exe\u003c/code\u003e loads the attacker-controlled DLL.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled DLL loads either \u003ccode\u003evaultcli.dll\u003c/code\u003e or \u003ccode\u003eSAMLib.dll\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe loaded DLLs are used to dump credentials from the system.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the dumped credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials for lateral 
movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the compromise of sensitive credentials stored on the affected system. This can allow attackers to move laterally within the network, access confidential data, and potentially compromise entire domains. The impact ranges from data breaches to complete system compromise, depending on the privileges of the compromised accounts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMSBuild Loads Credential Management DLL\u003c/code\u003e to your SIEM, tuned for your specific environment, to detect instances of MSBuild loading \u003ccode\u003evaultcli.dll\u003c/code\u003e or \u003ccode\u003eSAMLib.dll\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon event ID 7 (Image Loaded) logging with the appropriate configurations to capture DLL loading events.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of MSBuild loading \u003ccode\u003evaultcli.dll\u003c/code\u003e or \u003ccode\u003eSAMLib.dll\u003c/code\u003e from unusual or unexpected locations using the guidance in the rule note.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-msbuild-credential-dumping/","summary":"The detection rule identifies a potential credential access attempt via the trusted developer utility MSBuild by detecting instances where it loads DLLs associated with Windows credential management, specifically vaultcli.dll or SAMLib.DLL, which is often used for credential dumping.","title":"Potential Credential Access via MSBuild Loading Credential Management 
DLLs","url":"https://feed.craftedsignal.io/briefs/2024-01-02-msbuild-credential-dumping/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","proxy-execution","msiexec"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eMsiexec.exe is the command-line utility for the Windows Installer, commonly used to execute installation packages (.msi). Attackers are known to abuse msiexec.exe to proxy the execution of arbitrary DLLs, a technique that helps bypass application control and evade detection. This approach leverages the trusted nature of msiexec.exe to execute malicious code, making it harder for security tools to identify and block the activity. The abuse of msiexec.exe has been observed in various attack campaigns, highlighting the need for defenders to monitor its usage closely.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, often through phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious DLL to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses msiexec.exe with the \u003ccode\u003e/Y\u003c/code\u003e flag to execute the malicious DLL. 
This flag is used to trigger DLL execution via msiexec.\u003c/li\u003e\n\u003cli\u003eMsiexec.exe loads and executes the malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL performs its intended actions, such as establishing persistence, escalating privileges, or deploying additional malware.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the proxy execution through msiexec.exe to evade detection by security tools monitoring process execution.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots to other systems or begins data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe ultimate objective is often data theft, system compromise, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on the targeted system, potentially leading to a full system compromise. This can result in data breaches, financial loss, and reputational damage. The technique is particularly effective at bypassing application control solutions, increasing the likelihood of a successful attack. 
While specific victim counts are unavailable, the widespread use of Windows Installer makes this a relevant threat across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Msiexec Execute Arbitrary DLL\u003c/code\u003e to your SIEM to detect the execution of msiexec.exe with the \u003ccode\u003e/Y\u003c/code\u003e flag, indicative of potential malicious DLL execution.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of msiexec.exe executing DLLs from unusual or temporary locations.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of msiexec.exe to authorized users and legitimate installation processes.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for msiexec.exe to identify suspicious command-line arguments and parent processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-msiexec-dll-execution/","summary":"Adversaries may abuse the msiexec.exe utility to proxy the execution of malicious DLL payloads, bypassing application control and other defenses.","title":"Msiexec Arbitrary DLL Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-msiexec-dll-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Elastic Defend","Microsoft Defender XDR"],"_cs_severities":["high"],"_cs_tags":["credential-access","registry-modification","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThe WDigest security provider is a legacy authentication protocol that, when enabled, stores user passwords in cleartext within LSASS memory. Modern Windows versions (8.1+ and Server 2012 R2+) disable this behavior by default. 
Attackers can modify the \u003ccode\u003eUseLogonCredential\u003c/code\u003e registry value under the WDigest configuration to re-enable plaintext credential caching. This manipulation is a common precursor to credential dumping attacks, where tools like Mimikatz are used to extract sensitive information from LSASS. Defenders should monitor for unauthorized modifications to the WDigest configuration to prevent credential theft. The rule provided by Elastic aims to detect these modifications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system via compromised credentials or exploiting a vulnerability (e.g., phishing or RDP).\u003c/li\u003e\n\u003cli\u003eThe attacker executes code (e.g., PowerShell script or executable) with sufficient privileges to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe malicious code modifies the \u003ccode\u003eUseLogonCredential\u003c/code\u003e registry value under \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\u003c/code\u003e or a similar path.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eUseLogonCredential\u003c/code\u003e value to 1 (or 0x00000001), enabling plaintext storage of credentials.\u003c/li\u003e\n\u003cli\u003eA user logs on to the system, causing their credentials to be stored in cleartext in LSASS memory.\u003c/li\u003e\n\u003cli\u003eThe attacker uses credential dumping tools like Mimikatz to extract the cleartext passwords from LSASS.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials for lateral movement or to access sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the WDigest security provider can lead to widespread credential compromise. 
Attackers can harvest credentials for privileged accounts, enabling them to move laterally within the network, access sensitive resources, and potentially achieve domain dominance. This can result in data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Modification of WDigest Security Provider\u0026rdquo; to your SIEM to detect malicious registry modifications (rule \u003ccode\u003ed703a5af-d5b0-43bd-8ddb-7a5d500b7da5\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture the necessary data for the provided Sigma rule to function.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unexpected processes modifying registry keys related to WDigest.\u003c/li\u003e\n\u003cli\u003eReview and restrict access control lists (ACLs) on the WDigest registry keys to prevent unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the process that made the modification, the user context, and any subsequent activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-wdigest-modification/","summary":"The rule detects attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory, which could lead to credential dumping.","title":"Modification of WDigest Security Provider","url":"https://feed.craftedsignal.io/briefs/2024-01-wdigest-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["credential-access","lsass","memory-dump","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Local Security Authority Subsystem Service (LSASS) is a critical 
Windows process responsible for enforcing security policy and handling user authentication. Attackers often target LSASS to steal credentials for lateral movement and privilege escalation. This detection identifies attempts to access LSASS memory using specific access masks (0x1fffff, 0x1010, 0x120089, 0x1F3FFF) that are commonly used by tools designed to dump LSASS memory. The rule is designed to be tool-agnostic, detecting the underlying behavior rather than specific tool signatures. It has been validated against various LSASS dumping tools, including SharpDump, Procdump, Mimikatz, and Comsvcs. The rule triggers on Windows systems where handle manipulation is enabled and generates security event logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to an administrative account or SYSTEM, necessary for accessing LSASS memory.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a credential dumping tool, such as Mimikatz, SharpDump, or Procdump.\u003c/li\u003e\n\u003cli\u003eThe tool attempts to open a handle to the LSASS process (lsass.exe) with a specific access mask (0x1fffff, 0x1010, 0x120089, 0x1F3FFF) required for memory dumping.\u003c/li\u003e\n\u003cli\u003eWindows Security Event ID 4656 is generated, logging the handle request to the LSASS object.\u003c/li\u003e\n\u003cli\u003eThe tool reads the memory contents of the LSASS process.\u003c/li\u003e\n\u003cli\u003eThe dumped memory is parsed to extract sensitive information, such as passwords, NTLM hashes, and Kerberos tickets.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to move laterally to other systems or access sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful LSASS memory 
dumping allows attackers to steal user credentials, enabling lateral movement and privilege escalation within the network. This can lead to widespread compromise, data breaches, and significant disruption of services. Stolen credentials can be used to access sensitive data, control critical systems, and maintain a persistent presence within the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Handle Manipulation to generate the necessary events for this rule to function, as described in the \u003ca href=\"https://ela.st/audit-handle-manipulation\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eLSASS Memory Dump Handle Access\u003c/code\u003e to your SIEM and tune the exceptions based on your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the process execution chain (parent process tree) to identify the source of the LSASS handle request.\u003c/li\u003e\n\u003cli\u003eReview the processes excluded in the rule (WmiPrvSE.exe, dllhost.exe, svchost.exe, msiexec.exe, explorer.exe) and ensure these exclusions are valid for your environment.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies and multi-factor authentication to mitigate the impact of credential theft.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-lsass-memory-dump/","summary":"This rule detects handle requests for LSASS object access with specific access masks (0x1fffff, 0x1010, 0x120089, 0x1F3FFF) indicative of memory dumping, commonly employed by tools like SharpDump, Procdump, Mimikatz, and Comsvcs to extract credentials from the LSASS process on Windows systems.","title":"LSASS Memory Dump Handle Access 
Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-lsass-memory-dump/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","windows","access-token-manipulation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Secondary Logon service in Windows allows users to run processes with different credentials, which can be abused to escalate privileges and bypass access controls. This technique involves an adversary successfully authenticating via the seclogon service, typically from the local host, then spawning a new process under the context of this newly acquired, potentially elevated, token. The detection focuses on identifying successful seclogon authentications where the source IP is the loopback address (::1), tied to subsequent process creations sharing the same logon ID. This is a common method for local privilege escalation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to leverage the Secondary Logon service (seclogon) to create a new process with elevated privileges.\u003c/li\u003e\n\u003cli\u003eA successful logon event is generated, with the LogonProcessName indicating \u0026ldquo;seclogo*\u0026rdquo; and source IP address of \u0026ldquo;::1\u0026rdquo;, and event ID indicating a successful login.\u003c/li\u003e\n\u003cli\u003esvchost.exe is used as the process responsible for calling seclogon.\u003c/li\u003e\n\u003cli\u003eThe system assigns a TargetLogonId to the new logon session.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new process, specifying the TargetLogonId obtained from the previous step.\u003c/li\u003e\n\u003cli\u003eThe new process is launched with the security context of the alternate credentials, potentially 
granting the attacker elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions using the newly elevated privileges, such as accessing sensitive data or installing malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to perform actions with elevated privileges, potentially leading to complete system compromise. An attacker can bypass access controls and gain unauthorized access to sensitive resources. If successful, this can lead to data theft, system compromise, or the installation of persistent backdoors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Logon to generate the events required for the rules in this brief (reference: Setup section in the source).\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Process Creation via Secondary Logon\u0026rdquo; Sigma rule to your SIEM and tune for your environment to detect potential privilege escalation attempts (reference: Sigma rules below).\u003c/li\u003e\n\u003cli\u003eMonitor for svchost.exe processes initiating secondary logon events from the local loopback address (::1) as an indicator of local privilege escalation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-secondary-logon-privilege-escalation/","summary":"The rule identifies process creation with alternate credentials, which can be used for privilege escalation, by detecting successful logins via the Secondary Logon service (seclogon) from a local source IP address (::1), followed by process creation using the same TargetLogonId.","title":"Windows Privilege Escalation via Secondary Logon 
Service","url":"https://feed.craftedsignal.io/briefs/2024-01-secondary-logon-privilege-escalation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["windows","PowerShell"],"_cs_severities":["high"],"_cs_tags":["powershell","obfuscation","defense-evasion","variable-expansion","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft"],"content_html":"\u003cp\u003eThis rule detects PowerShell scripts employing backtick-escaped characters within \u003ccode\u003e${}\u003c/code\u003e variable expansion, a technique used to reconstruct strings at runtime. Attackers leverage variable-expansion obfuscation to split keywords, conceal commands, and bypass static analysis and AMSI (Antimalware Scan Interface). This obfuscation method involves inserting multiple backticks between word characters inside \u003ccode\u003e${}\u003c/code\u003e blocks. Detecting this behavior is crucial as it signifies attempts to evade security measures and potentially execute malicious code on compromised systems. 
The rule focuses on identifying scripts with a length exceeding 500 characters to minimize false positives and targets PowerShell event code 4104.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or creates a PowerShell script on the target system.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script employs backtick-escaped variable expansion (e.g., \u003ccode\u003e$env:use``r``na``me\u003c/code\u003e) to obfuscate its contents.\u003c/li\u003e\n\u003cli\u003eThe obfuscated script is executed using powershell.exe.\u003c/li\u003e\n\u003cli\u003eThe script dynamically reconstructs commands and strings by evaluating the backtick-escaped variables.\u003c/li\u003e\n\u003cli\u003eThe reconstructed commands perform malicious activities, such as downloading additional payloads or modifying system configurations.\u003c/li\u003e\n\u003cli\u003eThe script attempts to evade detection by AMSI and other security tools.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence and control over the compromised system, potentially leading to data exfiltration or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, system compromise, and data theft. While the number of victims is unknown, PowerShell is a common attack vector on Windows environments. The sectors most affected are organizations relying on Windows infrastructure without adequate PowerShell monitoring and security controls. 
Failure to detect and prevent this technique allows attackers to bypass security measures and gain unauthorized access to sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to generate event code 4104. (Reference: Setup section)\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect PowerShell Backtick Variable Obfuscation\u003c/code\u003e to identify scripts using backtick-escaped variable expansion.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on scripts with a high \u003ccode\u003eEsql.script_block_pattern_count\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eMonitor for process creation events where powershell.exe executes obfuscated commands as detected by the Sigma rule \u003ccode\u003eDetect Suspicious PowerShell Encoded Commands\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview PowerShell logs for event code 4104 and examine \u003ccode\u003epowershell.file.script_block_text\u003c/code\u003e for suspicious patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-powershell-backtick-obfuscation/","summary":"PowerShell scripts use backtick-escaped characters inside `${}` variable expansion to reconstruct strings at runtime, enabling attackers to split keywords, hide commands, and evade static analysis and AMSI.","title":"PowerShell Obfuscation via Backtick-Escaped Variable Expansion","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-backtick-obfuscation/"}],"language":"en","title":"CraftedSignal Threat Feed — Windows","version":"https://jsonfeed.org/version/1.1"}