{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/severities/low/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Intune Management Extension","Azure AD Connect Health Agent","Windows Defender Advanced Threat Protection"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","powershell","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers frequently employ PowerShell obfuscation techniques to evade detection and hinder analysis. These techniques involve encoding, encrypting, or compressing PowerShell scripts to mask their true intent. This detection identifies PowerShell script blocks exhibiting high entropy and non-uniform character distributions, statistical characteristics often associated with obfuscated content. The rule specifically targets script blocks longer than 1000 characters with entropy bits \u0026gt;= 5.5 and surprisal standard deviation \u0026gt; 0.7. This detection is designed to highlight potentially malicious PowerShell activity that warrants further investigation by security analysts and incident responders. 
This rule was created by Elastic and last updated on May 4, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system (e.g., via phishing or exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages PowerShell, a built-in Windows scripting language, to execute malicious commands.\u003c/li\u003e\n\u003cli\u003eThe attacker uses obfuscation techniques (encoding, encryption, compression) to disguise the PowerShell script\u0026rsquo;s true intent.\u003c/li\u003e\n\u003cli\u003eThe obfuscated script is executed, bypassing basic signature-based detections.\u003c/li\u003e\n\u003cli\u003eThe script may download and execute additional payloads or establish persistence.\u003c/li\u003e\n\u003cli\u003eThe script performs malicious actions such as data exfiltration, lateral movement, or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using obfuscated PowerShell can lead to various negative impacts, including data breaches, system compromise, and disruption of services. The low severity reflects the need for further analysis to confirm malicious intent, given potential false positives from legitimate encoded scripts. 
While the exact number of affected systems and sectors is unknown, the widespread use of PowerShell makes this a potentially significant threat across many organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to generate the necessary events (4104) as outlined in the setup instructions: \u003ca href=\"https://ela.st/powershell-logging-setup\"\u003ehttps://ela.st/powershell-logging-setup\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune the thresholds (\u003ccode\u003epowershell.file.script_block_length\u003c/code\u003e, \u003ccode\u003epowershell.file.script_block_entropy_bits\u003c/code\u003e, \u003ccode\u003epowershell.file.script_block_surprisal_stdev\u003c/code\u003e) based on your environment\u0026rsquo;s baseline.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule, focusing on execution context (\u003ccode\u003euser.name\u003c/code\u003e, \u003ccode\u003ehost.name\u003c/code\u003e), script provenance (\u003ccode\u003efile.path\u003c/code\u003e), and reconstructed script content (\u003ccode\u003epowershell.file.script_block_text\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview the investigation guide within the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e section for detailed triage and analysis steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:49:36Z","date_published":"2026-05-04T14:49:36Z","id":"/briefs/2026-06-high-entropy-powershell/","summary":"This detection identifies potentially obfuscated PowerShell scripts based on high entropy and non-uniform character distributions, often used by attackers to evade signature-based detections and hinder analysis.","title":"Potential PowerShell Obfuscated Script via High 
Entropy","url":"https://feed.craftedsignal.io/briefs/2026-06-high-entropy-powershell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["low"],"_cs_tags":["defense evasion","impact","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe Sysinternals SDelete utility is a legitimate tool developed by Microsoft for securely deleting files by overwriting and renaming them multiple times. While intended for secure data disposal, adversaries can abuse SDelete to remove forensic artifacts, destroy evidence of their activities, and impede data recovery efforts after a successful ransomware attack or data theft. This activity can be used as a post-exploitation technique. This detection rule focuses on identifying file name patterns indicative of SDelete\u0026rsquo;s operation, specifically detecting files with names resembling \u0026ldquo;*AAA.AAA\u0026rdquo;. 
The rule is designed to work with various endpoint detection and response solutions, including Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and CrowdStrike.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain the necessary permissions to delete files.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys or utilizes an existing copy of the SDelete utility.\u003c/li\u003e\n\u003cli\u003eThe attacker executes SDelete against targeted files or directories.\u003c/li\u003e\n\u003cli\u003eSDelete overwrites the targeted file(s) multiple times with random data.\u003c/li\u003e\n\u003cli\u003eSDelete renames the file(s) multiple times, often with patterns such as \u0026ldquo;*AAA.AAA\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eSDelete deletes the file(s) making recovery difficult.\u003c/li\u003e\n\u003cli\u003eThe attacker removes SDelete or any associated tools to further cover their tracks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can result in the permanent deletion of crucial forensic artifacts, log files, or even critical data. This can severely hinder incident response efforts, making it challenging to identify the scope of the attack, the attacker\u0026rsquo;s methods, and the compromised assets. 
The number of victims and affected sectors depends on the scale of the initial breach and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Potential Secure File Deletion via SDelete Utility\u0026rdquo; detection rule to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the detection rule, focusing on the process execution chain and identifying the user account involved.\u003c/li\u003e\n\u003cli\u003eReview the privileges assigned to the user account to ensure the least privilege principle is followed.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) logging to enhance visibility into file creation events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-01-28-sdelete-filename-rename/","summary":"This rule detects file name patterns generated by the use of Sysinternals SDelete utility, potentially used by attackers to delete forensic indicators and hinder data recovery efforts.","title":"Potential Secure File Deletion via SDelete Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-28-sdelete-filename-rename/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Installer"],"_cs_severities":["low"],"_cs_tags":["msiexec","remote-file-execution","initial-access","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Citrix"],"content_html":"\u003cp\u003eThe Windows Installer (msiexec.exe) is a built-in Windows component used for installing, modifying, and removing software. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files, bypassing security controls and potentially leading to initial access or defense evasion. 
This activity is often part of a broader attack chain, used to deliver and execute malicious payloads. The detection rule provided by Elastic identifies suspicious msiexec.exe activity by monitoring process starts, network connections, and child processes. It filters out known benign signatures and paths to highlight potential misuse. This detection is designed to work with Elastic Defend data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access via phishing (T1566) or other means to execute commands on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses msiexec.exe with the \u003ccode\u003e/V\u003c/code\u003e parameter to initiate the installation of a remote MSI package. This allows the attacker to bypass typical execution restrictions.\u003c/li\u003e\n\u003cli\u003eMsiexec.exe attempts a network connection (T1105) to retrieve the remote MSI package from a malicious server.\u003c/li\u003e\n\u003cli\u003eMsiexec.exe spawns a child process to handle the installation of the downloaded MSI package.\u003c/li\u003e\n\u003cli\u003eThe spawned child process executes malicious code embedded within the MSI package.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs actions such as installing malware, modifying system settings, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised system for further lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the installation of malware, unauthorized access to sensitive data, and further compromise of the affected system and network. While this specific rule has a low risk score, it can be an early indicator of more serious attacks. 
It is crucial to investigate any alerts generated by this rule to determine the full scope and impact of the potential compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to your SIEM to detect suspicious usage of \u003ccode\u003emsiexec.exe\u003c/code\u003e to install remote packages. Tune the rule for your environment by adding exceptions for legitimate software installation processes.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring and network connection logging on Windows endpoints to provide the necessary data for the Sigma rule to function effectively (Data Source: Elastic Defend).\u003c/li\u003e\n\u003cli\u003eReview the \u0026ldquo;Possible investigation steps\u0026rdquo; section in the Elastic rule\u0026rsquo;s documentation to investigate potential false positives and legitimate uses of \u003ccode\u003emsiexec.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized applications, including potentially malicious MSI packages.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-msiexec-remote-install/","summary":"The rule detects the execution of the built-in Windows Installer, msiexec.exe, to install a remote package potentially abused by adversaries for initial access and defense evasion.","title":"Potential Remote File Execution via MSIEXEC","url":"https://feed.craftedsignal.io/briefs/2026-05-msiexec-remote-install/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR"],"_cs_severities":["low"],"_cs_tags":["discovery","domain-trust","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe \u003ccode\u003edsquery.exe\u003c/code\u003e utility is a command-line tool in Windows 
used to query Active Directory. Attackers may leverage \u003ccode\u003edsquery.exe\u003c/code\u003e to discover domain trust relationships within a Windows environment, mapping out potential lateral movement paths. This discovery is often an early stage in reconnaissance, before an attacker attempts to move laterally to other systems. This activity can be detected across various endpoint detection platforms including Elastic Defend, CrowdStrike, Microsoft Defender XDR, and SentinelOne. This activity is not inherently malicious, as administrators also use it for legitimate purposes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised host within the target environment.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003edsquery.exe\u003c/code\u003e with the argument \u003ccode\u003eobjectClass=trustedDomain\u003c/code\u003e to enumerate domain trusts.\u003c/li\u003e\n\u003cli\u003eThe command execution is logged by endpoint detection and response (EDR) solutions or Windows Security Event Logs.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output of the \u003ccode\u003edsquery.exe\u003c/code\u003e command to identify trusted domains and their attributes.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the discovered trust information to plan lateral movement strategies.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to other systems within the trusted domains using stolen credentials or other exploits.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enumeration of domain trusts enables attackers to map out the Active Directory environment and identify potential pathways for lateral movement. While the enumeration itself is low impact, it facilitates subsequent actions like credential theft, privilege escalation, and data exfiltration. 
This can lead to widespread compromise across the organization, impacting numerous systems and sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Enumerating Domain Trusts via DSQUERY.EXE\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any execution of \u003ccode\u003edsquery.exe\u003c/code\u003e with the argument \u003ccode\u003eobjectClass=trustedDomain\u003c/code\u003e to identify potentially malicious activity.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for \u003ccode\u003edsquery.exe\u003c/code\u003e to detect suspicious command-line arguments and execution patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-domain-trust-discovery/","summary":"Adversaries may use the `dsquery.exe` command-line utility to enumerate trust relationships for lateral movement in Windows multi-domain environments.","title":"Enumerating Domain Trusts via DSQUERY.EXE","url":"https://feed.craftedsignal.io/briefs/2026-05-domain-trust-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["execution","command-shell","rundll32"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eAttackers commonly abuse RunDLL32, a legitimate Windows utility, to execute malicious code by hosting it within DLLs. This technique allows adversaries to launch command shells like cmd.exe or PowerShell, effectively bypassing traditional security controls. Defenders should be aware of this technique because it provides a stealthy way for attackers to execute arbitrary commands, potentially leading to further compromise of the system. 
This activity is detected by monitoring for command shells initiated by RunDLL32, while excluding known benign patterns to reduce false positives. The detection rule was last updated on 2026/05/04 and supports multiple data sources, including Elastic Defend, Microsoft Defender XDR, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through an exploit or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker uses RunDLL32.exe to execute a malicious DLL.\u003c/li\u003e\n\u003cli\u003eRunDLL32.exe loads the specified DLL into memory.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL contains code to execute a command shell (cmd.exe or powershell.exe).\u003c/li\u003e\n\u003cli\u003eRunDLL32.exe spawns a command shell process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the command shell to execute commands for reconnaissance.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the command shell to download additional payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the command shell to perform lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary commands on the compromised system. While the rule is rated \u0026ldquo;low\u0026rdquo; severity, this initial access can lead to credential access (T1552) and further lateral movement within the network. 
Attackers can potentially gain full control of the system, leading to data theft, system disruption, or other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Command Shell Activity Started via RunDLL32\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to provide the necessary data for this detection.\u003c/li\u003e\n\u003cli\u003eReview the process details of RunDLL32.exe to confirm the parent-child relationship with the command shell, helping to reduce false positives.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring for rundll32.exe and related processes to detect similar activities in the future and improve response times.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-rundll32-cmd-shell/","summary":"This rule detects command shell activity, such as cmd.exe or powershell.exe, initiated by RunDLL32, a technique commonly abused by attackers to execute malicious code and bypass security controls.","title":"Command Shell Activity Started via RunDLL32","url":"https://feed.craftedsignal.io/briefs/2026-05-rundll32-cmd-shell/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-30656"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["vulnerability","microsoft"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eOn May 3, 2026, Microsoft published a security update guide entry for CVE-2026-30656. At this time, no details regarding the nature of the vulnerability, affected products, or potential impact are available. Defenders should monitor Microsoft\u0026rsquo;s security resources for updates and apply patches as they become available. 
Due to the limited information, creating targeted detections is currently not possible. More information is required to understand the potential attack vectors and develop effective mitigations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eDue to the lack of details regarding CVE-2026-30656, a specific attack chain cannot be outlined at this time. The steps below represent a generic exploitation scenario:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: Attacker identifies a vulnerable system exposed to the network.\u003c/li\u003e\n\u003cli\u003eExploitation: Attacker leverages CVE-2026-30656 to execute arbitrary code.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: Attacker escalates privileges to gain higher-level access.\u003c/li\u003e\n\u003cli\u003eLateral Movement: Attacker moves laterally to other systems on the network.\u003c/li\u003e\n\u003cli\u003ePersistence: Attacker establishes persistent access to the compromised systems.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: Attacker exfiltrates sensitive data from the compromised network.\u003c/li\u003e\n\u003cli\u003eImpact: Attacker achieves their objective, such as data theft or system disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of CVE-2026-30656 is currently unknown. Depending on the affected product and the nature of the vulnerability, successful exploitation could lead to a range of outcomes, including remote code execution, denial of service, or information disclosure. 
Without further details, the potential damage is difficult to assess, but defenders should prioritize monitoring for updates from Microsoft and promptly apply any released patches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor the Microsoft Security Response Center (\u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-30656\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-30656\u003c/a\u003e) for updates and technical details regarding CVE-2026-30656.\u003c/li\u003e\n\u003cli\u003eWhen details are released, prioritize patching affected systems based on their criticality and exposure.\u003c/li\u003e\n\u003cli\u003eReview existing security controls and incident response plans to ensure they are adequate for addressing potential exploitation attempts targeting Microsoft products.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-03T07:52:20Z","date_published":"2026-05-03T07:52:20Z","id":"/briefs/2024-01-cve-2026-30656-info-published/","summary":"Microsoft published information regarding CVE-2026-30656, but the details of the vulnerability are not available.","title":"Microsoft CVE-2026-30656 Information Published","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-30656-info-published/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS S3","AWS CloudTrail"],"_cs_severities":["low"],"_cs_tags":["aws","s3","cloudtrail","discovery","enumeration","reconnaissance"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis threat brief covers suspicious activity related to the rapid enumeration of AWS S3 buckets. The activity is characterized by an AWS principal invoking read-only S3 control-plane APIs from the same source IP address within a short timeframe. This pattern is often associated with reconnaissance efforts, security scanning tools, or post-compromise enumeration activities. 
The behavior is similar to that observed with CSPM tools and by threat actors like Team PCP. The detection specifically excludes AWS service principals and requires programmatic-style sessions (i.e., not Management Console credentials). It focuses on scenarios where resource and identity fields are populated to avoid skewed results from null values. The detection threshold is set to greater than 15 distinct \u003ccode\u003eaws.cloudtrail.resources.arn\u003c/code\u003e values within a 10-second window.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS environment using compromised credentials or through an exposed IAM role. (T1530)\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to AWS using the obtained credentials, creating a programmatic session.\u003c/li\u003e\n\u003cli\u003eThe attacker issues a series of \u003ccode\u003eGetBucketAcl\u003c/code\u003e, \u003ccode\u003eGetBucketPublicAccessBlock\u003c/code\u003e, \u003ccode\u003eGetBucketPolicy\u003c/code\u003e, \u003ccode\u003eGetBucketPolicyStatus\u003c/code\u003e, and \u003ccode\u003eGetBucketVersioning\u003c/code\u003e API calls to S3.\u003c/li\u003e\n\u003cli\u003eThese API calls are directed towards multiple distinct S3 buckets within a short timeframe (10 seconds).\u003c/li\u003e\n\u003cli\u003eThe attacker collects information about the bucket\u0026rsquo;s access control lists (ACLs), public access blocks, policies, versioning status, and other metadata. 
(T1526, T1580, T1619)\u003c/li\u003e\n\u003cli\u003eThe collected information is analyzed to identify publicly accessible buckets, misconfigurations, or sensitive data storage locations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses identified vulnerabilities to exfiltrate data.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts lateral movement within the AWS environment, leveraging the discovered information to compromise other resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enumeration of S3 buckets can lead to the discovery of sensitive data, misconfigurations, and publicly accessible resources. This can result in data breaches, unauthorized access, and further compromise of the AWS environment. The enumeration allows an attacker to map out the S3 storage landscape, identifying targets for data exfiltration or privilege escalation. The rapid nature of the enumeration suggests automated scanning or reconnaissance, potentially indicating a larger attack campaign.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect rapid S3 bucket enumeration activity based on AWS CloudTrail logs, adjusting the threshold of 15 distinct buckets to suit your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the source IP address (\u003ccode\u003esource.ip\u003c/code\u003e), AWS principal ARN (\u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e), and the list of accessed buckets (\u003ccode\u003eaws.cloudtrail.resources.arn\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview IAM policies associated with the identified principal to ensure least privilege for S3 read APIs.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for related events, such as \u003ccode\u003eListBuckets\u003c/code\u003e, 
\u003ccode\u003eGetObject\u003c/code\u003e, \u003ccode\u003ePutBucketPolicy\u003c/code\u003e, \u003ccode\u003eAssumeRole\u003c/code\u003e, or IAM changes, occurring within ±30 minutes of the detected enumeration activity.\u003c/li\u003e\n\u003cli\u003eImplement network-level restrictions on the source IP address if it is not authorized to perform S3 enumeration.\u003c/li\u003e\n\u003cli\u003eDocument approved scanning accounts and add user agent filters to the provided Sigma rule to reduce noise from those identities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T19:43:38Z","date_published":"2026-05-01T19:43:38Z","id":"/briefs/2024-01-aws-s3-bucket-discovery/","summary":"An AWS principal rapidly enumerates S3 bucket posture using read-only APIs, indicative of reconnaissance, scanning, or post-compromise activity.","title":"Rapid Enumeration of AWS S3 Buckets","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-s3-bucket-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["cloud","aws","cloudtrail","discovery"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious AWS reconnaissance activity originating from the AWS CLI. It triggers when a single AWS identity (IAM user, role, or service principal) makes more than five unique discovery-related API calls (such as \u003ccode\u003eDescribe*\u003c/code\u003e, \u003ccode\u003eList*\u003c/code\u003e, \u003ccode\u003eGet*\u003c/code\u003e, or \u003ccode\u003eGenerate*\u003c/code\u003e) within a 10-second window. The rule is designed to detect adversaries attempting to map out an AWS environment after gaining unauthorized access through compromised credentials or a compromised EC2 instance. The tool focuses on API calls related to key AWS services like EC2, IAM, S3, and KMS. 
This rule helps defenders identify and respond to early-stage reconnaissance activity, preventing further exploitation or data exfiltration. The rule excludes activity from AWS service accounts and the AWS Management Console, and it requires a minimum stack version of 9.2.0 with AWS integration version 4.6.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains access to an AWS environment, potentially through compromised credentials or by compromising an EC2 instance.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Usage:\u003c/strong\u003e The attacker leverages the AWS CLI to interact with the AWS environment using the compromised credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker initiates a series of discovery API calls to gather information about the AWS infrastructure. This includes using \u003ccode\u003eDescribe*\u003c/code\u003e, \u003ccode\u003eList*\u003c/code\u003e, \u003ccode\u003eGet*\u003c/code\u003e, and \u003ccode\u003eGenerate*\u003c/code\u003e commands.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eResource Enumeration:\u003c/strong\u003e The attacker enumerates various AWS resources, including EC2 instances, IAM roles, S3 buckets, and KMS keys, by querying their respective APIs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTarget Identification:\u003c/strong\u003e The attacker analyzes the gathered information to identify potential targets for further exploitation, such as vulnerable EC2 instances or misconfigured S3 buckets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e If the compromised credentials have limited permissions, the attacker might attempt to escalate privileges to gain broader access to the AWS environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement 
(Optional):\u003c/strong\u003e The attacker might attempt to move laterally to other AWS accounts or services to expand their reach and impact.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Impact:\u003c/strong\u003e Based on the attacker\u0026rsquo;s goals, they may attempt to exfiltrate sensitive data or cause disruption by modifying or deleting resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to unauthorized access to sensitive data, such as customer information, intellectual property, or financial records. The attacker could also disrupt business operations by modifying or deleting critical resources. Identifying and responding to such activity in a timely manner can help prevent significant damage and maintain the security and integrity of the AWS environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to your SIEM and tune for your environment to detect the described reconnaissance activity.\u003c/li\u003e\n\u003cli\u003eEnable AWS CloudTrail logging for all AWS regions and accounts in your organization to ensure the required logs are available for detection.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the affected AWS identity, the source IP address, and the specific API calls made (as captured by the Sigma rule).\u003c/li\u003e\n\u003cli\u003eIf suspicious activity is confirmed, follow AWS\u0026rsquo;s incident-handling guidance, including disabling or rotating the access key used and restricting outbound connectivity from the source (reference the AWS Security Incident Response Guide).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T19:43:38Z","date_published":"2026-05-01T19:43:38Z","id":"/briefs/2024-11-aws-discovery-api-calls/","summary":"This rule detects when a 
single AWS identity executes more than five unique discovery-related API calls (Describe*, List*, Get*, or Generate*) within a 10-second window using the AWS CLI, potentially indicating reconnaissance activity following credential compromise or compromised EC2 instance access.","title":"AWS Discovery API Calls via CLI from a Single Resource","url":"https://feed.craftedsignal.io/briefs/2024-11-aws-discovery-api-calls/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["cve","vulnerability","microsoft"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eOn April 23, 2026, Microsoft released a security advisory indicating the existence of CVE-2026-35236.\nAt the time of the advisory, no details were provided regarding the nature of the vulnerability,\naffected products, potential impact, or mitigation strategies. This lack of information makes it\ndifficult to assess the immediate risk, but the existence of a CVE ID suggests the potential for\nfuture exploitation. Defenders should monitor for updates from Microsoft regarding CVE-2026-35236\nand prepare to implement patches or mitigations as they become available. 
The absence of specific\ninformation at this stage necessitates a proactive monitoring approach to detect any potential exploitation attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Disclosure:\u003c/strong\u003e Microsoft publishes the CVE ID CVE-2026-35236 without any details.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInformation Gathering (Attacker):\u003c/strong\u003e Attackers monitor Microsoft\u0026rsquo;s channels and other sources for further information on CVE-2026-35236.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Analysis (Attacker):\u003c/strong\u003e Once details are released (hypothetically), attackers analyze the vulnerability to develop an exploit.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploit Development (Attacker):\u003c/strong\u003e An exploit is created, potentially leveraging publicly available tools or custom-developed code.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTarget Selection (Attacker):\u003c/strong\u003e Attackers identify vulnerable systems based on the (currently unknown) affected product.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation Attempt (Attacker):\u003c/strong\u003e The exploit is deployed against the target system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Attacker):\u003c/strong\u003e (Hypothetical) If the initial exploit doesn\u0026rsquo;t provide sufficient privileges, further steps are taken to escalate privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact (Attacker):\u003c/strong\u003e (Hypothetical) Depending on the vulnerability, the impact could range from remote code execution to denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe current impact is unknown due to the lack of information about the vulnerability associated with CVE-2026-35236.\nIf the 
vulnerability is severe and widely exploitable, successful attacks could lead to data breaches, system compromise,\nor denial of service. The number of potential victims and affected sectors will depend on the affected product and its deployment scope.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eContinuously monitor the Microsoft Security Response Center for updates regarding CVE-2026-35236 (\u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35236\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35236\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eOnce Microsoft releases details on CVE-2026-35236, prioritize patching or implementing recommended mitigations.\u003c/li\u003e\n\u003cli\u003eDeploy generic detection rules to identify exploitation attempts based on unusual network activity or suspicious process creation.\u003c/li\u003e\n\u003cli\u003eReview existing security controls and ensure they are up to date to protect against potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T07:47:28Z","date_published":"2026-04-23T07:47:28Z","id":"/briefs/2024-05-cve-2026-35236-info-published/","summary":"Microsoft has published information regarding CVE-2026-35236, but no details about the vulnerability or its exploitation are currently available.","title":"Microsoft CVE-2026-35236 Information Published","url":"https://feed.craftedsignal.io/briefs/2024-05-cve-2026-35236-info-published/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["cloud","aws","s3","reconnaissance"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief details detection of rapid enumeration of AWS S3 bucket configurations. 
The activity is characterized by an AWS principal invoking read-only S3 control-plane APIs across numerous buckets within a short timeframe. This pattern is consistent with automated reconnaissance, security scanning, or post-compromise enumeration. The activity is detected by monitoring AWS CloudTrail logs for specific API calls such as \u003ccode\u003eGetBucketAcl\u003c/code\u003e, \u003ccode\u003eGetBucketPublicAccessBlock\u003c/code\u003e, \u003ccode\u003eGetBucketPolicy\u003c/code\u003e, \u003ccode\u003eGetBucketPolicyStatus\u003c/code\u003e, and \u003ccode\u003eGetBucketVersioning\u003c/code\u003e. The detection logic excludes AWS service principals and sessions using Management Console credentials to reduce false positives. This activity is relevant for defenders as it can signal early-stage reconnaissance by threat actors like Team PCP, or unauthorized data discovery within the AWS environment. The rule uses a threshold of 15 distinct buckets accessed within 10 seconds to identify suspicious behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to AWS credentials, possibly through compromised credentials or misconfigured IAM roles.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the acquired credentials to authenticate to the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script or tool that calls multiple S3 APIs (e.g., \u003ccode\u003eGetBucketAcl\u003c/code\u003e, \u003ccode\u003eGetBucketPolicy\u003c/code\u003e) to gather information about S3 buckets.\u003c/li\u003e\n\u003cli\u003eThe tool iterates through a list of buckets, querying the configuration of each.\u003c/li\u003e\n\u003cli\u003eThe attacker collects the responses from the S3 API calls, mapping out bucket names, permissions, and access control lists.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the collected data to identify potentially sensitive data or misconfigured 
buckets.\u003c/li\u003e\n\u003cli\u003eBased on the findings, the attacker may proceed to exfiltrate data from accessible buckets (T1530).\u003c/li\u003e\n\u003cli\u003eThe attacker may also attempt to modify bucket policies or access controls to gain further access or persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful reconnaissance of S3 bucket configurations allows attackers to identify vulnerable buckets, potentially leading to data breaches or unauthorized access to sensitive information. The source material does not provide specific victim counts or sectors. However, the impact can range from exposure of confidential data to full compromise of the AWS environment, depending on the level of access gained and the sensitivity of the data stored in the targeted buckets. Identifying the activity early can prevent further exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect rapid S3 bucket posture API calls (see: \u0026ldquo;AWS S3 Rapid Bucket Enumeration\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eReview IAM policies and enforce least privilege on S3 read APIs to limit the scope of potential reconnaissance activities.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for the same \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003esource.ip\u003c/code\u003e within approximately ±30 minutes for follow-on patterns such as \u003ccode\u003eListBuckets\u003c/code\u003e, \u003ccode\u003eGetObject\u003c/code\u003e, \u003ccode\u003ePutBucketPolicy\u003c/code\u003e, or \u003ccode\u003eAssumeRole\u003c/code\u003e activities (see Overview).\u003c/li\u003e\n\u003cli\u003eRotate or disable keys for the affected identity, revoke active role sessions where possible, and restrict the source IP at the network layer if it is not authorized (see 
Overview).\u003c/li\u003e\n\u003cli\u003eWhitelist approved scanning accounts and tune the Sigma rule to reduce noise from those identities (see Overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-aws-s3-reconnaissance/","summary":"An AWS principal rapidly enumerates S3 bucket configurations using read-only APIs, potentially indicating reconnaissance activity by security scanners, CSPM tools, or malicious actors performing post-compromise enumeration.","title":"AWS S3 Rapid Bucket Posture API Calls Indicate Reconnaissance","url":"https://feed.craftedsignal.io/briefs/2026-04-aws-s3-reconnaissance/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["cloud","aws","ssm","execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis rule identifies when an AWS Systems Manager (SSM) command document is created by a user or role who does not typically perform this action. The rule focuses on detecting anomalous creation of SSM command documents. Adversaries may create SSM command documents to execute commands on managed instances, potentially leading to unauthorized access, command and control, and data exfiltration. The rule utilizes AWS CloudTrail logs to monitor the \u003ccode\u003eCreateDocument\u003c/code\u003e API call within the SSM service. This activity is flagged when the user or role creating the document deviates from established patterns, indicating a potential security risk. 
This detection is relevant for organizations using AWS SSM for managing their infrastructure and aims to prevent unauthorized command execution on managed instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised credentials or an exposed IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to create a new SSM Command document using the \u003ccode\u003eCreateDocument\u003c/code\u003e API call.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eCreateDocument\u003c/code\u003e API call is logged by AWS CloudTrail with details about the user identity, request parameters, and document description.\u003c/li\u003e\n\u003cli\u003eThe detection rule analyzes CloudTrail logs, specifically looking for the \u003ccode\u003eCreateDocument\u003c/code\u003e event with a document type of \u003ccode\u003eCommand\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe rule identifies the user or role associated with the \u003ccode\u003eCreateDocument\u003c/code\u003e API call by inspecting the \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eIf the user or role is considered rare or unusual for creating SSM Command documents within the organization, the rule triggers an alert.\u003c/li\u003e\n\u003cli\u003eThe attacker could then use the created document to execute arbitrary commands on managed instances.\u003c/li\u003e\n\u003cli\u003eSuccessful execution of these commands leads to various impacts, including unauthorized access, command and control, data exfiltration, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of this technique can lead to unauthorized access to AWS resources, potentially affecting all systems managed by AWS SSM in the targeted environment. 
The creation of malicious SSM command documents can lead to data exfiltration, system compromise, or denial of service. If successful, this can impact hundreds or thousands of systems depending on the scope of AWS SSM usage in the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS SSM Command Document Created by Rare User\u0026rdquo; to your SIEM, ensuring proper indexing of CloudTrail logs (index = [\u0026ldquo;filebeat-*\u0026rdquo;, \u0026ldquo;logs-aws.cloudtrail-*\u0026rdquo;]).\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eaws.cloudtrail.request_parameters.content\u003c/code\u003e field in the CloudTrail logs for any suspicious commands within the created SSM document.\u003c/li\u003e\n\u003cli\u003eRestrict SSM document creation permissions to specific, trusted roles or users to prevent unauthorized document creation as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor the \u003ccode\u003eSendCommand\u003c/code\u003e API call related to the created SSM document to see if it is used to execute commands on managed instances, as described in the triage section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T16:27:52Z","date_published":"2026-04-10T16:27:52Z","id":"/briefs/2024-11-aws-ssm-rare-user/","summary":"An AWS Systems Manager (SSM) command document creation by a user or role who does not typically perform this action, which can lead to unauthorized access, command and control, or data exfiltration.","title":"AWS SSM Command Document Created by Rare User","url":"https://feed.craftedsignal.io/briefs/2024-11-aws-ssm-rare-user/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["kubernetes","credential-access","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection rule identifies instances where Kubernetes secrets 
are accessed through atypical means, specifically flagging requests originating from unusual user agents, usernames, or source IPs. The underlying assumption is that after compromising a pod or stealing a kubeconfig file, adversaries often attempt to harvest sensitive information stored as secrets within the Kubernetes cluster. This includes service account tokens, registry credentials, cloud keys, and other critical data. This activity can lead to privilege escalation and lateral movement within the cluster or the wider cloud environment. The rule focuses on identifying deviations from established access patterns to Kubernetes secrets to detect potentially malicious activity. The rule leverages data from kubernetes.audit_logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e An attacker gains initial access to the Kubernetes cluster, potentially by exploiting a vulnerability in a pod or by stealing a kubeconfig file.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker enumerates available resources within the cluster to identify potential targets, including secrets. This might involve using \u003ccode\u003ekubectl get secrets --all-namespaces\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Theft:\u003c/strong\u003e The attacker attempts to access Kubernetes secrets using an unusual user agent, source IP, or user name. For example, using \u003ccode\u003ecurl\u003c/code\u003e from a compromised pod to access the Kubernetes API.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The attacker retrieves the contents of the secrets. 
Secrets might contain service account tokens, registry credentials, cloud IAM keys, database passwords, etc.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e With stolen credentials, the attacker attempts to move laterally within the cluster or the connected cloud environment. They might use the credentials to access other pods, services, or cloud resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker uses the stolen credentials to escalate their privileges within the Kubernetes cluster or the cloud environment. For example, creating new roles or role bindings.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence by creating backdoors or modifying existing deployments. This might involve creating new pods or modifying existing deployments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their objective, such as data theft, denial of service, or infrastructure compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of sensitive data stored within Kubernetes secrets. This could include database credentials, API keys, and service account tokens. The impact can range from unauthorized access to sensitive data, to complete compromise of the Kubernetes cluster and the connected cloud environment. This can affect any organization using Kubernetes to manage their applications, potentially leading to data breaches, service disruptions, and financial losses. 
The severity depends on the sensitivity of the data stored in the compromised secrets and the level of access the attacker gains.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eKubernetes Secret Access via Unusual User Agent\u003c/code\u003e to your SIEM and tune for your environment to detect unusual access patterns to Kubernetes secrets.\u003c/li\u003e\n\u003cli\u003eInvestigate and validate any alerts generated by the deployed Sigma rule, focusing on the requesting identity, source IP, and user agent to confirm whether they align with approved access records.\u003c/li\u003e\n\u003cli\u003eImplement RBAC least privilege to limit access to secrets to only the required service accounts and users to minimize the potential impact of credential theft.\u003c/li\u003e\n\u003cli\u003eMonitor Kubernetes audit logs (\u003ccode\u003elogs-kubernetes.audit_logs-*\u003c/code\u003e) for suspicious activity, including unusual API calls and access patterns to sensitive resources.\u003c/li\u003e\n\u003cli\u003eRegularly rotate secrets and credentials to minimize the window of opportunity for attackers to use stolen credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T12:05:33Z","date_published":"2026-04-06T12:05:33Z","id":"/briefs/2024-01-09-kubernetes-secret-access/","summary":"Detects unusual access to Kubernetes secrets, potentially indicating an attacker attempting to steal sensitive information after gaining initial access to the cluster.","title":"Kubernetes Secret Access via Unusual User Agent","url":"https://feed.craftedsignal.io/briefs/2024-01-09-kubernetes-secret-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["azure","cloud","anomaly-detection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies Azure Activity Logs activity originating 
from a city that is atypical for the specific event action being performed. The underlying mechanism is a machine learning job, \u003ccode\u003eazure_activitylogs_rare_event_action_for_a_city_ea\u003c/code\u003e, designed to surface anomalous geolocation patterns. The rule is triggered when the anomaly score exceeds 50. Such deviations can indicate compromised credentials used by an attacker operating from a different geography than the authorized user. This activity can be an early indicator of account abuse, potentially preceding broader impact such as data exfiltration or resource exploitation. The rule is designed to be used with Elastic Stack version 9.4.0 and later.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Compromise:\u003c/strong\u003e An attacker obtains valid Azure credentials (username/password or service principal keys) through phishing, credential stuffing, or other means.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker uses the compromised credentials to log in to the Azure environment from an unusual geographic location (city).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eActivity Log Generation:\u003c/strong\u003e The login and subsequent actions generate Azure Activity Logs entries.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eResource Access/Modification:\u003c/strong\u003e The attacker performs actions such as adding privileged role assignments, creating virtual machines, modifying network configurations, or accessing Key Vault secrets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Potential):\u003c/strong\u003e The attacker may use the initially compromised account to discover and access other resources or accounts within the Azure environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Resource Exploitation (Potential):\u003c/strong\u003e The attacker 
exfiltrates sensitive data or uses compromised resources for malicious purposes like cryptocurrency mining.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data, modification of critical infrastructure, and deployment of malicious resources within the Azure environment. The impact can range from data breaches and financial losses to disruption of services. While the risk score of this detection is low, further investigation is required to determine the extent and nature of the malicious activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the associated Machine Learning job (\u003ccode\u003eazure_activitylogs_rare_event_action_for_a_city_ea\u003c/code\u003e) and ensure that the Azure Activity Logs integration is properly configured to provide the necessary data.\u003c/li\u003e\n\u003cli\u003eReview the investigation guide within the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e field to understand possible investigation steps, including validating user presence in the region and enriching the source IP.\u003c/li\u003e\n\u003cli\u003eImplement response and remediation steps outlined in the rule \u003ccode\u003enote\u003c/code\u003e field such as revoking active sessions, resetting passwords, and reverting changes executed from the unusual city.\u003c/li\u003e\n\u003cli\u003eConfigure Conditional Access policies with country allowlists and named egress IP ranges, as recommended in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e field, to prevent logins from unexpected locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T13:35:13Z","date_published":"2026-04-02T13:35:13Z","id":"/briefs/2026-06-unusual-azure-city/","summary":"A machine learning job detected Azure Activity Logs activity that, while not inherently suspicious or abnormal, is 
sourcing from a geolocation (city) that is unusual for the event action, indicating potential compromised credentials.","title":"Unusual City for Azure Activity Logs Event","url":"https://feed.craftedsignal.io/briefs/2026-06-unusual-azure-city/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["credential-access","defense-evasion","brute-force","password-spraying"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert triggers when an Elastic machine learning job identifies a significant spike in successful authentication events originating from a specific source IP address. The underlying cause may range from legitimate administrative activity to malicious attempts at credential compromise, such as password spraying, user enumeration, or brute force attacks. The rule requires a minimum Elastic Stack version of 9.4.0 and relies on data ingested via Elastic Defend, Auditd Manager, or the System integration. The machine learning job associated with this rule is named \u0026ldquo;auth_high_count_logon_events_for_a_source_ip_ea\u0026rdquo;. 
While build servers and CI systems can trigger this alert as false positives, its presence should always prompt investigation to rule out credential compromise attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a network or system (not explicitly described in source).\u003c/li\u003e\n\u003cli\u003eCredential Harvesting: The attacker attempts to gather valid credentials through password spraying or brute-force attacks (T1110, T1110.003).\u003c/li\u003e\n\u003cli\u003eAccount Discovery: The attacker enumerates user accounts to identify potential targets, often performed in conjunction with password attacks.\u003c/li\u003e\n\u003cli\u003eSuccessful Authentication: Using compromised credentials, the attacker successfully authenticates to a system or service (T1078, T1078.002, T1078.003).\u003c/li\u003e\n\u003cli\u003eLateral Movement: After successful authentication, the attacker potentially moves laterally within the network using valid accounts (not explicitly described in source).\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker may attempt to escalate privileges to gain higher-level access (not explicitly described in source).\u003c/li\u003e\n\u003cli\u003eData Exfiltration/Impact: After gaining sufficient access, the attacker may exfiltrate sensitive data or cause damage to the system or network (not explicitly described in source).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, systems, and services. The number of affected users and the extent of the damage depend on the scope of the compromised credentials and the attacker\u0026rsquo;s objectives. 
This can impact any sector, as credential compromise is a common attack vector across various industries.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and configure the Elastic Defend, Auditd Manager, or System integrations to provide the necessary data for the machine learning job (see Setup section).\u003c/li\u003e\n\u003cli\u003eInstall the associated Machine Learning job \u0026ldquo;auth_high_count_logon_events_for_a_source_ip_ea\u0026rdquo; to enable the detection (see Setup section).\u003c/li\u003e\n\u003cli\u003eTune the anomaly threshold of the machine learning job based on your environment to reduce false positives (anomaly_threshold metadata).\u003c/li\u003e\n\u003cli\u003eInvestigate alerts triggered by this rule, focusing on identifying the involved assets, users, and source IP addresses (see Note section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T13:25:14Z","date_published":"2026-04-02T13:25:14Z","id":"/briefs/2026-04-auth-spike/","summary":"A machine learning job detected a spike in successful authentication events from a source IP address, which can indicate password spraying, user enumeration, or brute force activity, potentially leading to credential access.","title":"Spike in Successful Logon Events from a Source IP","url":"https://feed.craftedsignal.io/briefs/2026-04-auth-spike/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["data exfiltration","machine learning","external device"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Data Exfiltration Detection integration, part of the Elastic Security suite, includes a machine learning job designed to detect anomalies in data transfer patterns to external devices. 
This job, named \u0026ldquo;ded_high_bytes_written_to_external_device,\u0026rdquo; identifies unusual increases in the amount of data written to external devices, which could indicate data exfiltration attempts. The system establishes a baseline of normal activity and flags deviations from that baseline, operating on a 15-minute interval and examining data from the preceding two hours. While this rule is intended to detect malicious data exfiltration, legitimate activities like backups, software updates, archiving, and media creation can trigger false positives. The rule is enabled via the Data Exfiltration Detection integration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system via compromised credentials or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates sensitive data on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker stages the data for exfiltration, possibly compressing or archiving it.\u003c/li\u003e\n\u003cli\u003eThe attacker connects an external device (e.g., USB drive) to the system.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a large data transfer to the external device.\u003c/li\u003e\n\u003cli\u003eThe Data Exfiltration Detection machine learning job detects a significant increase in bytes written to the external device, triggering an alert.\u003c/li\u003e\n\u003cli\u003eThe attacker removes the external device containing the exfiltrated data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the external device to access the stolen data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful data exfiltration event can result in the loss of sensitive information, potentially leading to financial losses, reputational damage, legal repercussions, and competitive disadvantage. 
Although the specific number of victims and targeted sectors are not specified, the potential impact is broad, affecting any organization that stores sensitive data on systems accessible to malicious actors. The severity depends on the nature and volume of the exfiltrated data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview and tune the Data Exfiltration Detection integration\u0026rsquo;s configuration, specifically the \u0026ldquo;ded_high_bytes_written_to_external_device\u0026rdquo; machine learning job, to reduce false positives related to legitimate data transfer activities.\u003c/li\u003e\n\u003cli\u003eImplement and enforce data transfer policies to restrict the unauthorized use of external devices and ensure compliance with organizational security standards.\u003c/li\u003e\n\u003cli\u003eDeploy endpoint detection and response (EDR) solutions to enhance visibility and control over data movements to external devices, as recommended in the rule\u0026rsquo;s response and remediation guidance.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026ldquo;Spike in Bytes Sent to an External Device\u0026rdquo; rule (rule_id: \u0026ldquo;35a3b253-eea8-46f0-abd3-68bdd47e6e3d\u0026rdquo;) to determine the legitimacy of the data transfer and take appropriate action.\u003c/li\u003e\n\u003cli\u003eConsult the investigation guide provided in the rule\u0026rsquo;s notes section to aid in the triage and analysis of potential data exfiltration incidents.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T12:00:00Z","date_published":"2026-04-02T12:00:00Z","id":"/briefs/2026-04-high-bytes-written-to-external-device/","summary":"A machine learning job has detected a spike in bytes written to an external device, which is anomalous and can signal illicit data copying or transfer activities, potentially leading to data exfiltration.","title":"Unusual Spike in Bytes Written to 
External Device Detected by Machine Learning","url":"https://feed.craftedsignal.io/briefs/2026-04-high-bytes-written-to-external-device/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["kubectl","kubernetes","command_and_control","network_configuration","linux","macos"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection rule identifies potential malicious activity involving the \u003ccode\u003ekubectl\u003c/code\u003e command-line tool, specifically focusing on modifications to network configurations within Kubernetes environments. The rule monitors for \u003ccode\u003ekubectl\u003c/code\u003e commands executed with arguments like \u0026ldquo;port-forward\u0026rdquo;, \u0026ldquo;proxy\u0026rdquo;, or \u0026ldquo;expose,\u0026rdquo; which can be used to manipulate network settings. The activity is considered suspicious when initiated from atypical parent processes or directories, such as temporary folders or user home directories. This behavior might indicate an adversary attempting to establish unauthorized access channels or exfiltrate sensitive data. The rule is designed to work with endpoint detection and response (EDR) solutions like Elastic Defend, Crowdstrike, SentinelOne, and cloud workload protection platforms. 
The rule was last updated on March 30, 2026, and is intended for use in production environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system with \u003ccode\u003ekubectl\u003c/code\u003e installed and configured to interact with a Kubernetes cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003ekubectl\u003c/code\u003e command with arguments like \u003ccode\u003eport-forward\u003c/code\u003e to create a local port that forwards traffic to a service or pod within the cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ekubectl proxy\u003c/code\u003e to create a proxy server that allows them to access the Kubernetes API server from their local machine.\u003c/li\u003e\n\u003cli\u003eThe attacker employs \u003ccode\u003ekubectl expose\u003c/code\u003e to create a new service that exposes a deployment, replication controller, or pod as a new Kubernetes service, potentially opening up unintended access points.\u003c/li\u003e\n\u003cli\u003eThe attacker may execute these commands from a shell like \u003ccode\u003ebash\u003c/code\u003e, or from a script located in a temporary directory like \u003ccode\u003e/tmp/\u003c/code\u003e or \u003ccode\u003e/var/tmp/\u003c/code\u003e, to evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the modified network configurations to establish unauthorized access to sensitive services or data within the Kubernetes cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the proxied or forwarded connections to exfiltrate data from the cluster to an external location.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via \u003ccode\u003ekubectl\u003c/code\u003e network configuration modification can lead to unauthorized access to sensitive data and services within a Kubernetes cluster. 
This can result in data breaches, service disruptions, and lateral movement within the cluster. The low severity score suggests that while the risk exists, the impact might be limited if proper Kubernetes security best practices are followed. The rule aims to detect these actions early, preventing potential damage to the cluster.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Elastic Defend integration or equivalent EDR solutions to monitor process execution and network connections (\u003ccode\u003eData Source: Elastic Defend\u003c/code\u003e, \u003ccode\u003eData Source: Crowdstrike\u003c/code\u003e, \u003ccode\u003eData Source: SentinelOne\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious \u003ccode\u003ekubectl\u003c/code\u003e commands with network-related arguments (\u003ccode\u003erules\u003c/code\u003e section). Tune the rule based on your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent process and the command-line arguments of the \u003ccode\u003ekubectl\u003c/code\u003e command (\u003ccode\u003erules\u003c/code\u003e section, \u003ccode\u003eResources: Investigation Guide\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for \u003ccode\u003ekubectl\u003c/code\u003e activities and network configuration changes within the Kubernetes cluster to proactively detect and respond to similar threats in the future (\u003ccode\u003eResources: Investigation Guide\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T14:16:09Z","date_published":"2026-04-01T14:16:09Z","id":"/briefs/2026-05-kubectl-network-modification/","summary":"This rule detects potential kubectl network configuration modification activity by monitoring for process events where the kubectl command is executed with 
arguments that suggest an attempt to modify network configurations in Kubernetes, potentially leading to unauthorized access or data exfiltration.","title":"Kubectl Network Configuration Modification","url":"https://feed.craftedsignal.io/briefs/2026-05-kubectl-network-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["incident-response","security-services","crowdstrike"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCrowdStrike has extended its Falcon Flex model to its services offering, allowing organizations to consume cybersecurity services with greater flexibility. This model enables organizations to draw down from a standalone services entitlement, applying it across CrowdStrike\u0026rsquo;s services portfolio based on their specific priorities and operational needs. The Falcon Flex for Services covers incident response, proactive security services, advisory, platform services, and training. Additionally, CrowdStrike is introducing the Zero Dollar Flex Fund, providing qualifying new services customers with access to 200 hours of CrowdStrike Services at no initiation cost, including 160 hours of incident response and 40 hours of proactive services. This initiative aims to lower the barrier for organizations to engage with CrowdStrike\u0026rsquo;s expertise, especially those seeking expert support before committing to a broader platform. The key benefit is a more adaptable way to consume CrowdStrike expertise over time, without requiring a new procurement cycle for every shift in priorities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThis brief describes a service offering that enables rapid incident response, rather than a specific attack chain. Therefore, the typical attack chain steps do not apply. 
However, the service is designed to improve resilience against attacks, which can be described as follows:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to the target environment through various means such as phishing, vulnerability exploitation, or stolen credentials (not directly mentioned in the source).\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker attempts to move laterally within the network, escalating privileges to gain control over critical systems (not directly mentioned in the source).\u003c/li\u003e\n\u003cli\u003eData Exfiltration: The attacker identifies and exfiltrates sensitive data from the compromised systems (not directly mentioned in the source).\u003c/li\u003e\n\u003cli\u003eImpact: The attacker deploys ransomware or causes other damage to disrupt business operations (not directly mentioned in the source).\u003c/li\u003e\n\u003cli\u003eDetection: The organization detects the intrusion, potentially through existing security tools or alerts (not directly mentioned in the source).\u003c/li\u003e\n\u003cli\u003eActivation of CrowdStrike Services: The organization leverages CrowdStrike Flex for Services to engage incident response experts.\u003c/li\u003e\n\u003cli\u003eIncident Response: CrowdStrike experts rapidly assess the scope of the breach, contain the attacker\u0026rsquo;s activities, and begin remediation efforts.\u003c/li\u003e\n\u003cli\u003eRemediation and Recovery: CrowdStrike assists in recovering compromised systems, patching vulnerabilities, and implementing security enhancements to prevent future incidents.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful utilization of CrowdStrike Flex for Services can significantly reduce the impact of a cyberattack by enabling rapid incident response and minimizing downtime. 
Organizations can pre-arrange incident response coverage, providing access to elite expertise and a more adaptable approach to consuming cybersecurity services over time. The Zero Dollar Flex Fund provides a direct path to CrowdStrike expertise for first-time services customers, offering a standalone 12-month agreement with flexibility in applying proactive services to readiness and consulting priorities. This results in improved preparedness, faster containment of threats, and more effective recovery from incidents, minimizing potential financial losses, reputational damage, and operational disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEvaluate the CrowdStrike Falcon Flex for Services model to determine its suitability for your organization\u0026rsquo;s incident response and cybersecurity service needs (Reference: CrowdStrike Flex for Services).\u003c/li\u003e\n\u003cli\u003eFor qualifying new services customers, explore the Zero Dollar Flex Fund to gain initial access to CrowdStrike Services for incident response and proactive security measures (Reference: Zero Dollar Flex Fund).\u003c/li\u003e\n\u003cli\u003eIntegrate CrowdStrike\u0026rsquo;s incident response capabilities with existing security tools and processes to streamline incident handling and improve overall security posture (Reference: CrowdStrike Services).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-28T08:13:20Z","date_published":"2026-03-28T08:13:20Z","id":"/briefs/2026-03-falcon-flex-services/","summary":"CrowdStrike is expanding its Falcon Flex model to include its services, offering flexible consumption of expert-led cybersecurity services including incident response and proactive security measures.","title":"CrowdStrike Falcon Flex for Services 
Expansion","url":"https://feed.craftedsignal.io/briefs/2026-03-falcon-flex-services/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["soc","blueteam","threat-hunting"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA security practitioner has released a free, offline SOC toolkit intended for Tier 1 analysts and those new to blue team operations. This toolkit, contained within a single HTML file, provides resources for incident response, alert triage, threat hunting, and analyst onboarding. Released in March 2026, the toolkit includes interactive IR checklists for common incident types (Phishing, Malware, Brute Force, Data Exfil, Suspicious PowerShell), alert triage playbooks with decision trees, threat hunting guides mapped to MITRE ATT\u0026amp;CK, and a structured curriculum for new Tier 1 hires. The threat hunting guides are noteworthy, as they include Splunk and Elastic queries for specific attack techniques like Kerberoasting, Pass-the-Hash, LOLBAS abuse, scheduled task persistence, and C2 communication on non-standard ports. 
Defenders can leverage the shared hunting queries to enhance their detection capabilities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThis toolkit is designed to aid in the \u003cem\u003edetection\u003c/em\u003e of the following attack chains:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e (Phishing, Malware) An attacker gains initial access through methods such as phishing emails or malware-infected attachments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e (Kerberoasting, Pass-the-Hash) After gaining initial access, the attacker attempts to harvest credentials using techniques like Kerberoasting to target service accounts or Pass-the-Hash to reuse existing credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e (Pass-the-Hash) Using compromised credentials, the attacker moves laterally within the network, accessing additional systems and resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e (LOLBAS) The attacker utilizes Living-Off-The-Land Binaries and Scripts (LOLBAS) to execute malicious commands and evade detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e (Scheduled Task Persistence) The attacker establishes persistence by creating scheduled tasks that execute malicious code at regular intervals.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e (C2 on non-standard ports) The attacker establishes a command and control channel, communicating with compromised systems over non-standard ports to evade detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration:\u003c/strong\u003e (Data Exfil) The attacker exfiltrates sensitive data from the compromised systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e (Data Exfil) The attacker 
achieves their final objective of data exfiltration, resulting in data loss or exposure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe toolkit helps defenders to mitigate the impact of attacks by providing resources for incident response, alert triage, and threat hunting. Successful implementation of the toolkit\u0026rsquo;s recommendations can lead to faster detection and containment of security incidents, reducing the potential for data breaches, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview the threat hunting guides within the toolkit and adapt the provided Splunk and Elastic queries for Kerberoasting, Pass-the-Hash, LOLBAS, scheduled task persistence, and C2 on non-standard ports to your environment.\u003c/li\u003e\n\u003cli\u003eUtilize the provided IR Checklists (Phishing, Malware, Brute Force, Data Exfil, Suspicious PowerShell) to standardize and improve incident response procedures.\u003c/li\u003e\n\u003cli\u003eCustomize and integrate the Alert Triage Playbooks into your existing security operations workflows to assist with the analysis of alerts related to impossible travel, lateral movement, and DNS beaconing.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-18T12:00:00Z","date_published":"2026-03-18T12:00:00Z","id":"/briefs/2026-03-soc-analyst-hub/","summary":"A free, offline SOC toolkit aimed at Tier 1 analysts includes IR checklists, triage playbooks, and threat hunting guides mapped to MITRE ATT\u0026CK, with Splunk and Elastic queries for threats such as Kerberoasting, Pass-the-Hash, LOLBAS, scheduled task persistence, and C2 on non-standard ports.","title":"SOC Analyst Toolkit with Threat Hunting 
Queries","url":"https://feed.craftedsignal.io/briefs/2026-03-soc-analyst-hub/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["rust","reverse-engineering","malware-analysis"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 15, 2026, JPCERT/CC published a study examining the challenges and techniques involved in reverse engineering binaries compiled from the Rust programming language. This research aims to aid security analysts and reverse engineers in understanding the structure and characteristics of Rust-based malware. Rust\u0026rsquo;s increasing popularity among malware authors necessitates specialized knowledge to effectively analyze and detect these threats. The study details specific features of Rust binaries that differ from those compiled from other languages like C or C++, focusing on aspects such as metadata handling, string encoding, and unique function calling conventions. The research provides practical guidance for overcoming common obstacles encountered during reverse engineering of Rust binaries.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThis threat brief focuses on the analysis of Rust binaries, not a specific attack chain. However, understanding the structure of these binaries is crucial for analyzing attacks leveraging them. 
The following steps outline a general reverse engineering process applicable to any binary, with considerations specific to Rust:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Reconnaissance:\u003c/strong\u003e Obtain the Rust binary and gather basic information such as file type, size, and compilation timestamp using tools like \u003ccode\u003efile\u003c/code\u003e and \u003ccode\u003estrings\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMetadata Analysis:\u003c/strong\u003e Examine the binary\u0026rsquo;s metadata section to identify Rust version, crate dependencies, and potentially debug symbols. This can be done using tools like \u003ccode\u003eobjdump\u003c/code\u003e or specialized Rust metadata parsers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eString Extraction:\u003c/strong\u003e Extract embedded strings from the binary. Note that Rust often uses UTF-8 encoding for strings, so ensure your tools support this encoding.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFunction Identification:\u003c/strong\u003e Identify key functions such as \u003ccode\u003emain\u003c/code\u003e, and any other functions related to suspicious behavior. Tools like IDA Pro or Ghidra can be used for disassembly and function analysis.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eControl Flow Analysis:\u003c/strong\u003e Analyze the control flow of the program, paying attention to function calls and branching logic. Rust\u0026rsquo;s ownership and borrowing system can make control flow more complex than in C/C++.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDependency Analysis:\u003c/strong\u003e Identify and analyze any external crates (libraries) used by the binary. 
These crates may contain known vulnerabilities or malicious code.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBehavioral Analysis:\u003c/strong\u003e Execute the binary in a controlled environment (sandbox) to observe its behavior, including file system access, network connections, and registry modifications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDetection Rule Creation:\u003c/strong\u003e Based on the reverse engineering and behavioral analysis, create detection rules for identifying similar malicious Rust binaries.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe increasing use of Rust in malware development poses a challenge for security analysts. Successful reverse engineering and understanding of Rust binaries are crucial for detecting and mitigating threats. Failure to adapt to this trend could lead to a decreased ability to identify and respond to novel malware strains.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eFamiliarize detection engineers with the structure and characteristics of Rust binaries as described in the JPCERT/CC study to improve reverse engineering capabilities.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rules provided below to detect suspicious behaviors commonly associated with potentially malicious binaries, adjusting thresholds and whitelists as needed for your environment.\u003c/li\u003e\n\u003cli\u003eUtilize tools capable of parsing Rust metadata to extract crate dependencies and other useful information from Rust binaries during analysis, as described in the \u0026ldquo;Metadata Analysis\u0026rdquo; step above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-16T12:00:00Z","date_published":"2026-03-16T12:00:00Z","id":"/briefs/2026-03-rust-binaries/","summary":"JPCERT/CC published a study on the reverse engineering of binaries created with the Rust programming language, providing 
insights for malware analysis and detection engineering.","title":"JPCERT/CC Study on Reverse Engineering Rust Binaries","url":"https://feed.craftedsignal.io/briefs/2026-03-rust-binaries/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["aws","privilege-escalation","lateral-movement"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection rule identifies when an IAM user assumes a role in AWS Security Token Service (STS) within an AWS environment. The AWS Security Token Service (STS) allows users to request temporary, limited-privilege credentials for accessing AWS resources. While legitimate role assumption is common for authorized access, adversaries can abuse this mechanism to escalate privileges or move laterally within a compromised AWS account. This behavior is detected by monitoring AWS CloudTrail logs for \u003ccode\u003eAssumeRole\u003c/code\u003e events from IAM users. The rule focuses on identifying potentially malicious role assumptions by correlating the user identity, assumed role, and source information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account as an IAM user, potentially through compromised credentials or an exposed access key.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates available IAM roles within the AWS environment to identify roles with elevated privileges or access to sensitive resources.\u003c/li\u003e\n\u003cli\u003eThe attacker calls the \u003ccode\u003eAssumeRole\u003c/code\u003e API in AWS STS, requesting temporary credentials for the target role, using a \u003ccode\u003eroleSessionName\u003c/code\u003e for context.\u003c/li\u003e\n\u003cli\u003eThe STS service validates the request and, if authorized, issues temporary credentials consisting of an \u003ccode\u003eaccessKeyId\u003c/code\u003e, 
\u003ccode\u003esecretAccessKey\u003c/code\u003e, and \u003ccode\u003esessionToken\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker configures their AWS CLI or SDK with the temporary credentials obtained from the STS service.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the temporary credentials to access AWS resources and perform actions permitted by the assumed role, such as modifying security groups, accessing S3 buckets, or launching EC2 instances.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to further escalate privileges by assuming additional roles or creating new IAM users with administrative privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful role assumption can grant an attacker access to sensitive data, allow them to disrupt critical services, or provide a foothold for further attacks within the AWS environment. While this rule has a low severity, a high volume of alerts should be reviewed as it could indicate ongoing lateral movement and privilege escalation. 
The impact of a successful attack can range from data breaches and service disruptions to complete compromise of the AWS environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to your SIEM and tune for your environment to detect suspicious role assumptions.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule by reviewing the associated CloudTrail logs, specifically the \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003eaws.cloudtrail.resources.arn\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eImplement additional monitoring for high-risk roles with elevated permissions, and create exceptions for trusted patterns.\u003c/li\u003e\n\u003cli\u003eRegularly review IAM policies and roles to minimize the risk of privilege escalation.\u003c/li\u003e\n\u003cli\u003eRefer to the AWS STS documentation for more details on managing and securing AWS STS in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-04T18:01:49Z","date_published":"2026-03-04T18:01:49Z","id":"/briefs/2026-03-aws-sts-role-assumption/","summary":"Detection of a user assuming a role in AWS Security Token Service (STS) to obtain temporary credentials, which can indicate privilege escalation or lateral movement.","title":"AWS STS Role Assumption by User","url":"https://feed.craftedsignal.io/briefs/2026-03-aws-sts-role-assumption/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["privileged-access","okta","user-lifecycle"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert detects potential privileged access activity within an Okta environment. The detection is triggered by a machine learning job that identifies anomalous spikes in user lifecycle management change events. 
Threat actors may target user accounts to escalate their privileges or to establish persistence within the environment. This is achieved by manipulating user accounts, such as modifying roles, permissions, or other attributes. The prebuilt ML job \u0026ldquo;pad_okta_spike_in_user_lifecycle_management_changes_ea\u0026rdquo; is used to detect these anomalies. The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta. The rule looks for activity within a 3-hour window, checking every 15 minutes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Okta account, possibly through compromised credentials or other means. (T1078)\u003c/li\u003e\n\u003cli\u003eThe attacker begins enumerating user accounts and their associated roles and permissions within the Okta environment.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target user account with elevated privileges or a role that would grant them desired access.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the target user account\u0026rsquo;s attributes, such as adding the attacker\u0026rsquo;s account to a privileged group or changing the user\u0026rsquo;s role. (T1098)\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly acquired privileges to access sensitive resources or perform unauthorized actions.\u003c/li\u003e\n\u003cli\u003eThe attacker may create new user accounts with elevated privileges to maintain persistent access to the environment. 
(T1098)\u003c/li\u003e\n\u003cli\u003eThe attacker covers their tracks by deleting logs or modifying audit trails to conceal their activity.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can result in privilege escalation, allowing unauthorized access to sensitive data and systems. Depending on the level of access gained, attackers may be able to compromise critical infrastructure, steal confidential information, or disrupt business operations. The impact can range from minor data breaches to significant financial losses and reputational damage. Early detection of anomalous user lifecycle changes is crucial to mitigating these risks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the Privileged Access Detection integration is installed and properly configured, including the preconfigured anomaly detection job \u0026ldquo;pad_okta_spike_in_user_lifecycle_management_changes_ea\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule by following the investigation steps outlined in the rule\u0026rsquo;s note section within the Kibana UI.\u003c/li\u003e\n\u003cli\u003eReview and update access management policies and procedures to prevent similar incidents in the future, ensuring that changes to user accounts are logged and regularly reviewed as described in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003cli\u003eMonitor Okta logs for any unusual or unauthorized activity, focusing on user account changes, as described in the setup documentation.\u003c/li\u003e\n\u003cli\u003eImplement additional monitoring on the affected accounts and related systems to detect any further suspicious activity or attempts to regain unauthorized access as mentioned in the response and 
remediation guidelines.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T12:00:00Z","date_published":"2024-11-02T12:00:00Z","id":"/briefs/2024-11-okta-user-lifecycle-spike/","summary":"A machine learning job has identified an unusual spike in Okta user lifecycle management change events, indicating potential privileged access activity where threat actors may manipulate user accounts to gain higher access rights or persist within the environment.","title":"Unusual Spike in Okta User Lifecycle Management Change Events","url":"https://feed.craftedsignal.io/briefs/2024-11-okta-user-lifecycle-spike/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS CloudTrail","AWS EC2"],"_cs_severities":["low"],"_cs_tags":["attack.defense-impairment","attack.t1686.001","cloud"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThe creation of new Network Access Control List (ACL) entries in Amazon Web Services (AWS) environments can be a sign of malicious activity. While legitimate use cases exist, adversaries can leverage these ACL changes to impair existing defenses, create new pathways for lateral movement, or establish persistence mechanisms. This activity is logged by CloudTrail and can be monitored to identify unauthorized or suspicious modifications to network security configurations. Attackers could create overly permissive rules that allow unauthorized access to critical resources or restrictive rules that disrupt legitimate traffic. 
Monitoring the creation of Network ACL entries is important for maintaining the integrity and security of AWS environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised credentials or an exploited vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the existing Network ACLs within the target Virtual Private Cloud (VPC).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS Management Console, CLI, or API to create a new Network ACL entry. The \u003ccode\u003eCreateNetworkAclEntry\u003c/code\u003e event is logged in CloudTrail.\u003c/li\u003e\n\u003cli\u003eThe new ACL entry may be configured to allow specific inbound or outbound traffic that was previously blocked, effectively opening a new attack vector.\u003c/li\u003e\n\u003cli\u003eAlternatively, the new ACL entry may be configured to deny legitimate traffic, causing a denial-of-service condition for specific services or resources.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly created ACL entry to move laterally within the AWS environment, accessing previously inaccessible resources.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions, such as data exfiltration or resource compromise, using the newly opened network pathways.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe creation of unauthorized Network ACL entries can have significant consequences. It can lead to the opening of new attack vectors, allowing unauthorized access to sensitive data and critical resources. In some scenarios, it can result in a denial-of-service condition, disrupting legitimate business operations. Depending on the scope of the compromised resources and data, the impact can range from minor inconvenience to significant financial loss and reputational damage. 
Early detection of this activity is crucial to mitigating potential risks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;New Network ACL Entry Added\u0026rdquo; to your SIEM to detect suspicious ACL modifications (logsource: aws, service: cloudtrail).\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003eCreateNetworkAclEntry\u003c/code\u003e events that deviate from established baseline configurations or involve unexpected source/destination IP ranges.\u003c/li\u003e\n\u003cli\u003eReview and audit existing Network ACL configurations regularly to identify and remediate any overly permissive or restrictive rules.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of credential compromise and unauthorized access.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for other related events, such as \u003ccode\u003eDeleteNetworkAclEntry\u003c/code\u003e or \u003ccode\u003eReplaceNetworkAclEntry\u003c/code\u003e, which may indicate further tampering with network security configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-26T14:27:00Z","date_published":"2024-10-26T14:27:00Z","id":"/briefs/2024-10-aws-network-acl-created/","summary":"Detection of new Network ACL entries in AWS CloudTrail logs can indicate potential defense impairment or the opening of new attack vectors within an AWS account by an adversary.","title":"New AWS Network ACL Entry Creation Detected","url":"https://feed.craftedsignal.io/briefs/2024-10-aws-network-acl-created/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["credential-access","windows","active-directory"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eActive Directory Integrated DNS (ADIDNS) is a core component of AD DS, storing DNS zones as AD objects. 
The default permission settings allow any authenticated user to create DNS-named records. This creates an opportunity for attackers to perform Dynamic Spoofing attacks by monitoring LLMNR/NBT-NS requests and creating DNS-named records to target systems or specific services like WPAD. This attack can enable credential access by redirecting traffic through attacker-controlled systems, leading to the capture of sensitive information. This activity is detectable by monitoring Windows event code 5137 related to DNS record creation and filtering out legitimate system accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a domain-joined system, possibly through compromised credentials or phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker passively monitors LLMNR/NBT-NS broadcast traffic to identify systems being requested on the network.\u003c/li\u003e\n\u003cli\u003eUpon observing a request for a target system (e.g., WPAD), the attacker creates a DNS-named record in ADIDNS that resolves the target system\u0026rsquo;s name to an attacker-controlled IP address. 
This leverages the default ADIDNS permissions, which grant Authenticated Users the right to create child objects (records) in the zone. Because wpad and isatap are on the DNS server\u0026rsquo;s Global Query Block List by default, attackers frequently register a wildcard (*) record or the name of a host that clients request but that does not exist.\u003c/li\u003e\n\u003cli\u003eWhen a legitimate user attempts to access the target system, the DNS query resolves to the attacker\u0026rsquo;s IP address.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s traffic is redirected to the attacker\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the user\u0026rsquo;s credentials or other sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker may relay captured credentials to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves credential access and lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to intercept network traffic, steal credentials, and potentially gain unauthorized access to sensitive systems and data within the Active Directory domain. While the severity is low, it can be a stepping stone to further, more damaging attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Directory Service Changes\u0026rdquo; and add a SACL that audits object creation on the zone objects under \u003ccode\u003eCN=MicrosoftDNS\u003c/code\u003e; the audit subcategory alone does not produce event 5137 for objects that carry no auditing entry.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCreation of a DNS-Named Record\u003c/code\u003e to detect suspicious DNS record creation events, keeping in mind that its machine-account exclusion (names ending in \u003ccode\u003e$\u003c/code\u003e) also hides an attacker who registers records through a computer account they control.\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls on DNS record creation within Active Directory, for example by removing the \u0026ldquo;Create all child objects\u0026rdquo; right from Authenticated Users on each zone so that only DNS administrators and accounts that must register records (such as the DHCP server\u0026rsquo;s dynamic update credential) can do so, and leave the Global Query Block List enabled.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-22T12:00:00Z","date_published":"2024-05-22T12:00:00Z","id":"/briefs/2024-05-adidns-record-creation/","summary":"Detection of DNS record creation by non-system accounts within Active Directory Integrated DNS (ADIDNS), which attackers can abuse to 
perform Dynamic Spoofing attacks, potentially targeting services like WPAD for credential access.","title":"Suspicious DNS-Named Record Creation in Active Directory Integrated DNS","url":"https://feed.craftedsignal.io/briefs/2024-05-adidns-record-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["data-exfiltration","machine-learning","network-traffic"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert is triggered by a machine learning job, \u003ccode\u003eded_high_sent_bytes_destination_region_name_ea\u003c/code\u003e, that detects data exfiltration to unusual geographical regions based on network traffic patterns. The Data Exfiltration Detection integration, including Elastic Defend and Network Packet Capture, is required for this detection to function. This integration analyzes network and file events to identify abnormalities in data transfer volumes to different geographical locations, specifically by region name. Anomalous traffic patterns, particularly those involving high volumes of data being sent to regions outside the organization\u0026rsquo;s typical network activity, could indicate malicious actors attempting to exfiltrate sensitive data via command and control channels. This detection provides defenders with an early warning of potential data breaches. 
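The ADIDNS detection described in the preceding brief (event 5137 for a `dnsNode` object, minus machine accounts), as an added example that is not the cited Sigma rule: a Python pass over Security log events that pulls the record name out of the object DN, drops machine accounts and a short allowlist of service accounts, and raises the severity for the names that matter in a spoofing attack. Field names follow the EventData of event 5137 (`SubjectUserName`, `ObjectClass`, `ObjectDN`); the sample events, the zone name and the allowlist are constructed for this example.

```python
"""Flag ADIDNS record creation by non-system accounts from Windows Security event 5137.

Added example; not the Sigma rule the brief names. Sample events, the zone DN and the
service-account allowlist are constructed.
"""
import re

# Assumption: accounts that legitimately register records on behalf of other hosts,
# e.g. a DHCP server's dynamic-update credential. Machine accounts (name ends in $)
# register their own A/AAAA records and are excluded as the brief describes; note that an
# attacker who controls a computer account slips through this exclusion.
ALLOWED_ACCOUNTS = {"svc-dhcp"}

# wpad and isatap are on the DNS server's default Global Query Block List, so an attacker
# who cannot use them often registers a wildcard (*) record instead; all three deserve a
# higher severity than an ordinary host name.
HIGH_VALUE_NAMES = {"wpad", "isatap", "*"}

ZONE = "DC=corp.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example,DC=com"

# Constructed Security log events (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 5137, "SubjectUserName": "DC01$", "ObjectClass": "dnsNode", "ObjectDN": f"DC=dc01,{ZONE}"},
    {"EventID": 5137, "SubjectUserName": "jdoe", "ObjectClass": "dnsNode", "ObjectDN": f"DC=wpad,{ZONE}"},
    {"EventID": 5137, "SubjectUserName": "jdoe", "ObjectClass": "dnsNode", "ObjectDN": f"DC=*,{ZONE}"},
    {"EventID": 5137, "SubjectUserName": "jdoe", "ObjectClass": "dnsNode", "ObjectDN": f"DC=fileserver2,{ZONE}"},
    {"EventID": 5137, "SubjectUserName": "svc-dhcp", "ObjectClass": "dnsNode", "ObjectDN": f"DC=printer7,{ZONE}"},
    {"EventID": 5137, "SubjectUserName": "jdoe", "ObjectClass": "user",
     "ObjectDN": "CN=New User,CN=Users,DC=corp,DC=example,DC=com"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectClass": "dnsNode", "ObjectDN": f"DC=wpad,{ZONE}"},
]


def record_name(object_dn):
    """A dnsNode's own name is the first DC= RDN of its distinguished name."""
    match = re.match(r"DC=([^,]+)", object_dn)
    return match.group(1).lower() if match else None


def classify(event, allowed=ALLOWED_ACCOUNTS):
    """Return None when the event is out of scope or benign, else an alert dict."""
    if event.get("EventID") != 5137 or event.get("ObjectClass") != "dnsNode":
        return None                       # not a DNS record creation
    user = event.get("SubjectUserName", "")
    if user.endswith("$") or user.lower() in allowed:
        return None                       # machine account or known registrar
    name = record_name(event.get("ObjectDN", ""))
    return {
        "user": user,
        "record": name,
        "severity": "high" if name in HIGH_VALUE_NAMES else "low",
        "object_dn": event.get("ObjectDN"),
    }


def hunt(events):
    """Apply classify() to a batch of events and return only the alerts."""
    return [a for a in (classify(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["severity"], alert["user"], "created", alert["record"])
```

A low-severity hit (a human account registering an ordinary host name) is usually an administrator doing it by hand, but it is still the event to baseline, since the high-severity names only appear once an attacker has already picked a target.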
Version requirements: Elastic Stack version 9.4.0 or later is required to leverage the Entity Analytics (EA) fields.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a system within the network through various means, such as exploiting a vulnerability or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The attacker establishes a command and control (C2) channel to communicate with the compromised system.\u003c/li\u003e\n\u003cli\u003eData Collection: The attacker identifies and collects sensitive data from various sources within the network.\u003c/li\u003e\n\u003cli\u003eStaging: The collected data is staged in a temporary location, compressed, and potentially encrypted for exfiltration.\u003c/li\u003e\n\u003cli\u003eExfiltration: The attacker uses the C2 channel to transfer the staged data to an external location in an unusual geographic region.\u003c/li\u003e\n\u003cli\u003eEvasion: The attacker may attempt to obfuscate the data transfer by using techniques such as tunneling or encryption to avoid detection.\u003c/li\u003e\n\u003cli\u003eCleanup: The attacker may attempt to remove traces of their activity, such as deleting logs or files, to hinder investigation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful data exfiltration attack can result in the loss of sensitive information, including intellectual property, customer data, and financial records. The risk score for this rule is 21, which corresponds to its low severity: the anomaly is a lead to confirm, not evidence of a breach on its own. Detection of this activity allows security teams to quickly respond and mitigate the potential damage. 
Early detection helps prevent large-scale data breaches and minimizes the impact on the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure that the Data Exfiltration Detection integration assets are installed and properly configured, including Elastic Defend and Network Packet Capture (see Setup instructions in content).\u003c/li\u003e\n\u003cli\u003eReview the geo-location details flagged by the alert to determine if the region is indeed unusual for the organization\u0026rsquo;s typical network traffic patterns (see Triage and Analysis in content).\u003c/li\u003e\n\u003cli\u003eAnalyze the network traffic logs associated with the alert to identify the volume and type of data being transferred to the unusual region (see Triage and Analysis in content).\u003c/li\u003e\n\u003cli\u003eImplement geo-blocking measures to restrict data transfers to the identified unusual region, ensuring that only approved regions can communicate with the network (see Response and Remediation in content).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to detect processes initiating network connections to unusual regions based on the \u003ccode\u003eDestinationGeoRegion\u003c/code\u003e field.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-02T10:00:00Z","date_published":"2024-05-02T10:00:00Z","id":"/briefs/2024-05-data-exfiltration-unusual-region/","summary":"A machine learning job has detected potential data exfiltration activity to an unusual geographical region, specifically by region name, indicating exfiltration over command and control channels.","title":"Potential Data Exfiltration to Unusual Geographic Region via Machine 
Learning","url":"https://feed.craftedsignal.io/briefs/2024-05-data-exfiltration-unusual-region/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","data-exfiltration","machine-learning"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection leverages machine learning to identify unusual remote file sizes, a tactic often used during lateral movement. After gaining initial access, adversaries frequently aim to locate and exfiltrate valuable data. To avoid raising alarms with numerous small transfers, they may consolidate data into a single large file. This rule, built upon the Elastic Lateral Movement Detection integration, specifically uses the \u003ccode\u003elmd_high_file_size_remote_file_transfer_ea\u003c/code\u003e machine learning job. The integration requires the \u003ccode\u003ehost.ip\u003c/code\u003e field to be populated and Elastic Defend to be properly configured. This detection is critical for organizations seeking to identify and prevent data exfiltration attempts early in the attack lifecycle. The integration assets must be installed and file and Windows RDP process events collected by Elastic Defend.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains access to a host within the network, potentially through compromised credentials or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eDiscovery: The attacker performs reconnaissance to identify valuable data stores, network shares, and potential exfiltration targets.\u003c/li\u003e\n\u003cli\u003eCollection: The attacker gathers sensitive data from various sources within the compromised network. 
This data could include documents, databases, or other confidential information.\u003c/li\u003e\n\u003cli\u003eData Consolidation: To avoid detection, the attacker bundles the collected data into a single, large file. This could involve archiving, compression, or other methods of aggregation.\u003c/li\u003e\n\u003cli\u003eLateral Tool Transfer: The attacker uses remote services or tools to transfer the large file to a remote host within the network (T1570).\u003c/li\u003e\n\u003cli\u003eExfiltration Preparation: The attacker stages the large file on the remote host, preparing it for exfiltration outside the network.\u003c/li\u003e\n\u003cli\u003eExfiltration: The attacker initiates the transfer of the large file from the compromised network to an external destination, potentially using protocols like RDP.\u003c/li\u003e\n\u003cli\u003eCleanup: The attacker attempts to remove traces of the activity, such as deleting temporary files or logs, to avoid detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the exfiltration of sensitive data, potentially resulting in financial loss, reputational damage, and legal liabilities. The detection of unusual remote file sizes can help organizations identify and prevent data exfiltration attempts before they cause significant harm. Depending on the sensitivity of the exfiltrated data, the impact could range from minor inconvenience to a major security breach affecting thousands of individuals or customers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the \u003ccode\u003ehost.ip\u003c/code\u003e field is populated as required by the rule. 
For Elastic Defend versions 8.18 and above, verify that host IP collection is enabled following the provided \u003ca href=\"https://www.elastic.co/docs/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint#host-fields\"\u003ehelper guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInstall the Lateral Movement Detection integration assets, including the \u003ccode\u003elmd_high_file_size_remote_file_transfer_ea\u003c/code\u003e machine learning job. Follow the setup instructions detailed in the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003edocumentation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eReview and tune the anomaly threshold (\u003ccode\u003eanomaly_threshold = 70\u003c/code\u003e) of the machine learning job based on your environment\u0026rsquo;s baseline to reduce false positives.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit lateral movement, as suggested in the \u0026ldquo;Response and remediation\u0026rdquo; section of the rule documentation.\u003c/li\u003e\n\u003cli\u003eEnhance monitoring and logging for unusual file transfer activities and remote access attempts as stated in the rule documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-30T10:00:00Z","date_published":"2024-04-30T10:00:00Z","id":"/briefs/2024-04-30-unusual-remote-file-size/","summary":"A machine learning job has detected an unusually high file size shared by a remote host, indicating potential lateral movement as attackers bundle data into a single large file transfer to evade detection when exfiltrating valuable information.","title":"Unusual Remote File Size Indicating Lateral 
Movement","url":"https://feed.craftedsignal.io/briefs/2024-04-30-unusual-remote-file-size/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Github"],"_cs_severities":["low"],"_cs_tags":["defense-impairment","t1685","github"],"_cs_type":"advisory","_cs_vendors":["Github"],"content_html":"\u003cp\u003eThis alert detects when a GitHub user bypasses the push protection mechanism designed to prevent secrets from being committed to a repository. GitHub\u0026rsquo;s push protection, part of its secret scanning feature, blocks a push that contains a supported secret pattern such as an API key or credential before it reaches the repository. A bypass is a deliberate choice by the pusher, who must record a reason (false positive, used in tests, or will fix later) to proceed; it is not necessarily malicious, but it always deserves review because it places the secret into the repository history. The event is recorded in GitHub\u0026rsquo;s audit log; audit log streaming is required to forward it to a SIEM.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eDeveloper attempts to push code containing a secret to a GitHub repository.\u003c/li\u003e\n\u003cli\u003eGitHub\u0026rsquo;s push protection mechanism detects the secret and blocks the push.\u003c/li\u003e\n\u003cli\u003eThe developer intentionally bypasses the push protection by selecting a bypass reason. Unless the organization has enabled delegated bypass, which routes the request to a reviewer, any user who can push can do this without administrative rights.\u003c/li\u003e\n\u003cli\u003eThe code, including the secret, is successfully pushed to the repository.\u003c/li\u003e\n\u003cli\u003eThe secret becomes exposed within the repository\u0026rsquo;s history.\u003c/li\u003e\n\u003cli\u003eUnauthorized actors may discover the exposed secret by scanning the repository.\u003c/li\u003e\n\u003cli\u003eUnauthorized actors may use the exposed secret to gain unauthorized access to systems or data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful bypass of GitHub push protection can 
lead to secrets being exposed in a repository. This exposure can lead to unauthorized access to sensitive systems or data. The severity of the impact depends on the scope of access granted by the exposed secret, and the visibility of the repository.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable audit log streaming in GitHub to ensure relevant events are captured.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Github Push Protection Bypass Detected\u0026rdquo; to your SIEM and tune for your environment using GitHub audit logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected bypass events to determine the context and impact of the bypassed secret.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-29T12:00:00Z","date_published":"2024-04-29T12:00:00Z","id":"/briefs/2024-04-github-push-protection-bypass/","summary":"Detection of a GitHub user bypassing push protection, potentially leading to the exposure of secrets.","title":"GitHub Push Protection Bypass Detection","url":"https://feed.craftedsignal.io/briefs/2024-04-github-push-protection-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Bitbucket"],"_cs_severities":["low"],"_cs_tags":["attack.defense-impairment","attack.t1685"],"_cs_type":"advisory","_cs_vendors":["Atlassian"],"content_html":"\u003cp\u003eThe addition of a secret scanning allowlist rule to a Bitbucket project can be abused by malicious actors to bypass security controls. While not inherently malicious, this action can be exploited to weaken an organization\u0026rsquo;s security posture. Secret scanning tools are designed to prevent the accidental or intentional commit of sensitive information (API keys, passwords, etc.) into version control systems. By adding an allowlist rule, specific patterns or files can be excluded from these scans. 
This could be leveraged by an attacker who has gained access to a Bitbucket account or project to intentionally introduce secrets while avoiding detection. The activity is logged by Bitbucket\u0026rsquo;s audit logs, providing an opportunity for detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to a Bitbucket account with sufficient privileges to modify project settings.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the project settings within Bitbucket.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the secret scanning configuration for the project.\u003c/li\u003e\n\u003cli\u003eThe attacker adds a new allowlist rule, specifying a pattern or file to be excluded from secret scanning.\u003c/li\u003e\n\u003cli\u003eThe attacker commits code containing secrets that match the allowlist rule, effectively bypassing the secret scanning tool.\u003c/li\u003e\n\u003cli\u003eThe changes are pushed to the Bitbucket repository.\u003c/li\u003e\n\u003cli\u003eThe secrets remain undetected due to the allowlist rule.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the exposed secrets for further malicious activities, such as gaining access to other systems or data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to the exposure of sensitive information such as API keys, passwords, or other credentials. This can result in unauthorized access to internal systems, data breaches, and reputational damage. The number of affected projects depends on the scope of the attacker\u0026rsquo;s access and the configuration of the allowlist rule. 
The addition of the allowlist rule itself does not directly cause damage but creates a window of opportunity for the introduction and persistence of secrets within the codebase.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect the addition of secret scanning allowlist rules (logsource: bitbucket, service: audit).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of allowlist rule additions to verify their legitimacy and business justification.\u003c/li\u003e\n\u003cli\u003eReview and enforce strict access controls for Bitbucket projects to minimize the risk of unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eEnable \u0026ldquo;Basic\u0026rdquo; log level in Bitbucket to ensure that the audit events required for detection are captured, as indicated in the rule definition.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-29T12:00:00Z","date_published":"2024-04-29T12:00:00Z","id":"/briefs/2024-04-bitbucket-secret-scanning-allowlist/","summary":"An adversary may impair defenses by adding a secret scanning allowlist rule for Bitbucket projects, potentially allowing secrets to be committed and exposed.","title":"Bitbucket Project Secret Scanning Allowlist Added","url":"https://feed.craftedsignal.io/briefs/2024-04-bitbucket-secret-scanning-allowlist/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","rdp","elastic"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief addresses the potential for lateral movement within a network facilitated by an unusual spike in Remote Desktop Protocol (RDP) connections originating from a single source IP address. This activity is detected using an Elastic machine learning job designed to identify anomalies in network connection patterns. 
The rule \u0026ldquo;Spike in Number of Connections Made from a Source IP\u0026rdquo; leverages this ML job to flag instances where a single host initiates RDP connections to a significantly higher than normal number of distinct destination IPs, potentially indicating that an attacker is attempting to pivot and gain access to additional systems after compromising an initial foothold. This detection mechanism is available in Elastic Security 9.4.0 and later, with the Lateral Movement Detection integration assets installed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e An attacker gains initial access to a host within the network through methods such as phishing, exploiting a vulnerability, or credential theft.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEstablish Foothold:\u003c/strong\u003e The attacker establishes a foothold on the compromised system, potentially installing tools for reconnaissance and lateral movement.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInternal Reconnaissance:\u003c/strong\u003e The attacker performs internal reconnaissance to identify potential target systems accessible via RDP.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRDP Connection Attempts:\u003c/strong\u003e The attacker initiates RDP connections to a large number of internal IP addresses from the compromised host.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Harvesting:\u003c/strong\u003e The attacker attempts to harvest credentials from the targeted systems to gain further access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker successfully connects to additional systems using RDP, leveraging harvested or stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e On newly accessed systems, the attacker attempts to escalate privileges to 
gain administrative control.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObjective Completion:\u003c/strong\u003e With broader access and elevated privileges, the attacker achieves their objective, which may include data exfiltration, ransomware deployment, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf successful, this lateral movement can result in widespread compromise across the targeted network. A single compromised host can serve as a launching point to access sensitive data, critical systems, and ultimately, inflict significant damage. The \u0026ldquo;Spike in Number of Connections Made from a Source IP\u0026rdquo; rule aims to detect these lateral movement attempts early, minimizing potential damage. The impact of a successful attack could range from data breaches and financial losses to operational disruption and reputational damage, affecting organizations across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable host IP collection if using Elastic Defend (versions 8.18 and above), by following the configuration steps outlined in the Elastic documentation to ensure the \u003ccode\u003ehost.ip\u003c/code\u003e field is populated.\u003c/li\u003e\n\u003cli\u003eInstall the Lateral Movement Detection integration assets as described in the \u003ca href=\"https://docs.elastic.co/en/integrations/lmd\"\u003eofficial Elastic documentation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eReview and tune the false positive analysis steps within the detection rule\u0026rsquo;s documentation. 
Whitelist known administrative IPs or legitimate RDP usage patterns to minimize noise.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit RDP access to only necessary systems and users, reducing the attack surface as recommended in the rule\u0026rsquo;s response and remediation guidance.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-spike-in-rdp-connections/","summary":"A machine learning job detected a high count of destination IPs establishing RDP connections with a single source IP, indicating potential lateral movement attempts after initial compromise.","title":"Spike in Number of RDP Connections from a Single Source IP","url":"https://feed.craftedsignal.io/briefs/2024-01-spike-in-rdp-connections/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike Falcon","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["persistence","windows","netsh","registry"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe \u003ccode\u003enetsh.exe\u003c/code\u003e utility in Windows supports the addition of Helper DLLs to extend its functionality. An attacker can abuse this mechanism to establish persistence by adding a malicious DLL. When \u003ccode\u003enetsh.exe\u003c/code\u003e is executed, the malicious DLL is loaded and executed, allowing the attacker to run arbitrary code with the privileges of the user or process that initiated \u003ccode\u003enetsh.exe\u003c/code\u003e. This can be done by administrators or scheduled tasks, making it a stealthy and effective persistence technique. 
The registry key targeted by this technique is \u003ccode\u003eHKLM\\Software\\Microsoft\\netsh\\\u003c/code\u003e; each value under it names a helper and holds the DLL that \u003ccode\u003enetsh.exe\u003c/code\u003e will load, so that key is also the place to audit.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system through unspecified means.\u003c/li\u003e\n\u003cli\u003eAttacker creates a malicious DLL to be used as a Netsh Helper DLL.\u003c/li\u003e\n\u003cli\u003eAttacker, who needs administrative rights because the key lives under HKLM, registers the malicious DLL as a Netsh Helper DLL under \u003ccode\u003eHKLM\\Software\\Microsoft\\netsh\\\u003c/code\u003e, either by writing the registry value directly or with \u003ccode\u003enetsh add helper\u003c/code\u003e, which writes the same value.\u003c/li\u003e\n\u003cli\u003eThe system administrator or a scheduled task executes \u003ccode\u003enetsh.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enetsh.exe\u003c/code\u003e loads and executes the malicious DLL, granting the attacker code execution.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL performs its intended actions, such as establishing a reverse shell or deploying additional malware.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence on the system through the malicious Netsh Helper DLL.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish persistent access to a compromised system. This can lead to data theft, system compromise, and further malicious activities. 
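The registry monitoring this brief recommends, as an added example that is not the Sigma rule it names: a Python pass over Sysmon registry events (Event ID 13, value set) that keeps writes under `HKLM\SOFTWARE\Microsoft\NetSh` and grades each by what was written and by which process. Field names follow Sysmon's RegistryEvent (`Image`, `TargetObject`, `Details`). The baseline of helper DLL names and the sample events are constructed for this example; capture a real baseline from a clean host of the same Windows build before relying on it. Because `netsh add helper` runs through `netsh.exe`, the writing process alone is not a clean signal; the checks on the DLL value carry the weight.

```python
"""Flag Netsh helper registrations from Sysmon registry events (Event ID 13, value set).

Added example; not the Sigma rule the brief names. The helper baseline and the sample
events are constructed.
"""
import re

NETSH_KEY = re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\NetSh\\([^\\]+)$", re.IGNORECASE)

# Assumption: value data observed on a clean host. Built-in helpers are registered by
# bare file name and resolved from System32, so a full path or an unknown name stands out.
BASELINE_HELPERS = {"ifmon.dll", "rasmontr.dll", "dhcpcmonitor.dll", "fwcfg.dll",
                    "nshhttp.dll", "wshelper.dll"}

# Constructed Sysmon events (not real logs).
SAMPLE_EVENTS = [
    {   # value written by PowerShell, pointing at a DLL in a world-writable folder
        "EventID": 13, "EventType": "SetValue",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\NetSh\\updater",
        "Details": "C:\\Users\\Public\\updater.dll",
    },
    {   # same key written through netsh itself (netsh add helper); still not a known helper
        "EventID": 13, "EventType": "SetValue",
        "Image": "C:\\Windows\\System32\\netsh.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\NetSh\\helper1",
        "Details": "C:\\ProgramData\\helper1.dll",
    },
    {   # built-in helper re-registered during servicing
        "EventID": 13, "EventType": "SetValue",
        "Image": "C:\\Windows\\System32\\netsh.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\NetSh\\ifmon",
        "Details": "ifmon.dll",
    },
    {   # unrelated registry write, out of scope
        "EventID": 13, "EventType": "SetValue",
        "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Foo",
        "Details": "C:\\foo.exe",
    },
]


def assess(event, baseline=BASELINE_HELPERS):
    """Return None unless the event sets a value under the NetSh key; else a triage dict."""
    if event.get("EventID") != 13:
        return None
    match = NETSH_KEY.match(event.get("TargetObject", ""))
    if not match:
        return None
    helper = match.group(1)
    dll = event.get("Details", "").strip()
    writer = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    reasons = []
    if "\\" in dll or "/" in dll:
        reasons.append("DLL registered by path rather than a bare System32 file name")
    if dll.lower() not in baseline:
        reasons.append(f"{dll} is not a baseline helper")
    if writer != "netsh.exe":
        reasons.append(f"value written by {writer}, not netsh.exe")
    return {
        "helper": helper,
        "dll": dll,
        "writer": writer,
        "reasons": reasons,
        "verdict": "investigate" if reasons else "baseline",
    }


def hunt(events):
    """Apply assess() to a batch of Sysmon events and keep the NetSh key writes."""
    return [r for r in (assess(e) for e in events) if r is not None]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["verdict"], finding["helper"], "->", finding["dll"], "; ".join(finding["reasons"]))
```

When a hit comes back, the follow-up the brief asks for is on the DLL itself: signature, creation time relative to the registry write, and which process dropped it.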
While the risk score is low, the persistence mechanism can allow attackers to maintain a foothold for extended periods, increasing the potential for significant damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor registry modifications under the \u003ccode\u003eHKLM\\Software\\Microsoft\\netsh\\\u003c/code\u003e path for suspicious DLL additions using the \u0026ldquo;Netsh Helper DLL Registry Modification\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to collect the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by reviewing the DLL file properties, timestamps, and related processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-netsh-helper-dll/","summary":"Attackers may abuse the Netsh Helper DLL functionality by adding malicious DLLs to execute payloads every time the netsh utility is executed via administrators or scheduled tasks, achieving persistence.","title":"Netsh Helper DLL Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-netsh-helper-dll/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GitHub Actions"],"_cs_severities":["low"],"_cs_tags":["github","persistence","privilege-escalation","initial-access"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThis detection identifies the creation of new secrets within GitHub Actions. Threat actors may create or modify secrets to gain unauthorized access, establish persistence, or escalate privileges within the GitHub environment. The activity is captured via GitHub\u0026rsquo;s audit logs. The scope of this detection encompasses the creation of secrets at the organization, environment, codespaces, or repository level. 
Successful detection of this activity allows security teams to investigate potentially malicious modifications to GitHub Actions secrets, which could lead to supply chain compromise or data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a GitHub account, potentially through compromised credentials or phishing (T1078.004).\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the GitHub organization or repository.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the settings for the organization, environment, codespaces, or repository.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new secret within the GitHub Actions settings, using the GitHub API or web interface.\u003c/li\u003e\n\u003cli\u003eThe secret is stored within GitHub\u0026rsquo;s infrastructure, accessible to GitHub Actions workflows.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies or creates a GitHub Actions workflow that utilizes the newly created secret.\u003c/li\u003e\n\u003cli\u003eThe workflow executes, using the secret to perform privileged actions such as accessing sensitive data or deploying malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence or elevates their privileges within the GitHub environment, potentially compromising the entire software supply chain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, code injection, and supply chain compromise. The impact ranges from low, in cases where the secret is used for benign purposes, to critical if the secret is used to deploy malicious code into production environments. 
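The two GitHub briefs on this page (push protection bypass above, and Actions secret creation here) both key on audit log `action` names, so one added example serves both; it is not the Sigma rules they cite. The action names are the ones GitHub's audit log uses for these events (`secret_scanning_push_protection.bypass`, and the `org.`/`repo.`/`environment.create_actions_secret` and `codespaces.create_an_org_secret` family); verify them against your own log stream. The entries, actors, organization and repository names are constructed, and `created_at` is the audit log's epoch-millisecond timestamp. Beyond the single-event matches, the example correlates the two: an actor who bypasses push protection and then creates a secret within a day is the pattern worth a same-day review.

```python
"""Match and correlate GitHub audit-log events for push-protection bypasses and new secrets.

Added example, not the Sigma rules the briefs cite. Actors, org/repo names and the
entries themselves are constructed.
"""
from collections import defaultdict

BYPASS_ACTION = "secret_scanning_push_protection.bypass"
SECRET_CREATE_ACTIONS = {
    "org.create_actions_secret": "organization",
    "repo.create_actions_secret": "repository",
    "environment.create_actions_secret": "environment",
    "codespaces.create_an_org_secret": "codespaces",
}
HOUR_MS = 3_600_000

# Constructed audit-log entries (not real logs); created_at is epoch milliseconds.
SAMPLE_LOG = [
    {"action": "repo.push", "actor": "alice", "org": "acme", "repo": "acme/api", "created_at": 1_714_380_000_000},
    {"action": BYPASS_ACTION, "actor": "alice", "org": "acme", "repo": "acme/api", "created_at": 1_714_380_600_000},
    {"action": "repo.create_actions_secret", "actor": "alice", "org": "acme", "repo": "acme/api", "created_at": 1_714_384_200_000},
    {"action": "org.create_actions_secret", "actor": "bob", "org": "acme", "created_at": 1_714_390_000_000},
    {"action": BYPASS_ACTION, "actor": "carol", "org": "acme", "repo": "acme/web", "created_at": 1_714_300_000_000},
    {"action": "environment.create_actions_secret", "actor": "carol", "org": "acme", "repo": "acme/web", "created_at": 1_714_500_000_000},
]


def classify(entry):
    """Map one audit entry to an alert, or None if it is neither behaviour."""
    action = entry.get("action", "")
    if action == BYPASS_ACTION:
        kind, scope = "push_protection_bypass", "repository"
    elif action in SECRET_CREATE_ACTIONS:
        kind, scope = "secret_created", SECRET_CREATE_ACTIONS[action]
    else:
        return None
    return {
        "kind": kind,
        "scope": scope,
        "actor": entry.get("actor"),
        "target": entry.get("repo") or entry.get("org"),
        "ts": entry["created_at"],
    }


def correlate(entries, window_ms=24 * HOUR_MS):
    """Return (alerts, escalations).

    alerts: every single-event match, in log order.
    escalations: actors who created a secret within window_ms after bypassing push
    protection; each escalation names the scope and target of the secret.
    """
    alerts = [a for a in (classify(e) for e in entries) if a is not None]
    by_actor = defaultdict(list)
    for alert in alerts:
        by_actor[alert["actor"]].append(alert)

    escalations = []
    for actor, items in by_actor.items():
        bypasses = [a["ts"] for a in items if a["kind"] == "push_protection_bypass"]
        for a in items:
            if a["kind"] == "secret_created" and any(0 <= a["ts"] - b <= window_ms for b in bypasses):
                escalations.append({"actor": actor, "secret_scope": a["scope"], "target": a["target"]})
    return alerts, escalations


if __name__ == "__main__":
    found, escalated = correlate(SAMPLE_LOG)
    for a in found:
        print(a["kind"], a["actor"], a["scope"], a["target"])
    print("escalate:", escalated)
```

Organization-scoped secrets deserve the closest look regardless of correlation: a workflow in any repository the secret is shared with can read it, which is the supply-chain reach the brief describes.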
While the number of affected organizations is unknown, the potential for widespread impact across the software supply chain makes this a critical area for monitoring.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable GitHub audit log streaming to capture the events necessary for this detection (see \u003ccode\u003elogsource\u003c/code\u003e definition).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGithub New Secret Created\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the \u0026ldquo;actor\u0026rdquo; involved in creating the secret.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-github-secret-creation/","summary":"This analytic detects the creation of new GitHub Actions secrets at the organization, environment, codespaces, or repository level, potentially indicating malicious persistence or privilege escalation.","title":"Detection of New GitHub Actions Secrets Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-github-secret-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","command-and-control","windows","msxsl"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne"],"content_html":"\u003cp\u003eMsXsl.exe is a Windows utility designed to transform XML data using XSLT stylesheets. Adversaries are known to abuse this utility to execute malicious scripts, bypassing application control and other security measures. This behavior is often used as a defense evasion technique to download or execute malicious payloads. This activity has been observed since at least March 2020. 
The abuse of msxsl.exe allows attackers to establish command and control or exfiltrate sensitive data without being easily detected, as the tool is a signed Microsoft binary. This matters for defenders because it highlights the need to monitor legitimate system utilities for anomalous behavior, specifically network connections to external IP addresses.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages msxsl.exe to execute a malicious script.\u003c/li\u003e\n\u003cli\u003eMsxsl.exe initiates a network connection to an external IP address.\u003c/li\u003e\n\u003cli\u003eThe script downloads a malicious payload from the external server.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is executed on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a command and control channel through the network connection.\u003c/li\u003e\n\u003cli\u003eThe attacker performs data exfiltration via the established C2 channel.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems can be used for further malicious activities, including data theft, lateral movement, and deployment of additional malware. Successful exploitation can lead to sensitive data exfiltration, disruption of services, or complete system compromise. 
The low risk score does not represent impact, but instead reflects that the behavior is not always malicious, and may be a feature of normal software operation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon network connection logging to monitor msxsl.exe network activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Network Connection via MsXsl\u0026rdquo; to your SIEM and tune for your environment to detect suspicious network connections originating from msxsl.exe.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the destination IP address and the parent process of msxsl.exe.\u003c/li\u003e\n\u003cli\u003eWhitelist legitimate uses of msxsl.exe in your environment based on known good processes or applications to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T10:00:00Z","date_published":"2024-01-30T10:00:00Z","id":"/briefs/2024-01-msxsl-network-connection/","summary":"Msxsl.exe, a legitimate Windows utility, is being abused by adversaries to make network connections to non-local IPs for command and control or data exfiltration, potentially bypassing security measures.","title":"MsXsl.exe Network Connection for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-msxsl-network-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","Elastic Endgame","Sysmon"],"_cs_severities":["low"],"_cs_tags":["privilege-escalation","unquoted-service-path","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eUnquoted service paths in Windows can be exploited to escalate privileges. When a service path lacks quotes, Windows may execute a malicious executable placed in a higher-level directory. 
This detection rule identifies suspicious processes starting from common unquoted paths, like \u0026ldquo;C:\\Program.exe\u0026rdquo; or executables within \u0026ldquo;C:\\Program Files (x86)\\\u0026rdquo; or \u0026ldquo;C:\\Program Files\\\u0026rdquo;, signaling potential exploitation attempts. The rule aims to detect early stages of privilege escalation threats. This rule is designed for data generated by Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, Windows Security Event Logs, and CrowdStrike.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a service running with an unquoted path, such as \u0026ldquo;C:\\Program Files\\Unquoted Path Service\\Common\\Service.exe\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker places a malicious executable named \u0026ldquo;Program.exe\u0026rdquo; in \u0026ldquo;C:\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe operating system attempts to start the service \u0026ldquo;C:\\Program Files\\Unquoted Path Service\\Common\\Service.exe\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eDue to the unquoted path, the OS incorrectly parses the path and first attempts to execute \u0026ldquo;C:\\Program.exe\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe malicious \u0026ldquo;Program.exe\u0026rdquo; executes with the privileges of the service account.\u003c/li\u003e\n\u003cli\u003eThe malicious executable performs actions to escalate privileges, such as adding a user to the local administrators group.\u003c/li\u003e\n\u003cli\u003eThe attacker gains elevated access to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of an unquoted service path vulnerability can lead to complete system compromise, as the attacker gains the privileges of the service account. 
This can allow the attacker to install programs, view, change, or delete data, or create new accounts with full user rights. The impact is high, potentially leading to a loss of confidentiality, integrity, and availability of the affected system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview process executable paths to confirm if they match the patterns specified in the rule query, such as \u0026ldquo;?:\\Program.exe\u0026rdquo; or executables within \u0026ldquo;C:\\Program Files (x86)\\\u0026rdquo; or \u0026ldquo;C:\\Program Files\\\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Exploitation of an Unquoted Service Path Vulnerability\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging with Event ID 1 to activate the Sigma rules above.\u003c/li\u003e\n\u003cli\u003eConduct a thorough review of service configurations to identify and correct any unquoted service paths as part of remediation steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T10:00:00Z","date_published":"2024-01-29T10:00:00Z","id":"/briefs/2024-01-29-unquoted-service-path/","summary":"This rule detects potential exploitation of unquoted service path vulnerabilities, where adversaries may escalate privileges by placing a malicious executable in a higher-level directory within the path of an unquoted service executable.","title":"Potential Exploitation of an Unquoted Service Path Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-29-unquoted-service-path/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Office","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud 
Funnel","Crowdstrike"],"_cs_severities":["low"],"_cs_tags":["persistence","registry","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe \u0026ldquo;Office Test\u0026rdquo; registry key, located under \u003ccode\u003eHKCU\\Software\\Microsoft\\Office Test\\Special\\Perf\u003c/code\u003e, is a legitimate feature that allows specifying a DLL to be executed every time an MS Office application is started. Attackers can abuse this functionality by modifying the registry to point to a malicious DLL, achieving persistence on a compromised host. This allows for continued malicious activity even after a system restart or user logout. Elastic has published a rule to detect this behavior. The modification of this registry key, excluding deletions, is a strong indicator of potential abuse, and can be detected via endpoint detection and response (EDR) solutions as well as traditional Sysmon logging.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, often through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a foothold and escalates privileges to make necessary registry modifications.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eHKCU\\Software\\Microsoft\\Office Test\\Special\\Perf\u003c/code\u003e registry key, adding a new entry or modifying an existing one to point to a malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe attacker ensures the malicious DLL is present on the system, either by dropping it directly or using existing system tools to download it.\u003c/li\u003e\n\u003cli\u003eA user launches a Microsoft Office application (e.g., Word, Excel, PowerPoint).\u003c/li\u003e\n\u003cli\u003eThe Office application loads the DLL specified in the \u0026ldquo;Office Test\u0026rdquo; registry key during 
startup.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes its payload, which could include establishing a reverse shell, installing malware, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence, allowing them to regain access to the system each time an Office application is started.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to a compromised system. The injected DLL can be used to execute arbitrary code, potentially leading to data theft, malware installation, or further compromise of the network. The relatively low risk score suggests a common technique, but the potential for persistent access makes it a significant threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune for your environment to detect unauthorized modifications to the \u0026ldquo;Office Test\u0026rdquo; registry key (\u003ccode\u003eHKCU\\Software\\Microsoft\\Office Test\\Special\\Perf\\*\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Registry event logging to capture registry modifications and activate the Sigma rule above.\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for Office applications to detect if a suspicious DLL has been loaded or executed, as described in the investigation guide.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and alerting for similar registry modifications across the network, as described in the remediation steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-27T17:30:00Z","date_published":"2024-01-27T17:30:00Z","id":"/briefs/2024-01-office-test-registry-persistence/","summary":"Attackers modify the Microsoft Office 'Office Test' Registry key to achieve persistence by specifying a malicious DLL that executes upon application 
startup.","title":"Microsoft Office 'Office Test' Registry Persistence Abuse","url":"https://feed.craftedsignal.io/briefs/2024-01-office-test-registry-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["discovery","windows","group_policy"],"_cs_type":"advisory","_cs_vendors":["Microsoft","CrowdStrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eAttackers may leverage the \u003ccode\u003egpresult.exe\u003c/code\u003e utility, a built-in Windows tool, to gather information about Group Policy Objects (GPOs) within an Active Directory environment. This reconnaissance activity allows adversaries to understand the existing security policies, identify potential misconfigurations, and discover pathways for privilege escalation or lateral movement. The rule focuses on detecting the execution of \u003ccode\u003egpresult.exe\u003c/code\u003e with specific command-line arguments (\u003ccode\u003e/z\u003c/code\u003e, \u003ccode\u003e/v\u003c/code\u003e, \u003ccode\u003e/r\u003c/code\u003e, \u003ccode\u003e/x\u003c/code\u003e) commonly associated with malicious reconnaissance. This behavior is typically observed after an initial compromise, where the attacker is attempting to map out the network and identify valuable targets. 
This activity matters for defenders as it provides an early indicator of post-compromise activity and can help prevent further damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Windows system through methods such as phishing, exploiting vulnerabilities, or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003egpresult.exe\u003c/code\u003e from the command line or through a script.\u003c/li\u003e\n\u003cli\u003eThe attacker uses command-line arguments such as \u003ccode\u003e/z\u003c/code\u003e, \u003ccode\u003e/v\u003c/code\u003e, \u003ccode\u003e/r\u003c/code\u003e, or \u003ccode\u003e/x\u003c/code\u003e to request detailed information about Group Policy settings.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003egpresult.exe\u003c/code\u003e queries the Active Directory domain to retrieve GPO information applicable to the user or computer.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output of \u003ccode\u003egpresult.exe\u003c/code\u003e to identify security policies, user rights assignments, and other relevant configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies potential weaknesses in the GPO configuration, such as overly permissive user rights or insecure password policies.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to exploit identified weaknesses and escalate privileges or move laterally to other systems within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration, system compromise, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a comprehensive understanding of the target environment\u0026rsquo;s security posture, enabling attackers to identify and exploit weaknesses for privilege escalation and 
lateral movement. While the source does not specify a number of victims or sectors targeted, the impact of a successful attack can range from data breaches and financial losses to reputational damage and disruption of operations. The discovery of misconfigured group policies can open doors for attackers to compromise critical systems and data within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Group Policy Discovery via GPResult\u0026rdquo; to your SIEM to detect the execution of \u003ccode\u003egpresult.exe\u003c/code\u003e with suspicious parameters.\u003c/li\u003e\n\u003cli\u003eEnable Windows process creation logging to capture command-line arguments used with \u003ccode\u003egpresult.exe\u003c/code\u003e and other executables.\u003c/li\u003e\n\u003cli\u003eReview and harden Group Policy configurations to minimize the risk of exploitation by attackers.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u0026ldquo;Group Policy Discovery via GPResult\u0026rdquo; to determine the context and intent of the activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-gpresult-discovery/","summary":"Detects the execution of `gpresult.exe` with arguments `/z`, `/v`, `/r`, or `/x` on Windows systems, which attackers may use during reconnaissance to enumerate Group Policy Objects and identify opportunities for privilege escalation or lateral movement.","title":"Group Policy Discovery via Microsoft GPResult Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-gpresult-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud 
Funnel"],"_cs_severities":["low"],"_cs_tags":["persistence","browser-extension","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies the installation of browser extensions on Windows systems, which can be a sign of malicious activity. Threat actors may install malicious browser extensions through app store downloads disguised as legitimate extensions, social engineering tactics, or by directly compromising a system. These extensions can then be used for persistence, data theft, or other malicious purposes. The rule focuses on monitoring file creation events related to browser extension installations, specifically targeting the file paths and types associated with Firefox (.xpi) and Chromium-based browsers (.crx). It excludes known safe processes and extensions to reduce false positives. This detection is relevant for defenders because malicious browser extensions can provide a persistent foothold for attackers, allowing them to maintain access to compromised systems and user data. 
The rule is based on EQL and can be used with Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user\u0026rsquo;s system is compromised, potentially through social engineering or existing malware.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the system and attempts to install a malicious browser extension.\u003c/li\u003e\n\u003cli\u003eThe attacker drops the extension file (.xpi for Firefox, .crx for Chromium) into the appropriate browser extension directory (e.g., \u003ccode\u003eC:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\*\\\\Profiles\\\\*\\\\Extensions\\\\\u003c/code\u003e for Firefox or \u003ccode\u003eC:\\\\Users\\\\*\\\\AppData\\\\Local\\\\*\\\\*\\\\User Data\\\\Webstore Downloads\\\\\u003c/code\u003e for Chromium).\u003c/li\u003e\n\u003cli\u003eA file creation event is triggered as the extension file is created in the target directory.\u003c/li\u003e\n\u003cli\u003eThe detection rule identifies this file creation event based on the file name and path, filtering out known safe processes like firefox.exe.\u003c/li\u003e\n\u003cli\u003eThe malicious extension installs itself into the browser.\u003c/li\u003e\n\u003cli\u003eThe extension gains persistence by loading every time the browser starts.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform malicious actions such as monitoring browsing activity, stealing credentials, or injecting malicious content into web pages.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using malicious browser extensions can lead to persistent access to the compromised system, allowing attackers to steal sensitive information such as credentials, financial data, or personal information. This can result in financial loss, identity theft, and reputational damage. 
The installation of malicious extensions can also lead to the injection of malicious content into web pages, redirecting users to phishing sites or distributing malware. The scope of the impact can range from individual users to entire organizations, depending on the extent of the compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) logging to capture the necessary file creation events for this detection.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eBrowser Extension Install via File Creation\u003c/code\u003e to your SIEM and tune the exclusions for your specific environment.\u003c/li\u003e\n\u003cli\u003eReview and update the list of known safe processes and extensions in the Sigma rule \u003ccode\u003eBrowser Extension Install via File Creation\u003c/code\u003e to minimize false positives.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting policies to restrict the installation of unauthorized browser extensions.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks associated with installing browser extensions from untrusted sources and encourage them to only install extensions from official browser stores.\u003c/li\u003e\n\u003cli\u003eImplement policies to regularly review installed browser extensions across the organization.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-browser-extension-install/","summary":"This rule identifies the installation of potentially malicious browser extensions, which adversaries can leverage for persistence and unauthorized activity by monitoring file creation events in common browser extension directories on Windows systems.","title":"Detection of Malicious Browser Extension 
Installation","url":"https://feed.craftedsignal.io/briefs/2024-01-browser-extension-install/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","rdp","machine-learning"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief addresses the detection of unusually long Remote Desktop Protocol (RDP) sessions, identified by a pre-built Elastic machine learning job named \u003ccode\u003elmd_high_mean_rdp_session_duration_ea\u003c/code\u003e. Attackers can abuse RDP for lateral movement and maintaining persistence within a network. Extended RDP sessions can also be used to evade detection mechanisms. This detection leverages machine learning to identify deviations from normal RDP session durations, potentially indicating malicious activity. The detection rule has been available since October 2023, and the corresponding ML job is part of the Lateral Movement Detection integration, requiring Elastic Stack version 9.4.0 or later. 
The rule depends on the \u003ccode\u003ehost.ip\u003c/code\u003e field to be populated, which may require enabling host IP collection in Elastic Defend versions 8.18 and above.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network, possibly through phishing or exploiting a public-facing application.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages valid credentials or exploits a vulnerability to establish an RDP connection to a target system.\u003c/li\u003e\n\u003cli\u003eThe RDP session is maintained for an extended period, significantly longer than typical RDP sessions within the environment.\u003c/li\u003e\n\u003cli\u003eDuring the prolonged RDP session, the attacker performs reconnaissance, gathering information about the network and target systems.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems within the network, using the established RDP session as a persistent access point.\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious commands or transfers files, potentially installing malware or exfiltrating sensitive data.\u003c/li\u003e\n\u003cli\u003eThe unusually long RDP session duration helps the attacker to remain undetected and evade security measures.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft, system compromise, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and undetected lateral movement via prolonged RDP sessions can lead to significant data breaches, system compromise, and financial loss. The impact includes potential theft of sensitive information, disruption of business operations, and reputational damage. 
If an adversary establishes a persistent foothold via RDP, they can maintain long-term access to the compromised environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure \u003ccode\u003ehost.ip\u003c/code\u003e field is populated by enabling host IP collection if using Elastic Defend versions 8.18 and above, as described in the \u003ca href=\"https://www.elastic.co/docs/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint#host-fields\"\u003ehelper guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInstall and configure the Lateral Movement Detection integration in Kibana as described in the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003esetup guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eTune the machine learning job \u003ccode\u003elmd_high_mean_rdp_session_duration_ea\u003c/code\u003e by adjusting the \u003ccode\u003eanomaly_threshold\u003c/code\u003e based on your environment and RDP usage patterns.\u003c/li\u003e\n\u003cli\u003eInvestigate triggered alerts from the \u0026ldquo;High Mean of RDP Session Duration\u0026rdquo; rule following the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003etriage and analysis guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor Windows RDP process events collected by the \u003ca href=\"https://docs.elastic.co/en/integrations/endpoint\"\u003eElastic Defend\u003c/a\u003e integration for suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T18:10:00Z","date_published":"2024-01-24T18:10:00Z","id":"/briefs/2024-01-high-mean-rdp-session/","summary":"A machine learning job detected an unusually high mean of RDP session duration, indicative of potential lateral movement or persistent access attempts by adversaries abusing RDP.","title":"Unusually High Mean of RDP Session Duration Detected by Machine 
Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-high-mean-rdp-session/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["privileged-access-detection","privilege-escalation","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief addresses the potential for privilege escalation attempts on Windows systems, detected by Elastic\u0026rsquo;s Privileged Access Detection (PAD) integration. Specifically, a machine learning job identifies users accessing group names that are unusual for their typical behavior, especially those associated with elevated privileges. This activity, while potentially legitimate, can also signify malicious attempts to manipulate group memberships or escalate privileges. This detection relies on the \u003ccode\u003epad_windows_rare_group_name_by_user_ea\u003c/code\u003e machine learning job. The PAD integration requires Fleet and the Elastic Agent. While the source material does not specify an exact start date for this threat, the detection rule was initially created on 2025/02/18 and updated on 2026/04/01, suggesting ongoing relevance. 
The detection logic is designed to identify deviations from established user access patterns to identify abnormal activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (T1078):\u003c/strong\u003e An attacker gains initial access using valid accounts, potentially through compromised credentials or other means.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery (T1069):\u003c/strong\u003e The attacker performs permission group discovery to identify potential target groups for privilege escalation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Manipulation (T1098):\u003c/strong\u003e The attacker attempts to add the compromised account to a privileged group.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRegistry Modification:\u003c/strong\u003e The attacker modifies the registry settings to enable the newly acquired privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (T1068):\u003c/strong\u003e The attacker exploits vulnerabilities or misconfigurations to escalate their privileges further.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (T1098):\u003c/strong\u003e The attacker attempts to maintain elevated privileges by adding the compromised account to additional local or domain groups (T1098.007).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e With elevated privileges, the attacker moves laterally within the network, accessing sensitive resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration or System Damage:\u003c/strong\u003e The attacker achieves their final objective, which may include data exfiltration, ransomware deployment, or other forms of system damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromise resulting from this type of attack can lead to unauthorized access to sensitive data, 
system instability, and potentially significant financial losses. While the source does not specify the number of victims or specific sectors targeted, privilege escalation is a common tactic used in a wide range of attacks, making this a broadly applicable threat. A successful privilege escalation could allow the attacker to gain complete control over the targeted system and potentially the entire network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure that the Privileged Access Detection integration is installed and configured correctly in Elastic Security, including the \u003ccode\u003epad_windows_rare_group_name_by_user_ea\u003c/code\u003e machine learning job, as referenced in the \u003ccode\u003emachine_learning_job_id\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eEnable Windows event collection via Elastic Defend or the Windows integration within Fleet, as detailed in the Setup section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect attempts to add accounts to privileged groups and tune the rule based on your environment.\u003c/li\u003e\n\u003cli\u003eReview and update access control policies to ensure that only authorized users have access to sensitive group names and privileged operations, as mentioned in the Response and Remediation section.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for accessing sensitive group names to prevent unauthorized access, as recommended in the Response and Remediation section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-unusual-group-access/","summary":"A machine learning job detected a user accessing an uncommon group name for privileged operations, potentially indicating privilege escalation or unauthorized account manipulation on a Windows system.","title":"Unusual Group Name Accessed by User 
via Privileged Access Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-group-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","threat-detection","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies potential lateral movement by flagging spikes in the number of processes initiated during a single RDP session. The rule, based on an Elastic machine learning job named \u003ccode\u003elmd_high_sum_rdp_number_of_processes_ea\u003c/code\u003e, aims to uncover suspicious remote activity indicative of an attacker attempting to execute commands or deploy tools on a compromised host. This detection matters because RDP is a common vector for attackers to gain access to internal networks and subsequently move laterally. The detection leverages Windows RDP process events and file events collected by the Elastic Defend integration. Identifying anomalous process creation within RDP sessions can help defenders identify and respond to potential security incidents faster.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages valid credentials or exploits an RDP vulnerability to establish a remote session (T1021.001).\u003c/li\u003e\n\u003cli\u003eOnce connected via RDP, the attacker begins to execute a series of commands to enumerate the system and network.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to install malware or other malicious tools, triggering the creation of multiple processes.\u003c/li\u003e\n\u003cli\u003eThe machine learning job detects a significant increase in the number of processes started within the RDP session.\u003c/li\u003e\n\u003cli\u003eThe detection rule triggers, alerting analysts to the anomalous 
activity.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly installed tools to move laterally to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful lateral movement attack can lead to significant damage, including data breaches, system compromise, and financial loss. While the severity is low, a spike in RDP processes can be an early indicator of compromise. Attackers often use RDP to propagate through a network after gaining initial access, making this detection critical for preventing widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable host IP collection by following the configuration steps in the \u003ca href=\"https://www.elastic.co/docs/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint#host-fields\"\u003eElastic Defend documentation\u003c/a\u003e to ensure the \u003ccode\u003ehost.ip\u003c/code\u003e field is populated.\u003c/li\u003e\n\u003cli\u003eInstall the Lateral Movement Detection integration assets as described in the rule\u0026rsquo;s setup instructions to enable the machine learning job \u003ccode\u003elmd_high_sum_rdp_number_of_processes_ea\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview and tune the anomaly threshold to reduce false positives based on your organization\u0026rsquo;s typical RDP usage.\u003c/li\u003e\n\u003cli\u003eInvestigate RDP sessions flagged by this rule to identify the source of the process spike and potential malicious activity as described in the rule\u0026rsquo;s \u0026ldquo;Triage and Analysis\u0026rdquo; notes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T14:35:00Z","date_published":"2024-01-23T14:35:00Z","id":"/briefs/2024-01-rdp-process-spike/","summary":"A 
machine learning job has detected an unusually high number of processes started within a single Remote Desktop Protocol (RDP) session, potentially indicating lateral movement activity.","title":"Spike in Number of Processes in an RDP Session","url":"https://feed.craftedsignal.io/briefs/2024-01-rdp-process-spike/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender","Security Agent"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","windows","registry modification"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Trend Micro"],"content_html":"\u003cp\u003eAttackers commonly disable Windows Defender to evade detection and facilitate malicious activities. This involves modifying specific registry settings to either disable the service entirely or prevent it from starting automatically. The rule specifically identifies modifications to the \u003ccode\u003eDisableAntiSpyware\u003c/code\u003e and \u003ccode\u003eWinDefend\\\\Start\u003c/code\u003e registry keys. The DFIR Report has documented this technique in real-world incidents, highlighting its effectiveness in bypassing built-in security measures. 
This allows threat actors to operate with reduced risk of detection, enabling them to deploy malware, exfiltrate data, or perform other malicious actions without immediate interference from the endpoint security solution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, potentially through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to obtain the necessary permissions to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eHKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\u003c/code\u003e registry key to disable Windows Defender, setting its value to \u0026ldquo;1\u0026rdquo; or \u0026ldquo;0x00000001\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker modifies the \u003ccode\u003eHKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\u003c/code\u003e registry key to prevent the Windows Defender service from starting automatically. The attacker sets the value to \u0026ldquo;3\u0026rdquo; or \u0026ldquo;4\u0026rdquo; (or their hexadecimal equivalents \u0026ldquo;0x00000003\u0026rdquo;, \u0026ldquo;0x00000004\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker verifies that Windows Defender is disabled by checking the Security Center or attempting to run a scan.\u003c/li\u003e\n\u003cli\u003eWith Windows Defender disabled, the attacker proceeds to deploy malware or execute malicious commands without interference from the antivirus software.\u003c/li\u003e\n\u003cli\u003eThe attacker may further disable security settings and block security-related indicators.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf successful, this attack can lead to a complete compromise of the affected system. 
With Windows Defender disabled, the system becomes vulnerable to malware infections, data exfiltration, and other malicious activities. This can result in financial losses, data breaches, and reputational damage for the targeted organization. The lack of immediate detection allows attackers to establish persistence and expand their foothold within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Registry Modification to Disable Windows Defender\u0026rdquo; to your SIEM and tune for your environment to detect unauthorized changes to Windows Defender registry settings.\u003c/li\u003e\n\u003cli\u003eMonitor registry events for changes to the \u003ccode\u003eHKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\u003c/code\u003e and \u003ccode\u003eHKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\u003c/code\u003e registry keys using the provided log sources.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the process and user account responsible for the registry modifications.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-defender-registry-disable/","summary":"Attackers modify the Windows Defender registry settings to disable the service or set the service to be started manually, evading defenses.","title":"Windows Defender Disabled via Registry 
Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-defender-registry-disable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["defense-evasion","lolbins","windows","machine-learning"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert originates from an Elastic machine learning job named \u003ccode\u003eproblem_child_rare_process_by_parent_ea\u003c/code\u003e designed to detect Living off the Land (LotL) attacks on Windows systems. The model identifies processes spawned by parent processes that are statistically rare and have a high probability of being malicious based on the \u0026ldquo;ProblemChild\u0026rdquo; supervised learning model. This approach aims to uncover malicious activities that utilize legitimate system binaries (LOLbins) for nefarious purposes, effectively bypassing traditional signature-based detections. The alert relies on Windows process events collected by Elastic Defend or Winlogbeat with the LotL Attack Detection integration. 
This detection method becomes particularly important as attackers increasingly rely on existing tools to blend in with normal system activity and avoid raising suspicion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access via unspecified means (e.g., phishing, compromised credentials).\u003c/li\u003e\n\u003cli\u003eAttacker leverages a legitimate system binary (LOLbin) such as \u003ccode\u003epowershell.exe\u003c/code\u003e or \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe LOLbin is used to execute a malicious payload or script.\u003c/li\u003e\n\u003cli\u003eThe malicious process is spawned as a child process of the LOLbin.\u003c/li\u003e\n\u003cli\u003eElastic\u0026rsquo;s machine learning model identifies the child process as rare and potentially malicious based on its parent-child relationship and other features.\u003c/li\u003e\n\u003cli\u003eThe rare process executes malicious commands, possibly downloading further payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack utilizing LOLbins can lead to significant compromise, including data theft, system disruption, and further propagation within the network. The reliance on trusted system binaries makes these attacks difficult to detect with traditional methods, potentially allowing attackers to operate undetected for extended periods. 
The impact is directly correlated to the privileges of the initial compromised account and the effectiveness of lateral movement techniques employed by the attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure that the Living off the Land (LotL) Attack Detection integration is installed and configured correctly, along with either Elastic Defend or Winlogbeat, as described in the rule\u0026rsquo;s \u003ccode\u003esetup\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eReview the parent and child process names identified in the alert to determine if they are legitimate applications or associated with LOLbins, as detailed in the investigation guide within the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eInvestigate the command-line arguments used by the suspicious process for potentially malicious commands or scripts as described in the rule \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eTune the \u003ccode\u003eanomaly_threshold\u003c/code\u003e setting in the machine learning job configuration based on your environment\u0026rsquo;s baseline activity to reduce false positives, as described in the rule documentation.\u003c/li\u003e\n\u003cli\u003eImplement exceptions for legitimate administrative tools and software updates to reduce false positives, as mentioned in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-unusual-process-spawn/","summary":"A machine learning job detected a suspicious Windows process, predicted malicious by the ProblemChild model and flagged as an unusual child process name for its parent, potentially indicating LOLbins usage and evading traditional detection.","title":"Unusual Process Spawned by a Parent Process via Machine 
Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-process-spawn/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Okta"],"_cs_severities":["low"],"_cs_tags":["okta","identity","user-creation","credential-access"],"_cs_type":"advisory","_cs_vendors":["Okta"],"content_html":"\u003cp\u003eThis alert detects the creation of new user accounts within an Okta environment. While legitimate user creation is common, malicious actors may create accounts to gain unauthorized access to resources, escalate privileges, or establish persistence within the network. Monitoring for anomalous user creation activity, such as accounts created outside of normal business hours or with suspicious naming conventions, is crucial for identifying potential security breaches. Reviewing the source IP and administrator account used for the user creation can also provide valuable context.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Okta administrator account, potentially through phishing, credential stuffing, or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Okta admin portal.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the user management section within the Okta admin console.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new user account, potentially mimicking an existing user or using a generic naming convention.\u003c/li\u003e\n\u003cli\u003eThe attacker assigns the new user account specific roles and permissions, potentially granting elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the newly created account to access sensitive applications and data within the Okta-protected environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised or newly created account to maintain persistence within the Okta 
environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leading to unauthorized user creation can result in significant data breaches, privilege escalation, and unauthorized access to sensitive applications and resources. This could lead to financial loss, reputational damage, and compliance violations. The impact depends on the permissions granted to the created user and the applications they can access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;New Okta User Created\u0026rdquo; to your SIEM to detect user creation events and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected user creation events for legitimacy, focusing on the source IP address and the administrator account used.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Okta administrator accounts to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eReview Okta event logs regularly for suspicious activity, including user creation, permission changes, and application access.\u003c/li\u003e\n\u003cli\u003eEstablish baseline user creation patterns to identify anomalous behavior, such as accounts created outside of normal business hours.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-23-okta-user-created/","summary":"Detection of new user account creation in Okta, which could indicate malicious activity related to credential access.","title":"Okta User Account 
Created","url":"https://feed.craftedsignal.io/briefs/2024-01-23-okta-user-created/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","machine-learning","elastic"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies potential lateral movement within a network by flagging unusual remote file transfers to directories that are not commonly monitored. Attackers often leverage less scrutinized file paths to evade standard security measures and deploy malicious payloads. This detection relies on the \u0026ldquo;lmd_rare_file_path_remote_transfer_ea\u0026rdquo; machine learning job within Elastic Security, which analyzes file and Windows RDP process events to identify anomalous file transfers based on the destination directory. The detection is part of the Lateral Movement Detection integration and requires Elastic Defend and Fleet for full functionality. This is important for defenders because attackers will try to blend in with normal file transfer activity by using uncommon directories.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system within the network (e.g., via phishing or exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target host for lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a remote service (e.g., RDP, SMB) to connect to the target host.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to transfer malicious files to the target host.\u003c/li\u003e\n\u003cli\u003eInstead of using common directories like \u0026ldquo;C:\\Windows\\Temp\u0026rdquo; or \u0026ldquo;C:\\ProgramData\u0026rdquo;, the attacker chooses a less monitored directory to evade detection.\u003c/li\u003e\n\u003cli\u003eThe remote service is leveraged to perform the file transfer to the atypical 
directory.\u003c/li\u003e\n\u003cli\u003eThe transferred file is then executed, potentially leading to command execution or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective (e.g., data exfiltration, ransomware deployment) on the target host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data, compromise of critical systems, and potential disruption of business operations. Although this detection is rated as low severity, successful lateral movement can lead to significant damage. The number of affected hosts and the severity of the impact depend on the attacker\u0026rsquo;s objectives and the organization\u0026rsquo;s security posture. Lateral movement allows attackers to gain a deeper foothold within the network and increase the scope of their malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the \u003ccode\u003ehost.ip\u003c/code\u003e field is populated in Elastic Defend events by following the configuration steps in the \u003ca href=\"https://www.elastic.co/docs/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint#host-fields\"\u003eElastic documentation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInstall the Lateral Movement Detection integration assets as described in the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eTune the anomaly_threshold in the machine learning job configuration based on your environment\u0026rsquo;s baseline activity to minimize false positives, as mentioned in the rule\u0026rsquo;s configuration.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, paying close attention to the source and destination IP addresses, the user 
account involved, and the specific directory used for the file transfer as outlined in the \u003ca href=\"#triage-and-analysis\"\u003etriage and analysis section\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-22T12:00:00Z","date_published":"2024-01-22T12:00:00Z","id":"/briefs/2024-01-22-unusual-remote-file-directory/","summary":"An Elastic machine learning job detects anomalous remote file transfers to unusual directories, indicating potential lateral movement by attackers attempting to bypass standard security monitoring.","title":"Unusual Remote File Directory Lateral Movement Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-22-unusual-remote-file-directory/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows NT Domain"],"_cs_severities":["low"],"_cs_tags":["discovery","domain trust","lateral movement","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe \u003ccode\u003enltest.exe\u003c/code\u003e utility is a command-line tool used to manage and troubleshoot Windows NT domains. While legitimate domain administrators may use this utility for information gathering, adversaries can also abuse it to enumerate domain trusts and gain insight into trust relationships, which exposes the state of Domain Controller (DC) replication within a Windows NT Domain. This activity is more suspicious in environments with Windows Server 2012 and newer, where its usage is less common for legitimate purposes. 
Attackers can leverage this information to facilitate lateral movement and other malicious activities within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised host within the target environment.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enltest.exe\u003c/code\u003e with specific arguments such as \u003ccode\u003e/DOMAIN_TRUSTS\u003c/code\u003e, \u003ccode\u003e/DCLIST:*\u003c/code\u003e, \u003ccode\u003e/DCNAME:*\u003c/code\u003e, \u003ccode\u003e/DSGET*\u003c/code\u003e, \u003ccode\u003e/LSAQUERYFTI:*\u003c/code\u003e, \u003ccode\u003e/PARENTDOMAIN\u003c/code\u003e, or \u003ccode\u003e/BDC_QUERY:*\u003c/code\u003e to enumerate domain trusts.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enltest.exe\u003c/code\u003e utility queries the Active Directory to gather information about domain trusts, domain controllers, and other domain-related information.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output of \u003ccode\u003enltest.exe\u003c/code\u003e to identify trust relationships, domain controllers, and other relevant information about the domain infrastructure.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to map out potential lateral movement paths within the environment.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages discovered trust relationships to authenticate to other domains or resources.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems or domains, leveraging the discovered trust relationships and compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence and continues to perform malicious activities, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enumeration of domain trusts via 
\u003ccode\u003enltest.exe\u003c/code\u003e can provide attackers with valuable information to facilitate lateral movement and escalate privileges within a Windows NT Domain. This can lead to the compromise of sensitive data, disruption of critical services, and ultimately, a complete takeover of the affected environment. While the specific number of victims and sectors targeted are unknown, the impact can be significant for organizations relying on Active Directory for authentication and authorization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution for \u003ccode\u003enltest.exe\u003c/code\u003e with command-line arguments indicative of domain trust discovery, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003enltest.exe\u003c/code\u003e execution, especially when initiated by non-administrative users or from unusual locations, as identified by the Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the necessary process execution data for the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of \u003ccode\u003enltest.exe\u003c/code\u003e to authorized personnel only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-11T17:49:00Z","date_published":"2024-01-11T17:49:00Z","id":"/briefs/2024-01-nltest-domain-trust-discovery/","summary":"Adversaries may use the `nltest.exe` command-line utility to enumerate domain trusts and gain insight into trust relationships to facilitate lateral movement within a Microsoft Windows NT Domain.","title":"NLTEST.EXE Used for Domain Trust Discovery","url":"https://feed.craftedsignal.io/briefs/2024-01-nltest-domain-trust-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["persistence","execution","command-and-control","web 
shell","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule focuses on identifying potentially malicious activity stemming from Linux-based web servers. The rule is triggered when a web server process, such as Apache, Nginx, or others, initiates an outbound network connection to a destination port that is considered non-standard. This activity can signal the presence of a web shell, a malicious script uploaded to a web server to enable remote access and control. Attackers may exploit compromised web servers to establish covert communication channels, exfiltrate data, or launch further attacks on internal systems. The rule leverages data from Elastic Defend to monitor network connections and filter out legitimate traffic based on a predefined list of common ports and internal IP ranges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained via exploitation of a vulnerability in a web application or web server component running on a Linux system (e.g., through SQL injection or remote code execution).\u003c/li\u003e\n\u003cli\u003eA web shell is uploaded to the compromised web server, often disguised as a legitimate file or hidden within existing directories.\u003c/li\u003e\n\u003cli\u003eThe attacker interacts with the web shell through HTTP requests, using it as a command and control interface.\u003c/li\u003e\n\u003cli\u003eThe web shell executes commands on the server, initiating outbound network connections to non-standard ports.\u003c/li\u003e\n\u003cli\u003eThese connections may be used to communicate with external C2 servers, download additional payloads, or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the web shell to move laterally within the network, targeting other systems and services.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish persistence on the compromised server, ensuring 
continued access even after system reboots.\u003c/li\u003e\n\u003cli\u003eThe final objective is data theft, system compromise, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised web servers can lead to significant data breaches, system downtime, and reputational damage. While this rule triggers on low-severity behavior, successful exploitation can lead to complete system compromise. The number of affected systems depends on the scope of the initial vulnerability and the attacker\u0026rsquo;s ability to move laterally. Organizations in all sectors that rely on web-based applications are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect web server processes initiating connections to unusual destination ports and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend integration to collect the necessary network event data from Linux endpoints to activate the rule.\u003c/li\u003e\n\u003cli\u003eReview and customize the list of excluded destination ports and internal IP ranges in the Sigma rule to match your organization\u0026rsquo;s specific network configuration and legitimate traffic patterns.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule to determine if the activity is malicious or benign, focusing on the process name, user, destination IP, and destination port.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:28:00Z","date_published":"2024-01-09T18:28:00Z","id":"/briefs/2024-01-uncommon-web-server-port/","summary":"The rule identifies unusual outbound network connections on non-standard ports originating from web server processes on Linux systems, indicative of potential web shell activity or unauthorized communication.","title":"Uncommon Destination Port Connection by Web 
Server on Linux","url":"https://feed.craftedsignal.io/briefs/2024-01-uncommon-web-server-port/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["dga","command-and-control","machine-learning"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis brief describes a detection of potential DGA (Domain Generation Algorithm) activity identified by an Elastic machine learning job. DGAs are often used by malware for command and control (C2) communication, generating domain names dynamically to evade detection. The machine learning job, \u003ccode\u003edga_high_sum_probability_ea\u003c/code\u003e, analyzes DNS requests to identify source IP addresses that exhibit a high probability of DGA activity. This detection relies on the DGA Detection integration, which includes an ML-based framework to detect DGA activity in DNS events. The integration requires Fleet and DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. This activity matters for defenders because successful DGA-based C2 channels can allow malware to maintain communication and control even when individual malicious domains are blocked.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises a host within the network, potentially through unpatched vulnerabilities or social engineering.\u003c/li\u003e\n\u003cli\u003eMalware is deployed on the compromised host. 
This malware contains a DGA.\u003c/li\u003e\n\u003cli\u003eThe malware uses the DGA to generate a list of potential domain names.\u003c/li\u003e\n\u003cli\u003eThe compromised host initiates DNS requests to resolve the generated domain names.\u003c/li\u003e\n\u003cli\u003eThe DNS requests are sent to internal or external DNS servers.\u003c/li\u003e\n\u003cli\u003eThe machine learning job \u003ccode\u003edga_high_sum_probability_ea\u003c/code\u003e analyzes the DNS requests, specifically looking for source IPs with a high aggregate probability of generating DGA domains.\u003c/li\u003e\n\u003cli\u003eIf the anomaly score exceeds the threshold (70), an alert is triggered.\u003c/li\u003e\n\u003cli\u003eThe malware successfully establishes a C2 channel with a dynamically generated domain, enabling further malicious activities such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of DGA-based command and control can lead to persistent malware infections, data exfiltration, and further compromise of systems within the network. While the severity is rated low, the potential impact can escalate quickly if the C2 channel is used for more damaging activities. 
This detection focuses on identifying potential DGA activity, enabling security teams to investigate and prevent further damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the DGA Detection integration is installed and properly configured, including the machine learning job \u003ccode\u003edga_high_sum_probability_ea\u003c/code\u003e (references: \u003ca href=\"https://docs.elastic.co/en/integrations/dga\"\u003eElastic DGA Detection documentation\u003c/a\u003e, \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003eprebuilt ML jobs\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eVerify that DNS events are being collected by Elastic Defend, Network Packet Capture, or Packetbeat and that the data view used by the machine learning job includes these events (references: \u003ca href=\"https://docs.elastic.co/en/integrations/endpoint\"\u003eElastic Defend\u003c/a\u003e, \u003ca href=\"https://docs.elastic.co/integrations/network_traffic\"\u003eNetwork Packet Capture\u003c/a\u003e, \u003ca href=\"https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html\"\u003ePacketbeat\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eTune the anomaly threshold (currently 70) in the machine learning job based on your environment to reduce false positives and ensure timely detection of DGA activity.\u003c/li\u003e\n\u003cli\u003eReview and implement the triage and analysis steps outlined in the rule\u0026rsquo;s note section, focusing on identifying the source IP, analyzing DNS request patterns, and cross-referencing domains with threat intelligence feeds.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"/briefs/2024-01-dga-activity/","summary":"A machine learning job detected potential DGA (domain generation algorithm) activity indicative of malware command and control (C2) channels, 
identifying source IP addresses making DNS requests with a high probability of being DGA-generated, a technique used by adversaries to evade detection.","title":"Potential DGA Activity Detected by Machine Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-dga-activity/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Windows Defender Advanced Threat Protection","SupportAssistAgent","Obkio Agent","SolarWinds Agent","SecuraAgent"],"_cs_severities":["low"],"_cs_tags":["discovery","privilege-escalation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Dell","Obkio","SolarWinds","Infraon Corp"],"content_html":"\u003cp\u003eThis detection rule identifies instances where the SYSTEM account is used to execute account discovery utilities, such as \u003ccode\u003ewhoami.exe\u003c/code\u003e and \u003ccode\u003enet1.exe\u003c/code\u003e. This behavior is commonly observed after an attacker has successfully achieved privilege escalation within a Windows environment, or after exploiting a web application. The rule is designed to detect post-exploitation discovery activity where an adversary attempts to gain situational awareness by enumerating accounts and system information using the elevated SYSTEM context. The rule leverages data from Elastic Defend and Sysmon Event ID 1 to identify these behaviors, helping defenders spot potential privilege escalation and lateral movement attempts. 
The original rule was created 2020/03/18 and updated 2026/05/04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, potentially through exploiting a vulnerability in a web application or through phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to the SYSTEM account, possibly by exploiting a local privilege escalation vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewhoami.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e via the SYSTEM account to enumerate user accounts and gather system information.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewhoami.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e process is spawned by a parent process such as a web server process (e.g., w3wp.exe) or a service process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the discovered account information to plan further actions, such as lateral movement or credential theft.\u003c/li\u003e\n\u003cli\u003eThe attacker may use \u003ccode\u003enet1.exe\u003c/code\u003e to query domain information.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the gained information to identify valuable targets within the network.\u003c/li\u003e\n\u003cli\u003eThe final objective is often data exfiltration, deployment of ransomware, or further compromise of the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data, lateral movement within the network, and potential data exfiltration or ransomware deployment. Although this rule has low severity, the execution of discovery commands by the SYSTEM account can be a critical indicator of compromise. 
Early detection of such activity can prevent more severe damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect account discovery commands executed via the SYSTEM account and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to ensure the necessary data is available for detection.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the process execution chain to identify the source of the SYSTEM account usage.\u003c/li\u003e\n\u003cli\u003eIf the process tree includes a web-application server process, investigate suspicious file creation or modification to assess for webshell backdoors.\u003c/li\u003e\n\u003cli\u003eReview and harden web application security to prevent initial access and privilege escalation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T14:00:00Z","date_published":"2024-01-09T14:00:00Z","id":"/briefs/2024-01-09-system-account-discovery/","summary":"The rule identifies when the SYSTEM account uses an account discovery utility, potentially indicating discovery activity after privilege escalation, focusing on utilities like whoami.exe and net1.exe executed under the SYSTEM account.","title":"Account Discovery Command via SYSTEM Account","url":"https://feed.craftedsignal.io/briefs/2024-01-09-system-account-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["privileged-access","okta","group-lifecycle"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert identifies potential privileged access activity within Okta environments by detecting unusual spikes in group lifecycle change events. The activity is detected using Elastic\u0026rsquo;s Anomaly Detection feature. 
Adversaries may manipulate group structures to achieve privilege escalation, establish persistence, or move laterally within an organization. The anomaly detection job, \u003ccode\u003epad_okta_spike_in_group_lifecycle_changes_ea\u003c/code\u003e, monitors these changes. This activity matters because unauthorized group modifications can grant attackers elevated permissions, compromise sensitive data, and disrupt normal business operations. The detection is based on machine learning analysis of Okta logs collected via an integration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e An attacker gains initial access to a user account, possibly through credential theft or phishing (not directly observed, but a common precursor).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Enumeration:\u003c/strong\u003e The attacker enumerates existing groups and their memberships within the Okta environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eGroup Manipulation:\u003c/strong\u003e The attacker initiates unauthorized group lifecycle changes, such as adding or removing members, to escalate privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e By adding their compromised account to a privileged group (e.g., Okta administrators, application owners), the attacker gains elevated access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker leverages their newly acquired privileges to access other systems or applications within the organization\u0026rsquo;s network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker modifies group memberships to maintain persistent access even if their initial access is revoked (T1098.007).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Access/Exfiltration:\u003c/strong\u003e The 
attacker accesses sensitive data or resources that were previously inaccessible due to insufficient privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data, compromise of critical systems, and disruption of business operations. The number of victims and the scope of the impact depend on the level of access achieved by the attacker and the sensitivity of the compromised data. While the alert is low severity, the potential consequences of privilege escalation are significant, requiring prompt investigation and remediation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInvestigate triggered alerts by reviewing the specific group lifecycle change events that triggered the alert in Okta logs to identify which groups were altered and the nature of the changes.\u003c/li\u003e\n\u003cli\u003eExamine the user accounts associated with the changes to determine if they have a history of suspicious activity or if they have recently been granted elevated privileges using the provided investigation steps.\u003c/li\u003e\n\u003cli\u003eTune the machine learning job anomaly threshold \u003ccode\u003eanomaly_threshold\u003c/code\u003e in the rule configuration to reduce false positives based on your environment\u0026rsquo;s baseline.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-okta-group-lifecycle-spike/","summary":"A machine learning job has identified an unusual spike in Okta group lifecycle change events, indicating potential privilege escalation activity, where adversaries may be altering group structures to escalate privileges, maintain persistence, or facilitate lateral movement within an organization’s identity management system.","title":"Okta Group Lifecycle Change Spike Indicating Privilege 
Escalation","url":"https://feed.craftedsignal.io/briefs/2024-01-okta-group-lifecycle-spike/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["privileged-access","okta","machine-learning"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert leverages machine learning to identify deviations in IP usage patterns associated with privileged Okta operations, flagging unusual access attempts that could signify privilege escalation or account compromise. It identifies a user performing privileged operations in Okta from an uncommon source IP, potentially indicating account compromise, misuse of administrative privileges, or an attacker leveraging a new network location. The detection rule analyzes Okta logs, specifically focusing on events related to privileged operations and source IP addresses, to establish baseline behavior and detect anomalies. This detection is important because Okta controls access to many downstream applications, and any compromise of Okta privileges can lead to widespread data breaches. The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta. 
The minimum stack version is 9.4.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary gains initial access to a valid user account through phishing, credential stuffing, or other means (T1078, T1078.004).\u003c/li\u003e\n\u003cli\u003eThe adversary leverages the compromised account to authenticate to Okta, potentially bypassing or circumventing MFA.\u003c/li\u003e\n\u003cli\u003eThe adversary attempts to perform privileged operations within Okta, such as modifying user permissions, accessing sensitive applications, or changing security settings.\u003c/li\u003e\n\u003cli\u003eOkta logs record the privileged operation attempt, including the source IP address of the request.\u003c/li\u003e\n\u003cli\u003eThe machine learning job analyzes the source IP address and compares it to the user\u0026rsquo;s historical access patterns.\u003c/li\u003e\n\u003cli\u003eIf the source IP address is determined to be unusual or rare for the user, the machine learning job generates an anomaly.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;Unusual Source IP for Okta Privileged Operations Detected\u0026rdquo; rule triggers based on the anomaly score exceeding a predefined threshold (anomaly_threshold = 75).\u003c/li\u003e\n\u003cli\u003eLeft uninvestigated, the flagged activity can lead to account takeover, data exfiltration, or further privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive applications and data managed by Okta. This can result in data breaches, financial loss, reputational damage, and legal liabilities. Since Okta is a widely used identity management service, a compromise can impact numerous downstream applications and services that rely on Okta for authentication and authorization. 
The number of affected users and systems can vary depending on the scope of the privileged access and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInstall the Privileged Access Detection integration assets, as well as Okta logs collected by integrations such as Okta, as described in the \u0026ldquo;Setup\u0026rdquo; section of the rule to enable the machine learning job.\u003c/li\u003e\n\u003cli\u003eReview the source IP address flagged by the alert to determine its geolocation and assess if it aligns with the user\u0026rsquo;s typical access patterns or known locations, as described in the rule\u0026rsquo;s \u0026ldquo;Triage and analysis\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eTune the \u003ccode\u003eanomaly_threshold\u003c/code\u003e parameter in the machine learning job based on your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eCorrelate the flagged IP address with any known threat intelligence feeds to check for any history of malicious activity associated with it, as described in the rule\u0026rsquo;s \u0026ldquo;Triage and analysis\u0026rdquo; section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-okta-unusual-ip/","summary":"A machine learning job has identified a user performing privileged operations in Okta from an uncommon source IP, indicating potential privileged access activity indicative of account compromise or privilege escalation.","title":"Unusual Source IP for Okta Privileged Operations Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-okta-unusual-ip/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic 
Defend"],"_cs_severities":["low"],"_cs_tags":["execution","initial-access","defense-evasion","discovery"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAttackers are increasingly leveraging PDF reader applications as an initial access vector, exploiting vulnerabilities within these programs or using social engineering to trick users into opening malicious PDF documents. Upon successful exploitation, adversaries often spawn built-in Windows utilities from the compromised PDF reader process to perform reconnaissance, escalate privileges, or establish persistence. This activity is designed to blend in with normal system operations, making it difficult to detect without specific monitoring and detection rules. The targeted software commonly includes Adobe Acrobat, Adobe Reader, and Foxit Reader. Defenders should be vigilant for unexpected child processes of PDF readers, especially command-line interpreters and system administration tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user receives a malicious PDF document via phishing or other means.\u003c/li\u003e\n\u003cli\u003eThe user opens the PDF document using a vulnerable PDF reader application (e.g., Adobe Acrobat, Foxit Reader).\u003c/li\u003e\n\u003cli\u003eThe PDF document exploits a vulnerability or uses a malicious script to execute an arbitrary command.\u003c/li\u003e\n\u003cli\u003eThe PDF reader application spawns a command-line interpreter (e.g., cmd.exe, powershell.exe) or a system administration tool (e.g., reg.exe, net.exe).\u003c/li\u003e\n\u003cli\u003eThe spawned process executes commands to gather system information (e.g., ipconfig.exe, systeminfo.exe, whoami.exe).\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to discover network configuration, user accounts, or running processes.\u003c/li\u003e\n\u003cli\u003eThe attacker could leverage the spawned process to download and execute further 
payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the system and can proceed with lateral movement, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of PDF reader applications can lead to initial access, privilege escalation, and further compromise of the affected system. While individual incidents may have a low risk score, widespread exploitation can lead to significant data breaches, system downtime, and reputational damage. The use of legitimate system utilities for malicious purposes can make detection challenging, allowing attackers to operate undetected for extended periods.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture the execution of suspicious child processes (Sysmon Event ID 1, Windows Security Event Logs).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious PDF Reader Child Process\u0026rdquo; to your SIEM and tune for your environment to detect the execution of suspicious processes spawned by PDF reader applications.\u003c/li\u003e\n\u003cli\u003eMonitor for network connections originating from PDF reader applications to unusual or external IP addresses.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or unknown executables.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T18:45:00Z","date_published":"2024-01-04T18:45:00Z","id":"/briefs/2024-01-suspicious-pdf-child-process/","summary":"Adversaries may exploit PDF reader applications to execute arbitrary commands and establish a foothold within a system, often launching built-in utilities for reconnaissance and privilege escalation.","title":"Suspicious PDF Reader Child Process 
Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-pdf-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GitHub"],"_cs_severities":["low"],"_cs_tags":["github","repository","archive","unarchive","persistence","impact","defense-impairment"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of unauthorized changes to GitHub repository archive status. Attackers may archive or unarchive repositories as a means of persistence, to impact the availability of resources, or to impair defenses by hiding malicious code. The activity is logged within GitHub\u0026rsquo;s audit logs and can be monitored to identify potentially malicious actions. Monitoring these events can help organizations identify and respond to unauthorized modifications of their GitHub repositories. This is especially relevant for organizations relying heavily on GitHub for code management and collaboration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub account with repository administration privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the GitHub platform using the compromised credentials or a stolen session token.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the settings page of a target repository.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the repository\u0026rsquo;s archive status, either archiving or unarchiving it depending on their objective.\u003c/li\u003e\n\u003cli\u003eGitHub logs the \u0026lsquo;repo.archived\u0026rsquo; or \u0026lsquo;repo.unarchived\u0026rsquo; action in the organization\u0026rsquo;s audit logs.\u003c/li\u003e\n\u003cli\u003e(If archiving) Legitimate users may lose access to the repository and its code, causing disruption.\u003c/li\u003e\n\u003cli\u003e(If unarchiving) The attacker might 
reintroduce vulnerable code or malicious content into an active repository.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt to exploit the unarchived repository for further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of unauthorized repository archiving or unarchiving can range from temporary disruption of services to the reintroduction of vulnerable code. A successful attack could lead to data breaches, code compromise, or supply chain attacks. The number of affected repositories depends on the scope of the attacker\u0026rsquo;s access and objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;GitHub Repository Archive Status Changed\u0026rdquo; to your SIEM and tune for your environment. This rule detects the \u003ccode\u003erepo.archived\u003c/code\u003e and \u003ccode\u003erepo.unarchived\u003c/code\u003e actions in GitHub audit logs (logsource: github, service: audit).\u003c/li\u003e\n\u003cli\u003eReview GitHub audit logs regularly for unexpected repository archiving or unarchiving events.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected events to determine if the actions were authorized.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T15:00:00Z","date_published":"2024-01-04T15:00:00Z","id":"/briefs/2024-01-github-repo-archive-status-changed/","summary":"Detection of GitHub repository archiving or unarchiving events, which could indicate malicious activity such as persistence, impact, or defense impairment.","title":"GitHub Repository Archive Status 
Changed","url":"https://feed.craftedsignal.io/briefs/2024-01-github-repo-archive-status-changed/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","threat-detection","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert originates from a machine learning job designed to detect anomalous RDP session start times. RDP is a common vector for lateral movement, and attackers may initiate sessions during off-peak hours to evade detection. The machine learning model flags sessions started outside of normal business hours or on unusual weekdays. While not inherently malicious, this activity warrants investigation as it can be an early indicator of a broader attack. The rule is part of the Lateral Movement Detection (LMD) integration from Elastic, requires a minimum stack version of 9.4.0, and leverages Entity Analytics (EA) fields. The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events using Elastic\u0026rsquo;s Anomaly Detection feature.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through compromised credentials or a software vulnerability (not described in source).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages RDP to attempt lateral movement to other systems within the network.\u003c/li\u003e\n\u003cli\u003eThe RDP session is initiated at an unusual time or day, deviating from typical user behavior.\u003c/li\u003e\n\u003cli\u003eThe machine learning job detects this anomaly based on the unusual RDP session start time.\u003c/li\u003e\n\u003cli\u003eAn alert is triggered, flagging the potentially suspicious activity.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to access sensitive data or resources on the target 
system.\u003c/li\u003e\n\u003cli\u003eThe attacker could install malware or establish persistence mechanisms (not described in source).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful lateral movement attack can allow an attacker to gain access to sensitive data, compromise critical systems, and ultimately disrupt business operations. While the detection of an unusual RDP session is an early warning sign, it is critical to investigate these alerts promptly to prevent further escalation. If the suspicious RDP session is part of a broader attack, the impact could range from data theft to ransomware deployment. The lack of immediate action could lead to significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable host IP collection within Elastic Defend if using versions 8.18 and above, following the configuration steps in the \u003ca href=\"https://www.elastic.co/docs/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint#host-fields\"\u003ehelper guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eEnsure the Lateral Movement Detection integration assets are installed, as well as file and Windows RDP process events collected by the Elastic Defend integration, as mentioned in the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate all alerts generated by the \u0026ldquo;Unusual Time or Day for an RDP Session\u0026rdquo; rule, correlating the RDP session with other security events.\u003c/li\u003e\n\u003cli\u003eTune the anomaly threshold (currently 70) to reduce false positives while maintaining effective detection 
capabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:50:00Z","date_published":"2024-01-03T18:50:00Z","id":"/briefs/2024-01-unusual-rdp-session/","summary":"A machine learning job detected an RDP session initiated at an unusual time or day, potentially indicating lateral movement activity within a network.","title":"Unusual Time or Day for an RDP Session Detected by Machine Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-rdp-session/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["defense-evasion","masquerading","LOLbins","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies suspicious Windows processes exhibiting high malicious probability scores. The rule leverages machine learning to detect clusters of processes that may be indicative of defense evasion tactics, such as masquerading or the use of LOLbins (Living Off The Land Binaries). Specifically, a supervised ML model (ProblemChild) predicts whether a process is malicious, and an unsupervised ML model assesses the aggregate score of process clusters on a single host. The rule focuses on identifying unusual process clusters on a single host, indicating potential masquerading tactics for defense evasion. The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
It was last updated on 2026/04/01 and requires Elastic Stack version 9.4.0 or later.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the Windows host through various methods, such as exploiting vulnerabilities or using compromised credentials (not detailed in source).\u003c/li\u003e\n\u003cli\u003eExecution: The attacker executes a LOLBin (e.g., PowerShell, cmd.exe, mshta.exe) on the compromised host.\u003c/li\u003e\n\u003cli\u003eMasquerading: The attacker attempts to masquerade the malicious activity by naming or placing the LOLBin within a legitimate system folder.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker utilizes the LOLBin with specific command-line arguments designed to evade detection by traditional signature-based security solutions.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (Optional): The attacker may attempt to escalate privileges using further LOLBins or other techniques.\u003c/li\u003e\n\u003cli\u003eLateral Movement (Optional): The attacker may use the compromised host to move laterally to other systems within the network.\u003c/li\u003e\n\u003cli\u003eCommand and Control (Optional): The attacker may establish command and control (C2) communication with an external server to receive further instructions.\u003c/li\u003e\n\u003cli\u003eImpact: The attacker achieves their objective, such as data exfiltration, ransomware deployment, or system disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to various negative impacts, including data breaches, financial loss, and reputational damage. The rule is assigned a low severity because it is likely to serve as a supplemental detection alongside other rules. Lateral movement and exfiltration can also follow. 
There is no information available on the number of victims and specific sectors targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the Living off the Land (LotL) Attack Detection integration is installed and configured correctly, along with either Elastic Defend or Winlogbeat, to collect Windows process events as outlined in the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eReview the host name associated with the suspicious process cluster to determine if it is a critical asset or has a history of similar alerts as suggested in the investigation guide.\u003c/li\u003e\n\u003cli\u003eExamine the specific processes flagged by the ProblemChild supervised ML model to identify any known LOLbins or unusual command-line arguments that may indicate masquerading, per the investigation guide.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized or suspicious processes from executing in the future, as advised in the remediation steps.\u003c/li\u003e\n\u003cli\u003eTune the anomaly threshold of the machine learning job (\u003ccode\u003eproblem_child_high_sum_by_host_ea\u003c/code\u003e) to reduce false positives based on your environment\u0026rsquo;s specific characteristics and activity patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:00:00Z","date_published":"2024-01-03T18:00:00Z","id":"/briefs/2024-01-suspicious-windows-process/","summary":"A machine learning job combination has identified a host with one or more suspicious Windows processes that exhibit unusually high malicious probability scores, potentially indicating masquerading and defense evasion tactics.","title":"Suspicious Windows Process Cluster Detection via Machine 
Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-windows-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","Windows"],"_cs_severities":["low"],"_cs_tags":["discovery","account-discovery","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","Elastic"],"content_html":"\u003cp\u003eAttackers often perform reconnaissance activities within a compromised environment to understand the available resources and potential targets. This reconnaissance helps them plan subsequent actions, such as privilege escalation and lateral movement. This activity involves using built-in Windows utilities like \u003ccode\u003enet.exe\u003c/code\u003e and \u003ccode\u003ewmic.exe\u003c/code\u003e to enumerate administrator-related user accounts and groups. This information can reveal potential targets for credential compromise or other post-exploitation activities. Lower privileged accounts commonly perform this enumeration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enet.exe\u003c/code\u003e with arguments to list users and groups.\u003c/li\u003e\n\u003cli\u003eThe attacker filters the output for administrator-related keywords like \u0026ldquo;admin\u0026rdquo;, \u0026ldquo;Domain Admins\u0026rdquo;, \u0026ldquo;Enterprise Admins\u0026rdquo;, \u0026ldquo;Remote Desktop Users\u0026rdquo;, or \u0026ldquo;Organization Management\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker executes \u003ccode\u003ewmic.exe\u003c/code\u003e to query user accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output from \u003ccode\u003ewmic.exe\u003c/code\u003e to identify administrator accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies privileged accounts to target for 
credential theft or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the identified accounts to perform lateral movement or access sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enumeration of administrator accounts allows an attacker to identify high-value targets within the environment. This can lead to credential theft, privilege escalation, lateral movement, and ultimately, unauthorized access to sensitive data or systems. While the risk score is low, this activity serves as a precursor to more serious compromises.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003enet.exe\u003c/code\u003e and \u003ccode\u003ewmic.exe\u003c/code\u003e commands with arguments related to user and group enumeration using the Sigma rules provided.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of lower-privileged accounts executing these commands and filter out authorized administrative accounts performing the same actions.\u003c/li\u003e\n\u003cli\u003eEnable Windows process creation logging to capture the necessary events.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:14:00Z","date_published":"2024-01-03T17:14:00Z","id":"/briefs/2024-01-admin-recon/","summary":"Adversaries may execute the `net.exe` or `wmic.exe` commands to enumerate administrator accounts or groups, both locally and within the domain, to gather information for follow-on actions.","title":"Windows Account Discovery of Administrator 
Accounts","url":"https://feed.craftedsignal.io/briefs/2024-01-admin-recon/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["data-exfiltration","macos","airdrop"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies potential data exfiltration attempts via Apple\u0026rsquo;s Airdrop feature. A machine learning job monitors the volume of data transferred to external devices and flags unusual spikes. While Airdrop facilitates legitimate file sharing between Apple devices, it can be abused by malicious actors to exfiltrate sensitive data. This rule leverages the \u0026ldquo;ded_high_bytes_written_to_external_device_airdrop_ea\u0026rdquo; machine learning job and requires the Data Exfiltration Detection integration to be installed, along with network and file events collected by Elastic Defend and Network Packet Capture (for network events only). The rule is designed to detect anomalies in data transfer patterns, providing early warning of potential data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a macOS system within the target network.\u003c/li\u003e\n\u003cli\u003eAttacker identifies sensitive data stored on the compromised system.\u003c/li\u003e\n\u003cli\u003eAttacker uses Airdrop to initiate a transfer of the identified data to a nearby device.\u003c/li\u003e\n\u003cli\u003eThe receiving device is controlled by the attacker and configured to accept Airdrop transfers.\u003c/li\u003e\n\u003cli\u003eA large volume of data is transferred via Airdrop, triggering the machine learning detection.\u003c/li\u003e\n\u003cli\u003eThe data is received by the attacker, completing the exfiltration process.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to cover their tracks by deleting files or logs related to the Airdrop 
transfer.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the unauthorized disclosure of sensitive data. The impact depends on the nature of the exfiltrated data, potentially leading to financial loss, reputational damage, or legal repercussions. The severity is relatively low as it depends on the data being transferred.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInstall the Data Exfiltration Detection integration in Elastic, including the preconfigured anomaly detection jobs, as required by the rule setup instructions to enable the machine learning detection (Data Exfiltration Detection integration).\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the \u0026ldquo;Spike in Bytes Sent to an External Device via Airdrop\u0026rdquo; rule, focusing on identifying the involved device, user, and the nature of the transferred data (Spike in Bytes Sent to an External Device via Airdrop).\u003c/li\u003e\n\u003cli\u003eImplement additional monitoring on the affected device and similar devices to detect any further anomalous Airdrop activities, as mentioned in the response and remediation steps (Spike in Bytes Sent to an External Device via Airdrop).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"/briefs/2024-01-airdrop-exfiltration/","summary":"A machine learning job has detected a spike in bytes of data written to an external device via Airdrop, potentially indicating illicit data copying or transfer activities.","title":"Spike in Bytes Sent to an External Device via 
Airdrop","url":"https://feed.craftedsignal.io/briefs/2024-01-airdrop-exfiltration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["privileged-access-detection","machine-learning","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert originates from a machine learning job designed to detect anomalous command-line activity on Linux systems. Specifically, it focuses on identifying instances where privileged commands are executed with unusually high entropy. High entropy in command lines often signifies obfuscation, which threat actors use to mask their activities and evade detection. This rule leverages the Privileged Access Detection (PAD) integration from Elastic to identify these anomalies. The PAD integration requires Linux logs collected by Elastic Defend or Sysmon Linux. The detection logic analyzes command lines associated with privileged commands, flagging those with a high degree of randomness or complexity. This can indicate unauthorized use of valid accounts (T1078) or attempts at privilege escalation, especially if combined with defense evasion techniques (T1027) such as obfuscating commands. 
The rule and associated ML job have been in production since Feb 2025 and require Elastic Stack version 9.4.0 or higher.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux system, potentially through a compromised account or vulnerability exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies privileged commands they need to execute to achieve their objectives, such as gaining root access or modifying sensitive files.\u003c/li\u003e\n\u003cli\u003eTo evade detection, the attacker obfuscates their commands using techniques like encoding, compression, or complex string manipulation.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the obfuscated privileged commands via the command line.\u003c/li\u003e\n\u003cli\u003eElastic Defend or Sysmon Linux captures the command-line activity and logs it to Elasticsearch.\u003c/li\u003e\n\u003cli\u003eThe Privileged Access Detection ML job analyzes the command lines and calculates their entropy.\u003c/li\u003e\n\u003cli\u003eIf the entropy exceeds a predefined threshold, the ML job flags the activity as anomalous and generates an alert.\u003c/li\u003e\n\u003cli\u003eSecurity analysts investigate the alert to determine the nature of the suspicious activity and take appropriate action.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful privilege escalation can grant an attacker complete control over a Linux system, allowing them to steal sensitive data, install malware, or disrupt critical services. While this rule itself triggers on unusual command line activity, the underlying behavior could lead to a full system compromise. The number of potential victims is directly related to the scope of the Linux environment being monitored. 
Sectors commonly targeted by privilege escalation attacks include technology, finance, and government.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Privileged Access Detection integration and ensure that Linux logs from Elastic Defend or Sysmon Linux are being ingested (Setup section).\u003c/li\u003e\n\u003cli\u003eReview and tune the machine learning job \u003ccode\u003epad_linux_high_median_process_command_line_entropy_by_user_ea\u003c/code\u003e to minimize false positives based on your environment (False positive analysis section in rule).\u003c/li\u003e\n\u003cli\u003eCreate a case management workflow triggered by the \u0026ldquo;High Command Line Entropy Detected for Privileged Commands\u0026rdquo; rule to ensure alerts are promptly investigated.\u003c/li\u003e\n\u003cli\u003eImplement the remediation steps outlined in the investigation guide to contain and eradicate any confirmed malicious activity (Response and remediation section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"/briefs/2024-01-high-command-line-entropy/","summary":"A machine learning job has identified an unusually high median command line entropy for privileged commands executed by a user on Linux systems, suggesting possible privileged access activity through command lines, indicating potential obfuscation or unauthorized use of privileged access.","title":"High Command Line Entropy Detected for Privileged Commands on Linux","url":"https://feed.craftedsignal.io/briefs/2024-01-high-command-line-entropy/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","machine-learning","elastic"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis brief focuses on a detection rule from Elastic\u0026rsquo;s Lateral Movement Detection (LMD) integration that 
utilizes machine learning to identify unusual remote file transfers. The rule, \u0026ldquo;Unusual Remote File Extension,\u0026rdquo; is designed to detect anomalies in file transfers, specifically those involving rare file extensions, which could be indicative of lateral movement within a network. This rule leverages the \u003ccode\u003elmd_rare_file_extension_remote_transfer_ea\u003c/code\u003e machine learning job ID. The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. The rule operates by analyzing \u003ccode\u003ehost.ip\u003c/code\u003e and detecting anomalies in file transfers, where host IP collection needs to be enabled on Elastic Defend versions 8.18 and above.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems using remote services like RDP or SMB.\u003c/li\u003e\n\u003cli\u003eAs part of the lateral movement, the attacker transfers tools or files to the remote system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a rare or uncommon file extension for the transferred files, potentially to evade detection based on known file types.\u003c/li\u003e\n\u003cli\u003eThe file transfer occurs over the network, triggering file event logs on the source and destination systems.\u003c/li\u003e\n\u003cli\u003eElastic Defend, with host IP collection enabled, monitors these file events and forwards the data to the Elastic Security platform.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;Unusual Remote File Extension\u0026rdquo; machine learning job identifies the transfer of a file with a rare extension, comparing it against historical data.\u003c/li\u003e\n\u003cli\u003eIf the file extension is deemed anomalous based on its rarity, the 
rule triggers, indicating potential lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful lateral movement attack can allow an adversary to gain access to sensitive data, critical systems, or privileged accounts. By using uncommon file extensions, attackers attempt to bypass security measures that rely on identifying known file types. This can lead to undetected malware deployment, data exfiltration, or further compromise of the network. Though this rule is of low severity, it can provide an early warning signal to stop an attack before greater damage occurs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the \u003ccode\u003ehost.ip\u003c/code\u003e field within Elastic Defend configurations (versions 8.18 and above) to ensure proper data collection for the machine learning job.\u003c/li\u003e\n\u003cli\u003eInstall the Lateral Movement Detection integration assets within Kibana as per the provided setup instructions to activate the \u0026ldquo;Unusual Remote File Extension\u0026rdquo; rule.\u003c/li\u003e\n\u003cli\u003eTune the anomaly threshold of the machine learning job to reduce false positives, considering your organization\u0026rsquo;s typical file transfer patterns.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Remote File Extension Transfer\u0026rdquo; Sigma rule to identify file transfers with rare extensions using process creation logs.\u003c/li\u003e\n\u003cli\u003eReview the triage and analysis steps in the rule\u0026rsquo;s documentation to effectively investigate and respond to triggered alerts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-03-unusual-remote-file-extension/","summary":"An Elastic machine learning rule detects unusual remote file transfers with rare extensions, potentially indicating 
lateral movement activity on a host and suggesting adversaries bypassing security measures.","title":"Unusual Remote File Extension Detected via Machine Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-03-unusual-remote-file-extension/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["privileged-access-detection","privilege-escalation","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies unusual spikes in special privilege use events on Windows systems, leveraging machine learning to detect anomalies. The rule, designed for the Elastic platform, uses the \u0026ldquo;pad_windows_high_count_special_privilege_use_events_ea\u0026rdquo; machine learning job to identify deviations from established baselines of user behavior related to privileged operations. The rule focuses on events collected via the Elastic Defend and Windows integrations. A sudden increase in these events may signify an attempt to escalate privileges, execute unauthorized tasks, or maintain persistence within a system. 
By monitoring these anomalies, defenders can identify potential misuse of privileges and investigate suspicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, possibly through valid accounts (T1078).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges to gain higher-level access within the system (TA0004).\u003c/li\u003e\n\u003cli\u003eThis privilege escalation involves performing privileged operations or service calls.\u003c/li\u003e\n\u003cli\u003eThe attacker may use access token manipulation (T1134) to impersonate legitimate users or processes with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe system records these privileged operations as special privilege use events.\u003c/li\u003e\n\u003cli\u003eThe machine learning model detects a significant spike in these events compared to the user\u0026rsquo;s baseline behavior.\u003c/li\u003e\n\u003cli\u003eThe detection triggers an alert, indicating a potential security incident.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages elevated privileges to execute unauthorized tasks or maintain persistence (TA0005).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful privilege escalation attack can grant an attacker complete control over a compromised system. The attacker can then access sensitive data, install malware, or move laterally to other systems within the network. 
While this specific detection has a low severity, a successful attack could lead to significant data breaches, system downtime, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInstall the Privileged Access Detection integration assets, including the preconfigured anomaly detection jobs, as outlined in the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003esetup guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Windows event collection using Elastic Defend or the Windows integration to provide the necessary data for the machine learning job.\u003c/li\u003e\n\u003cli\u003eReview user accounts associated with spikes in special privilege use events, investigating whether the activity aligns with their normal behavior, as described in the investigation guide.\u003c/li\u003e\n\u003cli\u003eEscalate incidents with potential privilege escalation techniques to the security operations team for deeper investigation, referencing MITRE ATT\u0026amp;CK technique T1068.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-spike-privilege-use/","summary":"A machine learning job detected an unusual increase in special privilege usage events on Windows, such as privileged operations and service calls, potentially indicating unauthorized privileged access and privilege escalation attempts.","title":"Spike in Special Privilege Use Events","url":"https://feed.craftedsignal.io/briefs/2024-01-spike-privilege-use/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["data-exfiltration","machine-learning","endpoint"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis brief addresses a machine learning detection identifying anomalous data transfer volumes to external devices. 
The Elastic Data Exfiltration Detection integration includes a prebuilt machine learning job, \u003ccode\u003eded_high_bytes_written_to_external_device_ea\u003c/code\u003e, designed to detect spikes in data written to external devices. This behavior is considered anomalous because typical operational settings usually exhibit predictable patterns or ranges of data transfer to external storage. The detection is triggered when the amount of data written significantly deviates from the established baseline, potentially signaling unauthorized data copying or exfiltration attempts. This detection focuses on identifying abnormalities, providing an alert for investigation of possible illicit data transfer activities. The integration requires the Elastic Defend integration to collect file events.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system via compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses their access to locate and stage sensitive data for exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker connects an external storage device, such as a USB drive, to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a large data transfer operation, copying the staged data to the external device.\u003c/li\u003e\n\u003cli\u003eElastic Defend monitors file events and detects a significant increase in bytes written to the external device.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eded_high_bytes_written_to_external_device_ea\u003c/code\u003e machine learning job identifies the unusual data transfer volume.\u003c/li\u003e\n\u003cli\u003eAn alert is triggered based on the anomaly threshold defined in the Data Exfiltration Detection rule.\u003c/li\u003e\n\u003cli\u003eThe attacker removes the external device, completing the exfiltration of the sensitive 
data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exfiltration of data to external devices can lead to significant data breaches. The impact varies depending on the sensitivity and volume of the data stolen. This activity can result in financial losses, reputational damage, legal repercussions, and compromise of intellectual property. While the specific number of affected organizations is unknown, any organization that allows the use of external storage devices is potentially vulnerable. This issue poses a risk across various sectors, particularly those handling sensitive data, such as finance, healthcare, and technology.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInstall the Data Exfiltration Detection integration and configure the preconfigured anomaly detection jobs as described in the rule\u0026rsquo;s setup instructions.\u003c/li\u003e\n\u003cli\u003eReview and tune the \u003ccode\u003eanomaly_threshold\u003c/code\u003e (currently set to 75) based on your environment\u0026rsquo;s baseline data transfer patterns to reduce false positives.\u003c/li\u003e\n\u003cli\u003eDeploy endpoint detection and response (EDR) solutions to enhance visibility and control over data movements to external devices as mentioned in the \u0026ldquo;Response and remediation\u0026rdquo; section of the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eCreate exceptions for known backup operations, software updates, and data archiving processes that may trigger false positives, referencing the \u0026ldquo;False positive analysis\u0026rdquo; section of the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement additional monitoring on similar devices and network segments to detect any further anomalous data transfer activities, based on the rule\u0026rsquo;s description and 
\u0026ldquo;Response and remediation\u0026rdquo; section of the \u003ccode\u003enote\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-exfiltration-ml-high-bytes/","summary":"A machine learning job has detected high bytes of data written to an external device, potentially indicating illicit data copying or transfer activities leading to data exfiltration over a physical medium such as USB.","title":"Machine Learning Detects High Bytes Written to External Device","url":"https://feed.craftedsignal.io/briefs/2024-01-exfiltration-ml-high-bytes/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","OneDrive","Chrome","Opera","Fiddler","PowerToys","Vivaldi","Zen Browser","WaveBrowser","MicrosoftEdgeCP"],"_cs_severities":["low"],"_cs_tags":["command-and-control","webservice","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Google","BraveSoftware","Opera","Vivaldi","Wavesor Software","Discord","Telegram","Facebook","Trello","GitHub","Supabase"],"content_html":"\u003cp\u003eThis detection rule, sourced from Elastic, identifies potential command and control (C2) activity by detecting connections to commonly abused web services. Adversaries often leverage popular web services like pastebin, GitHub, Dropbox, and Discord to mask malicious communications within legitimate network traffic. This technique makes it challenging for defenders to distinguish between normal user activity and malicious C2 traffic. The rule focuses on Windows systems and monitors DNS queries to identify processes communicating with a predefined list of services known to be abused by attackers. The rule was last updated on 2026-05-04 and is designed to work with data from Elastic Defend and SentinelOne Cloud Funnel. 
The goal is to identify anomalous network connections originating from unusual processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user on a Windows host unknowingly executes a malicious file (e.g., via phishing or drive-by download).\u003c/li\u003e\n\u003cli\u003eThe malicious file executes a process outside of typical program directories (e.g., \u003ccode\u003eC:\\Windows\\Temp\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThis process initiates a DNS query to a domain associated with a commonly abused web service (e.g., \u003ccode\u003epastebin.com\u003c/code\u003e, \u003ccode\u003egithubusercontent.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe DNS query resolves to an IP address, and a network connection is established to the web service.\u003c/li\u003e\n\u003cli\u003eThe malicious process uploads or downloads data from the web service, potentially containing commands for the compromised host or exfiltrated data.\u003c/li\u003e\n\u003cli\u003eThe web service acts as an intermediary, relaying commands from the attacker to the compromised host or exfiltrated data from the compromised host to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the C2 channel to perform further actions on the compromised host, such as lateral movement or data theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using common web services for C2 can lead to data exfiltration, system compromise, and further propagation within the network. The low severity suggests a focus on detecting early-stage C2 activity, which if left unchecked, could escalate into a significant incident. 
The usage of popular web services makes detection difficult, requiring careful analysis and tuning to avoid false positives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Connection to Commonly Abused Web Services\u0026rdquo; to your SIEM and tune it for your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon DNS query logging to accurately capture DNS requests for improved detection capabilities, activating the \u0026ldquo;DNS Query to Commonly Abused Web Services\u0026rdquo; rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the process execution chain and network connections to determine the legitimacy of the activity, referencing the investigation steps described in the rule documentation.\u003c/li\u003e\n\u003cli\u003eReview and update the list of excluded processes in the Sigma rule to reflect your organization\u0026rsquo;s approved software and reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-common-web-services-c2/","summary":"This rule detects command and control (C2) communications that use common web services to hide malicious activity on Windows hosts by identifying network connections to commonly abused web services from processes outside of known legitimate program locations, indicating potential exfiltration or C2 activity blended with legitimate traffic.","title":"Detection of Command and Control Activity via Common Web Services","url":"https://feed.craftedsignal.io/briefs/2024-01-common-web-services-c2/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GitHub 
Actions"],"_cs_severities":["low"],"_cs_tags":["github","self-hosted-runner","audit-log","devops","supply-chain"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting changes to self-hosted runner configurations within GitHub environments. Self-hosted runners are systems deployed and managed by users to execute jobs from GitHub Actions, providing flexibility and control over the execution environment. Monitoring these runners is crucial because unauthorized modifications can lead to various malicious activities, including data collection, persistence, privilege escalation, or even initial access. The rule provided detects such changes based on audit logs, requiring administrators to validate the changes through the GitHub UI for complete context. Detecting these modifications early can help prevent or mitigate potential security breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub organization or repository with permissions to manage self-hosted runners. 
This could be achieved through compromised credentials (T1078.004) or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the configuration of an existing self-hosted runner group or creates a new runner group (org.runner_group_created).\u003c/li\u003e\n\u003cli\u003eThe attacker adds or removes runners from a runner group (org.runner_group_runners_added, org.runner_group_runner_removed, org.runner_group_updated).\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker registers a new self-hosted runner within the environment (repo.register_self_hosted_runner).\u003c/li\u003e\n\u003cli\u003eThe attacker removes an existing self-hosted runner from the environment (repo.remove_self_hosted_runner, org.remove_self_hosted_runner).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised runner or runner group to execute malicious code within the GitHub Actions workflow, potentially collecting sensitive data or escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised runner to establish persistence within the GitHub environment, ensuring continued access.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the compromised runner to gain initial access to other systems or networks connected to the GitHub environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised self-hosted runners can lead to a range of impacts, including data exfiltration, code injection, and privilege escalation within the targeted GitHub environment. Successful attacks could result in unauthorized access to sensitive repositories, modification of code, or deployment of malicious software. The impact can vary depending on the scope of the compromised runner and the permissions associated with it. 
The effects could extend beyond the GitHub environment if the compromised runner has access to other systems or networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eGet the GitHub audit log into your SIEM, through audit log streaming or by collecting it from the audit log API, so that the runner and runner-group events listed in the attack chain reach the logsource the rule expects.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Github Self Hosted Runner Changes Detected\u0026rdquo; to your SIEM and tune for your specific environment to detect suspicious configuration changes.\u003c/li\u003e\n\u003cli\u003eValidate every detected change in the GitHub UI: confirm that the actor, the runner or runner group involved and the repositories the group is granted to match an approved change.\u003c/li\u003e\n\u003cli\u003eRestrict the ability to manage self-hosted runners and runner groups to the smallest set of organization administrators and require two-factor authentication for those accounts, since the chain above starts with a compromised credential. Do not attach self-hosted runners to public repositories, where a pull request from a fork can run workflow code on them.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-github-runner-changes/","summary":"Detection of changes to self-hosted runner configurations in GitHub environments can indicate potential impact, discovery, collection, persistence, privilege escalation, initial access, or stealth activities.","title":"GitHub Self-Hosted Runner Configuration Changes Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-github-runner-changes/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["persistence","user-account-creation","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers may create new accounts (both local and domain) to maintain access to victim systems. 
This rule identifies the usage of \u003ccode\u003enet.exe\u003c/code\u003e to create new accounts on Windows systems. The detection logic focuses on process execution events where \u003ccode\u003enet.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e are executed with arguments indicative of user creation, specifically the \u0026lsquo;user\u0026rsquo; argument in conjunction with either the \u0026lsquo;/ad\u0026rsquo; or \u0026lsquo;/add\u0026rsquo; flags. While account creation is a common administrative task, suspicious executions, especially those initiated by unusual parent processes or accounts, warrant further investigation. This rule is designed for data generated by Elastic Defend but also supports third-party data sources like CrowdStrike, Microsoft Defender XDR, and SentinelOne Cloud Funnel, enhancing its applicability across various security environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means, such as exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker opens a command prompt or PowerShell session.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003enet.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e to create a new user account. The command includes the \u003ccode\u003euser\u003c/code\u003e argument along with \u003ccode\u003e/add\u003c/code\u003e or \u003ccode\u003e/ad\u003c/code\u003e flags. 
For example: \u003ccode\u003enet user \u0026lt;username\u0026gt; \u0026lt;password\u0026gt; /add\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker may add the newly created user to privileged groups, such as \u003ccode\u003eAdministrators\u003c/code\u003e (\u003ccode\u003enet localgroup Administrators \u0026lt;username\u0026gt; /add\u003c/code\u003e) or \u003ccode\u003eDomain Admins\u003c/code\u003e, to elevate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the new account to move laterally within the network, accessing sensitive data or systems.\u003c/li\u003e\n\u003cli\u003eThe attacker keeps the account as a fallback credential that survives removal of the original implant, for example by running a service or scheduled task under it.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, lateral movement within the network, and long-term persistence on compromised systems. The impact is often determined by the privileges assigned to the newly created account. If the attacker adds the account to the \u003ccode\u003eAdministrators\u003c/code\u003e group, they can effectively take full control of the affected system. 
In a domain environment, creating a domain account can lead to wider compromise across the entire network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process-creation logging that captures the command line (Sysmon Event ID 1, or Security Event ID 4688 with the policy to include the command line in process creation events turned on); without the arguments the rules below have nothing to match.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003enet.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e creating user accounts, especially when initiated by unusual parent processes. Expect the same command to appear twice, because \u003ccode\u003enet.exe\u003c/code\u003e hands most operations to \u003ccode\u003enet1.exe\u003c/code\u003e; treat the pair as one action.\u003c/li\u003e\n\u003cli\u003eMonitor for newly created accounts being added to privileged groups. Security Event IDs 4720 (account created) and 4732 or 4728 (member added to a local or global security group) record this regardless of the tool used, which also covers accounts created through PowerShell or the API that this \u003ccode\u003enet.exe\u003c/code\u003e rule cannot see.\u003c/li\u003e\n\u003cli\u003eReview the triage and analysis steps in the rule\u0026rsquo;s original documentation for guidance on investigating and responding to potential incidents.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-user-account-creation/","summary":"This rule identifies attempts to create new users on Windows systems using net.exe, a common tactic used by attackers to increase access or establish persistence.","title":"Windows User Account Creation via Net.exe","url":"https://feed.craftedsignal.io/briefs/2024-01-user-account-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MSBuild"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","privilege-escalation","process-injection"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Microsoft Build Engine (MSBuild) is a platform for building applications, commonly used in software development environments. Adversaries abuse MSBuild to perform process injection, a technique to execute malicious code within the address space of another process. 
This allows attackers to evade detection and potentially escalate privileges. The detection focuses on monitoring for thread creation in other processes by instances of MSBuild.exe. This activity is considered unusual outside of legitimate software development or build environments. Running attacker-supplied code through MSBuild is catalogued as T1127.001 (Trusted Developer Utilities Proxy Execution: MSBuild); the injection itself falls under T1055 (Process Injection).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means (e.g., compromised credentials, software vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes MSBuild.exe, either directly or through another process.\u003c/li\u003e\n\u003cli\u003eMSBuild.exe is used to load a malicious project file whose inline task, compiled at build time, runs arbitrary code.\u003c/li\u003e\n\u003cli\u003eThat code opens a target process, writes a payload into its memory and then calls the Windows API to create a thread in the target that starts at the payload.\u003c/li\u003e\n\u003cli\u003eThe injected code executes within the context of the target process, so subsequent activity is attributed to that process rather than to MSBuild.exe.\u003c/li\u003e\n\u003cli\u003eThese activities could include lateral movement, data exfiltration, or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful process injection can lead to a variety of malicious outcomes, including privilege escalation, data theft, and system compromise. MSBuild.exe is not itself vulnerable: it ships with the .NET Framework and is present on most Windows hosts, so the technique is available wherever an attacker can run it, not only on developer machines. The use of a trusted Microsoft utility like MSBuild makes detection more difficult, as it can blend in with legitimate developer activity. 
This can lead to prolonged compromise and significant damage before the malicious activity is detected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation and CreateRemoteThread logging (event IDs 1 and 8) to detect the malicious activity described in the attack chain.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Process Injection by the Microsoft Build Engine\u0026rdquo; to your SIEM and tune for your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized execution of MSBuild.exe in non-development environments.\u003c/li\u003e\n\u003cli\u003eMonitor the parent processes of MSBuild.exe for unusual or suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-msbuild-process-injection/","summary":"The Microsoft Build Engine (MSBuild) is being abused to perform process injection by creating threads in other processes, a technique used to evade detection and potentially escalate privileges.","title":"MSBuild Process Injection Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-msbuild-process-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","windows","fsutil","usn journal"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers can use the \u003ccode\u003efsutil.exe\u003c/code\u003e utility to delete the volume USN Journal in Windows. The USN Journal tracks changes made to files and directories on a disk volume, including metadata for file creation, deletion, modification, and permission changes. Deleting this journal can hinder forensic analysis by removing evidence of file operations. 
This technique is used to cover tracks and evade detection after an initial compromise, typically in the post-exploitation phase, when adversaries attempt to remove traces of their presence and actions on the compromised system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system and obtains administrative rights, which \u003ccode\u003efsutil\u003c/code\u003e requires.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003efsutil.exe\u003c/code\u003e from an elevated command line.\u003c/li\u003e\n\u003cli\u003eThe command \u003ccode\u003efsutil usn deletejournal /D [volume]\u003c/code\u003e is used to delete the USN Journal on the specified volume (\u003ccode\u003e/N\u003c/code\u003e only disables it and is worth matching as well).\u003c/li\u003e\n\u003cli\u003eThe operating system processes the command, removing the USN Journal and with it the historical change records.\u003c/li\u003e\n\u003cli\u003eSubsequent file system activity is not recorded until a component re-creates the journal, and the earlier entries are gone either way.\u003c/li\u003e\n\u003cli\u003eThe attacker performs further actions on the system, such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003cli\u003eForensic analysis is hampered due to the missing USN Journal entries.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of the USN Journal impairs forensic investigations and incident response efforts. Without the USN Journal, analysts may struggle to determine the full scope of an intrusion, including files created, modified, or deleted by the attacker. 
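\u003cp\u003eThe command-line matching behind this brief and the net.exe account-creation brief above, as one added example; it is not code from the feed or from either Sigma rule. The events are constructed process-creation records with field names modelled on Sysmon Event ID 1, and the privileged-group list is an illustrative assumption:\u003c/p\u003e

```python
# Added example, not code from the feed or the Sigma rules: Sigma-style
# command-line matching for account creation via net.exe and USN journal
# deletion via fsutil.exe, over constructed process-creation events.
from typing import Dict, List, Tuple

# Groups whose membership changes deserve a look (illustrative choice).
PRIVILEGED_GROUPS = ('administrators', 'domain admins', 'enterprise admins')


def image_name(image: str) -> str:
    return image.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def tokens(command_line: str) -> List[str]:
    # net.exe and fsutil.exe arguments do not need shell-quoting rules;
    # whitespace splitting plus lower-casing is enough for these rules.
    return [t.lower() for t in command_line.split()]


def classify(ev: Dict[str, str]) -> List[str]:
    # Return the names of every rule the event matches.
    name = image_name(ev.get('image', ''))
    toks = tokens(ev.get('command_line', ''))
    joined = ' '.join(toks)
    hits: List[str] = []

    if name in ('net.exe', 'net1.exe'):
        # net.exe forwards most commands to net1.exe with the same command line,
        # so one typed command produces two process-creation events. Alert on
        # the parent and skip the child to avoid double counting.
        if name == 'net1.exe' and image_name(ev.get('parent_image', '')) == 'net.exe':
            return hits
        # net accepts abbreviated switches, hence /ad as well as /add.
        adds = any(t in ('/add', '/ad') for t in toks)
        if adds and 'user' in toks:
            hits.append('account_creation_via_net')
        if adds and ('localgroup' in toks or 'group' in toks) and any(
                g in joined for g in PRIVILEGED_GROUPS):
            hits.append('privileged_group_add_via_net')

    if name == 'fsutil.exe' and 'usn' in toks and 'deletejournal' in toks:
        hits.append('usn_journal_deletion')

    return hits


def run(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    return [(rule, ev['command_line']) for ev in events for rule in classify(ev)]


# Constructed sample events for the example.
SAMPLE_EVENTS = [
    {'image': 'C:\\Windows\\System32\\net.exe', 'parent_image': 'C:\\Windows\\System32\\cmd.exe',
     'command_line': 'net user svc_backup P@ssw0rd1 /add'},
    {'image': 'C:\\Windows\\System32\\net1.exe', 'parent_image': 'C:\\Windows\\System32\\net.exe',
     'command_line': 'C:\\Windows\\system32\\net1 user svc_backup P@ssw0rd1 /add'},
    {'image': 'C:\\Windows\\System32\\net.exe', 'parent_image': 'C:\\Windows\\System32\\cmd.exe',
     'command_line': 'net localgroup Administrators svc_backup /ad'},
    {'image': 'C:\\Windows\\System32\\net.exe', 'parent_image': 'C:\\Windows\\explorer.exe',
     'command_line': 'net user'},
    {'image': 'C:\\Windows\\System32\\fsutil.exe', 'parent_image': 'C:\\Windows\\System32\\cmd.exe',
     'command_line': 'fsutil usn deletejournal /D C:'},
    {'image': 'C:\\Windows\\System32\\fsutil.exe', 'parent_image': 'C:\\Windows\\System32\\cmd.exe',
     'command_line': 'fsutil usn queryjournal C:'},
]

if __name__ == '__main__':
    for rule, cmd in run(SAMPLE_EVENTS):
        print(rule, '<-', cmd)
```

\u003cp\u003eThe net1.exe branch matters in practice: because net.exe delegates to net1.exe with the same arguments, a rule that matches both images raises two alerts per typed command unless the child is folded into its parent. The fsutil branch matches only deletejournal; extend the token check if you also want the disable case (fsutil usn deletejournal /N).\u003c/p\u003e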
This can lead to incomplete remediation and a higher risk of reinfection.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect USN Journal Deletion via Fsutil\u0026rdquo; to your SIEM to identify this specific behavior.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for \u003ccode\u003efsutil.exe\u003c/code\u003e with arguments related to \u0026ldquo;deletejournal\u0026rdquo; and \u0026ldquo;usn\u0026rdquo; to detect potential attempts to delete the USN Journal.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the execution of \u003ccode\u003efsutil.exe\u003c/code\u003e with the relevant arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-usn-journal-deletion/","summary":"Adversaries may delete the volume USN Journal on Windows systems using `fsutil.exe` to eliminate evidence of post-exploitation file activity.","title":"Windows USN Journal Deletion via Fsutil","url":"https://feed.craftedsignal.io/briefs/2024-01-usn-journal-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR"],"_cs_severities":["low"],"_cs_tags":["persistence","registry_modification","werfault"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers can abuse the Windows Error Reporting (Werfault) service to establish persistence on a compromised system. This is achieved by modifying the ReflectDebugger registry key. When Werfault is executed with the \u003ccode\u003e-pr\u003c/code\u003e parameter, it will execute the debugger specified in the ReflectDebugger registry key. This allows attackers to execute arbitrary code every time the Windows Error Reporting utility is triggered. 
The technique involves modifying specific registry paths associated with the ReflectDebugger. This behavior has been documented as a persistence mechanism in malware analysis reports.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system and obtains administrative rights, which writing to HKLM requires.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the ReflectDebugger value to a malicious executable or script. Sensors report the same key under three spellings, and the rule matches all of them: \u003ccode\u003eHKLM\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger\u003c/code\u003e (Win32 alias), \u003ccode\u003e\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger\u003c/code\u003e (native object path), or \u003ccode\u003eMACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger\u003c/code\u003e (the form some EDR telemetry emits).\u003c/li\u003e\n\u003cli\u003eThe attacker triggers Werfault.exe with the \u003ccode\u003e-pr\u003c/code\u003e parameter, either manually or through a system event.\u003c/li\u003e\n\u003cli\u003eWerfault.exe launches the program named in the ReflectDebugger value, so the attacker-controlled code runs as a child of a signed Microsoft binary.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence, as the malicious code is executed each time Werfault is triggered with the \u003ccode\u003e-pr\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to achieve persistence on the targeted system. This can lead to the execution of arbitrary code, potentially resulting in data theft, further malware installation, or complete system compromise. The impact is limited by the permissions of the Werfault process. 
While no specific victim counts are available, this technique can affect any Windows system where the attacker can write to HKLM, so administrative rights are a prerequisite.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eWerfault ReflectDebugger Registry Modification\u003c/code\u003e (logsource category \u003ccode\u003eregistry_set\u003c/code\u003e) to detect unauthorized modifications to the ReflectDebugger registry value.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to detect the execution of Werfault with the \u003ccode\u003e-pr\u003c/code\u003e parameter, and review what it spawns: a child of \u003ccode\u003eWerFault.exe\u003c/code\u003e that is not a recognised debugger is the stronger signal.\u003c/li\u003e\n\u003cli\u003eMonitor registry events for changes to the ReflectDebugger paths listed in the attack chain (\u003ccode\u003eHKLM\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger\u003c/code\u003e and its alternate spellings).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-werfault-reflectdebugger-persistence/","summary":"Attackers may establish persistence by modifying the ReflectDebugger registry key associated with Windows Error Reporting to execute arbitrary code when Werfault is invoked with the '-pr' parameter.","title":"Werfault ReflectDebugger Persistence via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-werfault-reflectdebugger-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MicrosoftEdge"],"_cs_severities":["low"],"_cs_tags":["command-and-control","encrypted-channel","freessl"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies Windows processes communicating with domains using free SSL certificates from providers like Let\u0026rsquo;s Encrypt, SSLforFree, ZeroSSL, and FreeSSL. 
Attackers can leverage these certificates to encrypt command and control (C2) communications, blending malicious traffic with legitimate encrypted web traffic. The rule focuses on detecting unusual processes, specifically those originating from standard Windows system paths that would not typically establish connections to services using free SSL certificates. Known benign processes are excluded to reduce false positives and highlight potentially malicious C2 activity. This rule was published on 2020/11/04 and last updated on 2026/05/04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a Windows host.\u003c/li\u003e\n\u003cli\u003eThe attacker installs a malicious agent on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe agent is configured to use a domain that utilizes a free SSL certificate for C2 communication.\u003c/li\u003e\n\u003cli\u003eThe malicious agent issues a DNS query for a name ending in *.letsencrypt.org, *.sslforfree.com, *.zerossl.com, or *.freessl.org, which is what the rule matches on.\u003c/li\u003e\n\u003cli\u003eEncryption does not bypass a host firewall, which filters on process, port and address; what it defeats is payload inspection, so the traffic passes network controls that rely on content.\u003c/li\u003e\n\u003cli\u003eThe agent receives commands from the C2 server over the encrypted channel.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands to move laterally and to exfiltrate sensitive data from the compromised host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to undetected command and control activity within the network. Attackers could use this encrypted channel to exfiltrate sensitive data, deploy ransomware, or move laterally to other systems. Because the certificate is valid and the traffic is ordinary TLS, it appears legitimate and passes basic network security controls. 
While the rule severity is low, a successful C2 channel can lead to critical impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect potentially malicious processes using free SSL certificates for communication, tuning the false positives for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on processes not typically associated with network activity originating from the defined Windows system paths.\u003c/li\u003e\n\u003cli\u003eMonitor DNS query logs for connections to domains using free SSL certificates from unusual or untrusted processes.\u003c/li\u003e\n\u003cli\u003eUpdate the Sigma rule with new free SSL certificate providers and adjust the excluded processes based on observed false positives in your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 22 (DNS Query) logging for better visibility into DNS requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-freesslcert-c2/","summary":"This rule identifies unusual Windows processes connecting to domains using known free SSL certificates such as Let's Encrypt, which adversaries may use to conceal command and control traffic.","title":"Unusual Windows Processes Connecting to Domains Using Free SSL Certificates","url":"https://feed.craftedsignal.io/briefs/2024-01-freesslcert-c2/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","proxy-execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne"],"content_html":"\u003cp\u003eAttackers frequently exploit built-in system utilities to bypass security measures and execute malicious code. 
This technique, known as \u0026ldquo;Living off the Land,\u0026rdquo; allows them to blend in with legitimate system activity, making detection more challenging. This threat brief focuses on identifying unusual network connections originating from Windows system utilities that are not typically associated with network communication. This behavior is often indicative of an attacker leveraging these tools for purposes such as downloading payloads, establishing command and control, or exfiltrating data. The utilities of concern include: Microsoft.Workflow.Compiler.exe, bginfo.exe, cdb.exe, cmstp.exe, csi.exe, dnx.exe, fsi.exe, ieexec.exe, iexpress.exe, odbcconf.exe, rcsi.exe and xwizard.exe. Defenders should monitor for network activity from these processes to identify potential malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through methods such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a system utility such as \u003ccode\u003ecmstp.exe\u003c/code\u003e to execute malicious code.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ecmstp.exe\u003c/code\u003e is invoked with a malicious INF file, leading to the execution of arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe executed code initiates a network connection to an external server.\u003c/li\u003e\n\u003cli\u003eThe connection is used to download a secondary payload, such as a reverse shell or malware.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the downloaded payload to establish a persistent presence on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data from compromised systems to a remote server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA 
successful attack can lead to a compromised system with unauthorized code execution, data exfiltration, and potential lateral movement within the network, and from there to data breaches, financial loss, or reputational damage. Because the listed utilities are also run legitimately, the rule carries a high false-positive rate; it is rated low severity and should be tuned for the specific environment and paired with other detection mechanisms rather than acted on alone.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rules provided in this brief to detect unusual network connections from system utilities within your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for the utilities listed in the rule query to identify potential abuse of these tools, and check the parent process and command line: \u003ccode\u003ecmstp.exe\u003c/code\u003e launched by an Office application with an INF file in a user-writable path is a very different event from the same binary run by an installer.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection) logging for enhanced visibility into process execution and network activity.\u003c/li\u003e\n\u003cli\u003eCorrelate detections from this rule with other security alerts and logs to gain a more complete understanding of the attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-unusual-process-network/","summary":"Adversaries may leverage unusual system utilities such as Microsoft.Workflow.Compiler.exe, bginfo.exe, cdb.exe, cmstp.exe, csi.exe, dnx.exe, fsi.exe, ieexec.exe, iexpress.exe, odbcconf.exe, rcsi.exe and xwizard.exe to execute code and evade detection, as identified by network connections originating from these processes.","title":"Unusual System Utilities Initiating Network 
Connections","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-process-network/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["low"],"_cs_tags":["persistence","scheduled-task","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies first-time modifications to scheduled tasks by non-system users on Windows systems. Adversaries frequently abuse scheduled tasks to achieve persistence by modifying existing tasks or creating new ones that execute malicious code at recurring intervals. This rule focuses on detecting unauthorized changes to existing tasks by filtering out known system accounts (SYSTEM, Local Service, Network Service) and machine accounts, thereby highlighting potentially suspicious user activity. The rule leverages Windows Security Event Logs (event code 4702) to monitor task modifications. The goal is to aid in the early detection of threats where attackers are attempting to establish persistence on a compromised system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing scheduled tasks on the system using tools like \u003ccode\u003eschtasks.exe\u003c/code\u003e or PowerShell cmdlets.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a suitable scheduled task to modify for persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the task\u0026rsquo;s settings, such as the trigger time, the executable to run, or the arguments passed to the executable. 
Whether the change is made with \u003ccode\u003eschtasks.exe /change\u003c/code\u003e, PowerShell\u0026rsquo;s \u003ccode\u003eSet-ScheduledTask\u003c/code\u003e cmdlet, or the Task Scheduler API directly, it is logged as event ID 4702, which records the account that made the change and the updated task definition.\u003c/li\u003e\n\u003cli\u003eThe modified scheduled task executes at the specified time, launching the attacker\u0026rsquo;s malicious payload.\u003c/li\u003e\n\u003cli\u003eThe malicious payload establishes a reverse shell to the attacker\u0026rsquo;s command and control (C2) server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the reverse shell to perform further actions on the compromised system, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack involving the modification of scheduled tasks can lead to persistent access to a compromised system. The attacker can use this access to steal sensitive data, install malware, or perform other malicious activities. 
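\u003cp\u003eThe event 4702 filter described above, together with the first-time-seen state that the phrase first-time modifications implies, as an added example rather than code from the brief or from the rule. The records are constructed from the fields a Security event 4702 carries (subject user name, task name); the host names, task names and the choice of host, task and user as the first-seen key are assumptions made for the example:\u003c/p\u003e

```python
# Added example, not the feed's or the rule's code: event 4702 filtered to
# non-system, non-machine accounts, then reduced to first-time-seen changes.
from typing import Dict, List, Optional, Set, Tuple

SYSTEM_ACCOUNTS = ('system', 'local service', 'network service')

Key = Tuple[str, str, str]


def is_user_task_update(ev: Dict[str, object]) -> bool:
    # 4702 = A scheduled task was updated. 4698 (created) belongs to another rule.
    if ev.get('event_id') != 4702:
        return False
    user = str(ev.get('subject_user_name', '')).lower()
    # Machine accounts are named HOSTNAME$ and update tasks constantly.
    if user in SYSTEM_ACCOUNTS or user.endswith('$'):
        return False
    return True


class FirstSeenTaskUpdates:
    # Keep the set of (host, task, user) already alerted on. Real deployments put
    # this state in the SIEM (new-terms style rules) with a look-back window.
    def __init__(self) -> None:
        self.seen: Set[Key] = set()

    def process(self, ev: Dict[str, object]) -> Optional[Key]:
        if not is_user_task_update(ev):
            return None
        key = (str(ev['host']).lower(), str(ev['task_name']).lower(),
               str(ev['subject_user_name']).lower())
        if key in self.seen:
            return None
        self.seen.add(key)
        return key


def run(events: List[Dict[str, object]]) -> List[Key]:
    detector = FirstSeenTaskUpdates()
    alerts = []
    for ev in events:
        key = detector.process(ev)
        if key is not None:
            alerts.append(key)
    return alerts


# Constructed sample records for the example (task names as Windows logs them,
# with a leading backslash).
SAMPLE_EVENTS = [
    {'event_id': 4702, 'host': 'WS01', 'subject_user_name': 'SYSTEM',
     'task_name': '\\Microsoft\\Windows\\Defrag\\ScheduledDefrag'},
    {'event_id': 4702, 'host': 'WS01', 'subject_user_name': 'WS01$',
     'task_name': '\\Microsoft\\Windows\\Defrag\\ScheduledDefrag'},
    {'event_id': 4702, 'host': 'WS01', 'subject_user_name': 'alice',
     'task_name': '\\OneDrive Standalone Update Task'},
    {'event_id': 4702, 'host': 'WS01', 'subject_user_name': 'alice',
     'task_name': '\\OneDrive Standalone Update Task'},
    {'event_id': 4698, 'host': 'WS01', 'subject_user_name': 'alice',
     'task_name': '\\Updater'},
    {'event_id': 4702, 'host': 'WS02', 'subject_user_name': 'Alice',
     'task_name': '\\OneDrive Standalone Update Task'},
]

if __name__ == '__main__':
    for host, task, user in run(SAMPLE_EVENTS):
        print(host, user, task)
```

\u003cp\u003eThe filter alone would fire on every edit a user makes; the first-seen set is what turns it into the low-volume signal the brief describes. In a SIEM the same effect comes from a new-terms or first-occurrence rule keyed on the same fields, with the look-back window deciding how long a task stays known.\u003c/p\u003e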
While this rule is low severity, it can uncover attackers attempting to persist in a network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Other Object Access Events\u0026rdquo; to generate the required Windows Security Event Logs (event ID 4702) as described in the setup instructions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to your SIEM to detect unusual scheduled task updates.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule to determine if the scheduled task modification is legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eReview the references provided to understand the underlying event IDs and attacker techniques related to scheduled tasks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-unusual-scheduled-task-update/","summary":"This rule detects modifications to scheduled tasks by user accounts, excluding system activity and machine accounts, which adversaries can exploit for persistence by modifying them to execute malicious code.","title":"Unusual Scheduled Task Update","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-scheduled-task-update/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["persistence","windows","registry modification"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies processes that modify the Windows services registry key directly, bypassing the standard Windows APIs. This behavior can signify an adversary\u0026rsquo;s attempt to establish persistence stealthily by creating new services or altering existing ones in an unexpected manner. 
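\u003cp\u003eThe registry value-set matching from the Werfault ReflectDebugger brief above and from this brief, as one added example that is not code from the feed or from the Sigma rules. The records are constructed in the shape of Sysmon Event ID 13 (RegistryEvent, value set); the three hive spellings folded together are the ones the Werfault brief lists, and the writer allowlist is a deliberately short assumption:\u003c/p\u003e

```python
# Added example, not the feed's or the rules' code: match Sysmon Event ID 13
# (registry value set) records against the Werfault ReflectDebugger value and
# direct writes to service ImagePath / ServiceDLL values.
import re
from typing import Dict, List, Optional

REFLECT_DEBUGGER = ('hklm\\software\\microsoft\\windows\\'
                    'windows error reporting\\hangs\\reflectdebugger')

# ControlSet001, ControlSet002 or CurrentControlSet; ServiceDLL normally lives
# under the Parameters subkey, ImagePath directly under the service key.
SERVICE_TARGET = re.compile(
    r'^hklm\\system\\(controlset[0-9]{3}|currentcontrolset)\\services\\'
    r'[^\\]+\\(parameters\\)?(servicedll|imagepath)$')

# Processes expected to write these values (assumption for the example; the
# real rules exclude many more installers and agents).
LEGIT_SERVICE_WRITERS = ('services.exe', 'msiexec.exe', 'tiworker.exe')


def normalize_key(path: str) -> str:
    # Sensors report the same key as HKLM\..., \REGISTRY\MACHINE\... or
    # MACHINE\...; fold all three to one spelling before comparing.
    p = path.replace('/', '\\').lower()
    for prefix in ('\\registry\\machine\\', 'machine\\', 'hklm\\'):
        if p.startswith(prefix):
            return 'hklm\\' + p[len(prefix):]
    return p


def image_name(image: str) -> str:
    return image.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def classify(ev: Dict[str, object]) -> Optional[str]:
    if ev.get('event_id') != 13:
        return None
    target = normalize_key(str(ev.get('target_object', '')))
    writer = image_name(str(ev.get('image', '')))
    if target == REFLECT_DEBUGGER:
        return 'werfault_reflectdebugger_set'
    if SERVICE_TARGET.match(target) and writer not in LEGIT_SERVICE_WRITERS:
        return 'direct_service_registry_modification'
    return None


def run(events: List[Dict[str, object]]) -> List[str]:
    return [rule for rule in (classify(ev) for ev in events) if rule]


# Constructed sample records for the example.
SAMPLE_EVENTS = [
    {'event_id': 13, 'image': 'C:\\Windows\\System32\\reg.exe',
     'target_object': 'HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger',
     'details': 'C:\\Users\\Public\\helper.exe'},
    {'event_id': 13, 'image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'target_object': '\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\Updater\\ImagePath',
     'details': 'C:\\Users\\Public\\helper.exe'},
    {'event_id': 13, 'image': 'C:\\Windows\\System32\\services.exe',
     'target_object': 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\Spooler\\ImagePath',
     'details': 'C:\\Windows\\System32\\spoolsv.exe'},
    {'event_id': 13, 'image': 'C:\\Windows\\System32\\reg.exe',
     'target_object': 'MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Updater\\Parameters\\ServiceDLL',
     'details': 'C:\\Users\\Public\\helper.dll'},
    {'event_id': 13, 'image': 'C:\\Windows\\System32\\reg.exe',
     'target_object': 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\Updater\\Start',
     'details': 'DWORD (0x00000002)'},
    {'event_id': 12, 'image': 'C:\\Windows\\System32\\reg.exe',
     'target_object': 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\Updater',
     'details': ''},
]

if __name__ == '__main__':
    for ev in SAMPLE_EVENTS:
        print(classify(ev) or '-', ev['target_object'])
```

\u003cp\u003eFolding the hive spellings before comparison is what keeps one rule valid across Sysmon, kernel-style paths and EDR telemetry. The details field (the new value) is not used for matching, but it is the first thing to look at in triage: an ImagePath or ServiceDLL that points into a user-writable directory is the strongest signal here.\u003c/p\u003e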
The detection logic focuses on changes to the \u003ccode\u003eServiceDLL\u003c/code\u003e and \u003ccode\u003eImagePath\u003c/code\u003e values within specific registry paths associated with service configurations; normally these values are written by the Service Control Manager when a service is installed through \u003ccode\u003esc.exe\u003c/code\u003e or the CreateService API, so a different process writing them directly is the anomaly. This rule is designed for data generated by Elastic Defend and also supports Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon registry events (Event ID 13, RegistryEvent Value Set). The rule helps security analysts identify potentially malicious activity related to service manipulation, which can lead to persistent access and control over compromised systems. The rule excludes known legitimate processes and paths to minimize false positives, focusing on anomalous registry modifications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means (e.g., phishing, exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain administrative access, allowing them to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker directly modifies the \u003ccode\u003eHKLM\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL\u003c/code\u003e or \u003ccode\u003eHKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath\u003c/code\u003e registry values to point to a malicious DLL or executable, rather than going through the Service Control Manager.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s malicious DLL or executable is configured to run as a service, ensuring persistence across system reboots.\u003c/li\u003e\n\u003cli\u003eThe compromised service starts automatically during system startup or manually when triggered by the attacker.\u003c/li\u003e\n\u003cli\u003eThe malicious service executes arbitrary code, providing the attacker with persistent control over the system.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the compromised service to perform further malicious activities, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to achieve persistence on the compromised system, maintaining access even after reboots or user logoffs. This can lead to long-term control over the system, enabling attackers to perform various malicious activities, including data theft, deployment of ransomware, or use of the system as a foothold for further attacks within the network. The severity is further amplified if critical services are targeted, potentially leading to system instability or denial of service.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon registry event logging (Event ID 13, RegistryEvent Value Set) to capture the necessary data for this detection (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect unusual service registry modifications.\u003c/li\u003e\n\u003cli\u003eTune the Sigma rules by adding exceptions for legitimate software installations or updates that write service registry values directly.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on the process that modified the \u003ccode\u003eServiceDLL\u003c/code\u003e or \u003ccode\u003eImagePath\u003c/code\u003e value and on where the new value points.\u003c/li\u003e\n\u003cli\u003eReview endpoint protection policies to ensure that similar unauthorized registry modifications are detected and blocked in the future (Response and remediation).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-unusual-registry-persistence/","summary":"Detection of processes modifying the Windows services registry key directly, potentially indicating stealthy persistence attempts via abnormal service creation or modification.","title":"Unusual Persistence via Services Registry 
Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-registry-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Monitoring Agent","Cohesity Windows Agent"],"_cs_severities":["low"],"_cs_tags":["discovery","windows","threat-detection"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cohesity"],"content_html":"\u003cp\u003eThe \u003ccode\u003ewhoami\u003c/code\u003e utility is commonly used by attackers post-compromise to gather information about the current user and their privileges on a compromised system. This information helps attackers assess their level of access and plan further actions within the environment, such as privilege escalation or lateral movement. This activity is most concerning when executed by SYSTEM accounts or from unusual parent processes. This detection identifies unusual or suspicious executions of \u003ccode\u003ewhoami.exe\u003c/code\u003e, especially when associated with system privileges or specific parent processes known to be abused by attackers. 
The rule is designed to function across various Windows environments and considers potential false positives from legitimate administrative tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the Windows system through an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (Optional): The attacker may attempt to elevate privileges to a higher level, potentially SYSTEM.\u003c/li\u003e\n\u003cli\u003eDiscovery: The attacker executes \u003ccode\u003ewhoami.exe\u003c/code\u003e to determine the current user and their privileges.\u003c/li\u003e\n\u003cli\u003eInformation Gathering: The attacker analyzes the output of \u003ccode\u003ewhoami.exe\u003c/code\u003e to understand the context of the compromised system.\u003c/li\u003e\n\u003cli\u003eLateral Movement (Conditional): Based on the information gathered, the attacker may attempt to move laterally to other systems.\u003c/li\u003e\n\u003cli\u003eFurther Exploitation: The attacker leverages the gathered information to further exploit the compromised system or network.\u003c/li\u003e\n\u003cli\u003ePersistence (Optional): The attacker may establish persistence to maintain access to the compromised system.\u003c/li\u003e\n\u003cli\u003eObjective Completion: The attacker achieves their final objective, such as data exfiltration or system disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and reconnaissance can allow attackers to gain a deeper understanding of a compromised system. This may lead to further exploitation, lateral movement, and ultimately, the exfiltration of sensitive data or the disruption of critical services. 
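The two conditions this brief singles out, whoami.exe running as SYSTEM and whoami.exe launched from an unusual parent, written as an added Python example over process-creation events (this is not the feed's or Elastic's rule logic, only a simplified model of what the brief describes). Field names follow ECS; the parent lists, the allowlisted agent install path and the sample events are assumptions constructed for illustration.

```python
"""Classify whoami.exe executions from process-creation telemetry.

Added example, not from the feed or the Elastic rule it summarises. It
checks the two conditions the brief calls out: whoami running as SYSTEM
(S-1-5-18) and whoami spawned by a parent that has no business running
discovery. Field names follow ECS; the parent lists are assumptions.
"""
import ntpath

SYSTEM_SID = "S-1-5-18"
# Parents that should essentially never run whoami: web/app servers, Office,
# script hosts and LOLBins (assumption chosen for illustration).
UNEXPECTED_PARENTS = {
    "w3wp.exe", "httpd.exe", "tomcat9.exe", "java.exe",
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe",
}
# Agents known to run whoami as SYSTEM legitimately, matched by path prefix
# (assumed install path, modelled on the false positives the brief lists).
ALLOWED_SYSTEM_PARENT_PREFIXES = (
    "c:\\program files\\microsoft monitoring agent\\",
)


def classify_whoami(ev: dict):
    """Return a reason string when the event is a suspicious whoami, else None."""
    if ntpath.basename(ev["process.executable"]).lower() != "whoami.exe":
        return None
    parent_path = ev["process.parent.executable"].lower()
    parent = ntpath.basename(parent_path)
    reasons = []
    if ev["user.id"] == SYSTEM_SID and not parent_path.startswith(ALLOWED_SYSTEM_PARENT_PREFIXES):
        reasons.append("whoami executed as SYSTEM")
    if parent in UNEXPECTED_PARENTS:
        reasons.append(f"unexpected parent {parent}")
    return "; ".join(reasons) or None


def triage(events: list) -> list:
    """Return (parent, command line, reason) for every event that is flagged."""
    out = []
    for ev in events:
        reason = classify_whoami(ev)
        if reason:
            out.append((ev["process.parent.executable"], ev["process.command_line"], reason))
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"process.executable": "C:\\Windows\\System32\\whoami.exe", "process.command_line": "whoami /groups",
     "process.parent.executable": "C:\\Windows\\System32\\cmd.exe", "user.id": "S-1-5-21-1111-2222-3333-1001"},
    {"process.executable": "C:\\Windows\\System32\\whoami.exe", "process.command_line": "whoami /priv",
     "process.parent.executable": "C:\\Windows\\System32\\cmd.exe", "user.id": "S-1-5-18"},
    {"process.executable": "C:\\Windows\\System32\\whoami.exe", "process.command_line": "whoami",
     "process.parent.executable": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "user.id": "S-1-5-21-1111-2222-3333-1003"},
    {"process.executable": "C:\\Windows\\System32\\whoami.exe", "process.command_line": "whoami",
     "process.parent.executable": "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe",
     "user.id": "S-1-5-18"},
    {"process.executable": "C:\\Windows\\System32\\hostname.exe", "process.command_line": "hostname",
     "process.parent.executable": "C:\\Windows\\System32\\cmd.exe", "user.id": "S-1-5-18"},
]

if __name__ == "__main__":
    for parent, cmdline, reason in triage(SAMPLE_EVENTS):
        print(f"{reason}: {cmdline} <- {parent}")
```

The interactive user running whoami from cmd.exe is left alone, the SYSTEM shell and the web-server child are flagged, and the monitoring agent is suppressed by path prefix rather than by bare process name, so a copy of a like-named binary dropped elsewhere would still alert.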
While the \u003ccode\u003ewhoami\u003c/code\u003e command itself is not inherently malicious, its suspicious usage often indicates malicious activity within a compromised environment. The severity is low because the execution of whoami by itself is not enough to confirm malicious activity, and further investigation is needed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to detect \u003ccode\u003ewhoami.exe\u003c/code\u003e executions (reference: logs-endpoint.events.process-*, logs-system.security*, logs-windows.forwarded*, logs-windows.sysmon_operational-*).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Whoami Process Activity\u0026rdquo; to your SIEM and tune for your environment (reference: rule).\u003c/li\u003e\n\u003cli\u003eInvestigate parent processes of \u003ccode\u003ewhoami.exe\u003c/code\u003e for any suspicious or unusual activity (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eMonitor for other discovery commands executed around the same time as \u003ccode\u003ewhoami.exe\u003c/code\u003e (reference: Related rules).\u003c/li\u003e\n\u003cli\u003eReview and tune the false positives outlined in the rule to minimize noise (reference: false_positives).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-whoami-discovery/","summary":"This rule detects suspicious use of whoami.exe to display user, group, and privileges information for the user who is currently logged on to the local system, potentially indicating post-compromise discovery activity.","title":"Suspicious Whoami Process Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-whoami-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic 
Defend"],"_cs_severities":["low"],"_cs_tags":["lateral-movement","windows","sc.exe"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies the suspicious use of \u003ccode\u003esc.exe\u003c/code\u003e (the Service Control command-line tool, which drives the local or a remote host\u0026rsquo;s Service Control Manager) to create, modify, or start services on remote Windows hosts. While system administrators may legitimately use this tool, its use for lateral movement is a known technique used by attackers. This activity is often part of a larger attack campaign, where adversaries attempt to gain access to sensitive data or critical systems. The rule aims to detect unauthorized attempts to manipulate services on remote systems, differentiating between legitimate administrative tasks and malicious activities. The rule is designed for data generated by Elastic Defend, but also supports Sysmon data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised host within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003esc.exe\u003c/code\u003e with the \u003ccode\u003ecreate\u003c/code\u003e command, targeting the remote host with a leading \u003ccode\u003e\\\\hostname\u003c/code\u003e argument, to create a new service on that host, specifying a malicious executable as the \u003ccode\u003ebinPath\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses \u003ccode\u003esc.exe\u003c/code\u003e with the \u003ccode\u003econfig\u003c/code\u003e command to modify an existing service on a remote host, changing its \u003ccode\u003ebinPath\u003c/code\u003e to point to a malicious executable.\u003c/li\u003e\n\u003cli\u003eOr the attacker uses \u003ccode\u003esc.exe\u003c/code\u003e with the \u003ccode\u003efailure\u003c/code\u003e command to configure service failure options, so that the Service Control Manager runs a malicious command when the service fails.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003esc.exe\u003c/code\u003e with the \u003ccode\u003estart\u003c/code\u003e command to start a service on a remote 
host, triggering the execution of the malicious executable.\u003c/li\u003e\n\u003cli\u003eThe malicious executable executes on the remote host, providing the attacker with a foothold for further actions.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly established foothold to move laterally to other systems within the network, potentially escalating privileges and accessing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence through the created or modified service, allowing continued access even after system reboots.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can allow attackers to move laterally within a network, gain unauthorized access to sensitive data, and establish persistence on compromised systems. While the source material doesn\u0026rsquo;t provide specific victim counts or sectors targeted, the impact of successful lateral movement can be significant, potentially leading to data breaches, system disruption, and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Service Command Lateral Movement\u0026rdquo; to your SIEM and tune for your environment based on observed false positives from administrative activity.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection) logging to enhance visibility into \u003ccode\u003esc.exe\u003c/code\u003e activity.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate administrative scripts or tools that use \u003ccode\u003esc.exe\u003c/code\u003e by their process names or paths to reduce false positives, as described in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the ability of adversaries to move laterally across the network, mitigating the impact of successful 
exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-cmd-service-lateral-movement/","summary":"The rule identifies the use of sc.exe to create, modify, or start services on remote hosts, potentially indicating lateral movement by adversaries.","title":"Suspicious Use of sc.exe for Remote Service Manipulation","url":"https://feed.craftedsignal.io/briefs/2024-01-cmd-service-lateral-movement/"},{"_cs_actors":["BadPatch"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["command-and-control","exfiltration","network-traffic"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection rule identifies suspicious SMTP activity occurring over TCP port 26. While standard SMTP traffic typically uses port 25, port 26 is sometimes used as an alternative to avoid conflicts or restrictions. The BadPatch malware family has been known to leverage port 26 for command and control (C2) communications with compromised Windows systems. This activity is considered suspicious because legitimate uses of SMTP on port 26 are less common and can indicate malicious activity, such as covert C2 channels used by malware like BadPatch. 
The rule analyzes network traffic to detect SMTP communication occurring on this non-standard port, helping to identify potential infections or unauthorized network activity. Because the rule keys on the destination port rather than on message content, any host legitimately configured to submit mail on port 26 will also match and should be allowlisted during tuning.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial infection occurs via an unspecified method (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eMalware establishes a foothold on the compromised system.\u003c/li\u003e\n\u003cli\u003eMalware configures itself to use SMTP on port 26 for C2 communications.\u003c/li\u003e\n\u003cli\u003eThe infected host initiates a TCP connection to a remote server on port 26.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server returns commands to the infected host over the SMTP connection on port 26.\u003c/li\u003e\n\u003cli\u003eThe infected host executes the received commands.\u003c/li\u003e\n\u003cli\u003eThe malware may exfiltrate data to the remote server over the SMTP connection on port 26.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems may be remotely controlled by attackers, leading to data theft, malware propagation, or further malicious activities. The use of non-standard ports like 26 can help attackers evade detection. 
If successful, an attacker can maintain persistence and control over the compromised system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SMTP Traffic on TCP Port 26\u003c/code\u003e to your SIEM and tune for your environment to detect potential command and control activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any network connections on TCP port 26 to identify potentially malicious SMTP traffic.\u003c/li\u003e\n\u003cli\u003eReview network traffic logs focusing on \u003ccode\u003enetwork_traffic.flow\u003c/code\u003e or \u003ccode\u003ezeek.smtp\u003c/code\u003e events to detect unusual patterns associated with TCP port 26.\u003c/li\u003e\n\u003cli\u003eImplement firewall rules to block unauthorized SMTP traffic on port 26.\u003c/li\u003e\n\u003cli\u003eExamine source and destination IP addresses of traffic on port 26, and correlate with threat intelligence sources to identify known malicious actors as per the references.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-smtp-port-26/","summary":"This rule detects SMTP traffic on TCP port 26, an alternative to the standard port 25 that the BadPatch malware family has used for command and control of Windows systems.","title":"Suspicious SMTP Activity on Port 26/TCP","url":"https://feed.craftedsignal.io/briefs/2024-01-03-smtp-port-26/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Word","Excel","PowerPoint","Publisher","Access"],"_cs_severities":["low"],"_cs_tags":["persistence","execution","windows","image_load","scheduled_task"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies a suspicious image load (\u003ccode\u003etaskschd.dll\u003c/code\u003e) originating from Microsoft Office applications (WINWORD.EXE, EXCEL.EXE, 
POWERPNT.EXE, MSPUB.EXE, MSACCESS.EXE). The behavior suggests potential adversarial activity involving the creation of scheduled tasks through the Windows Component Object Model (COM). Attackers may exploit this technique to establish persistence, circumventing traditional monitoring focused on the \u003ccode\u003eschtasks.exe\u003c/code\u003e utility. The use of COM for scheduled task management allows for stealthier operation and evasion of standard security controls, making it a valuable persistence mechanism for malicious actors. The rule is designed for data generated by Elastic Defend, Sysmon, and other endpoint detection platforms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser opens a malicious Microsoft Office document (e.g., Word, Excel).\u003c/li\u003e\n\u003cli\u003eThe document executes embedded macro code or exploits a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe macro or exploit leverages the Component Object Model (COM).\u003c/li\u003e\n\u003cli\u003eThe Office application (e.g., WINWORD.EXE) loads the \u003ccode\u003etaskschd.dll\u003c/code\u003e library, providing access to the Task Scheduler service.\u003c/li\u003e\n\u003cli\u003eThe COM interface is used to programmatically create a new scheduled task.\u003c/li\u003e\n\u003cli\u003eThe scheduled task is configured to execute a malicious payload at a later time or on a recurring basis.\u003c/li\u003e\n\u003cli\u003eThe malicious payload could be a script, executable, or command-line instruction.\u003c/li\u003e\n\u003cli\u003eUpon execution, the payload achieves the attacker\u0026rsquo;s objective, such as establishing persistence, downloading additional malware, or compromising the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging this technique can allow adversaries to maintain persistent access to a compromised system. 
This can lead to long-term data exfiltration, lateral movement within the network, and deployment of ransomware. The low severity score assigned to the original rule may underestimate the potential impact, as persistence is a critical component of many advanced attacks. Affected systems may require extensive remediation to remove all traces of the malicious activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Office Application Loading Task Scheduler DLL\u0026rdquo; to your SIEM and tune for your environment to detect this specific activity.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 7 (Image Loaded) logging on Windows endpoints to provide visibility into DLL loading events, which is a prerequisite for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the specific scheduled tasks that are created and the payloads they execute.\u003c/li\u003e\n\u003cli\u003eMonitor for scheduled task creation events (Event ID 4698) and deletion events (Event ID 4699) in the Windows Event Logs, as referenced in the rule\u0026rsquo;s investigation guide.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-suspicious-image-load-office/","summary":"Detection of taskschd.dll image loads from Microsoft Office applications indicates potential COM-based scheduled task creation for persistence, bypassing traditional schtasks.exe usage.","title":"Suspicious Image Load (taskschd.dll) from MS Office","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-image-load-office/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud 
Funnel"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","execution","credential-access","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne"],"content_html":"\u003cp\u003eThe Windows Subsystem for Linux (WSL) enables users to run Linux binaries natively on Windows, creating an opportunity for adversaries to evade detection by executing malicious Linux commands without triggering traditional Windows security alerts. This technique involves leveraging WSL\u0026rsquo;s bash shell to perform actions that might otherwise be flagged if executed directly within the Windows environment. This alert focuses on detecting suspicious behaviors indicative of malicious use of WSL, such as unauthorized access to sensitive files, use of network tools, or unusual command-line arguments. This can be used to facilitate lateral movement, data exfiltration, or other malicious activities. The Qualys blog post \u0026ldquo;Implications of Windows Subsystem for Linux for Adversaries \u0026amp; Defenders\u0026rdquo; (2022-03-22) describes this attack vector in detail.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker enables WSL if it is not already enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewsl.exe\u003c/code\u003e to start a Linux environment.\u003c/li\u003e\n\u003cli\u003eInside the WSL environment, the attacker uses \u003ccode\u003ebash\u003c/code\u003e to execute malicious commands.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to access sensitive files such as \u003ccode\u003e/etc/shadow\u003c/code\u003e or \u003ccode\u003e/etc/passwd\u003c/code\u003e to gather credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses network tools like \u003ccode\u003ecurl\u003c/code\u003e to download or upload malicious payloads.\u003c/li\u003e\n\u003cli\u003eThe 
attacker executes scripts to establish persistence within the WSL environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised WSL environment to move laterally to other systems or exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via WSL can lead to a variety of negative outcomes, including unauthorized access to sensitive information, credential compromise, and lateral movement within the network. While specific victim counts are unavailable, this technique can significantly increase the attack surface and reduce the effectiveness of traditional Windows-based security measures, affecting organizations across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture \u003ccode\u003ewsl.exe\u003c/code\u003e and \u003ccode\u003ebash.exe\u003c/code\u003e executions (reference: Sysmon Event ID 1 setup in rule setup section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious WSL Activity\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process command lines for suspicious arguments used with \u003ccode\u003ewsl.exe\u003c/code\u003e, such as access to \u003ccode\u003e/etc/shadow\u003c/code\u003e or \u003ccode\u003e/etc/passwd\u003c/code\u003e (reference: Sigma rule selection criteria).\u003c/li\u003e\n\u003cli\u003eInvestigate and whitelist legitimate uses of WSL within your environment to reduce false positives (reference: False positive analysis in the rule description).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wsl-bash-exec/","summary":"Adversaries may leverage the Windows Subsystem for Linux (WSL) to execute malicious Linux commands, bypassing traditional Windows security 
measures, detected by monitoring process execution and command-line arguments.","title":"Suspicious Execution via Windows Subsystem for Linux","url":"https://feed.craftedsignal.io/briefs/2024-01-wsl-bash-exec/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Edge","Cisco Spark","Admin By Request","Cloud Signature Update Agent","Vantage","Adobe Reader and Acrobat Manager"],"_cs_severities":["low"],"_cs_tags":["persistence","registry","runkey"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cisco","FastTrack Software","Exclaimer Ltd","Lenovo","Adobe"],"content_html":"\u003cp\u003eAttackers often modify registry run keys to achieve persistence on a system. By adding entries to these keys, they ensure that a malicious program executes automatically whenever a user logs in. This technique allows the attacker to maintain access to the compromised system even after reboots or other interruptions. The programs added to these run keys execute under the context of the user account, inheriting its permissions. This activity is often difficult to distinguish from legitimate software installations or updates, requiring careful analysis to identify malicious intent. 
Elastic has observed this activity and created a detection rule to identify this behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies registry run key locations for persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies a registry run key (e.g., \u003ccode\u003eHKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u003c/code\u003e) using tools such as \u003ccode\u003ereg.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker adds a malicious executable path to the registry key.\u003c/li\u003e\n\u003cli\u003eThe system is restarted, or a user logs in.\u003c/li\u003e\n\u003cli\u003eThe malicious executable is launched automatically as part of the logon process.\u003c/li\u003e\n\u003cli\u003eThe malicious executable establishes a connection to a command-and-control server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to compromised systems, enabling them to perform unauthorized activities such as data theft, lateral movement, and deployment of ransomware. While each instance may not cause immediate critical damage, the cumulative effect of multiple persistent infections across an environment can lead to significant data breaches and operational disruption. 
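The run-key matching this brief describes, written as an added Python example over Sysmon registry value-set events (Event ID 13); it is not the feed's or Elastic's rule. The key patterns, the writer exclusion list (the brief names ctfmon.exe as one writer the real rule filters) and a second heuristic that flags values pointing into user-writable directories are assumptions chosen for illustration, as are the sample events.

```python
"""Match Sysmon registry value-set events (Event ID 13) against run-key locations.

Added example, not part of the feed or of Elastic's rule. The key patterns
and the writer exclusion list are assumptions for illustration; the brief
names ctfmon.exe as one writer the real rule filters. A second heuristic
flags values that point into user-writable directories.
"""
import fnmatch

RUN_KEY_PATTERNS = (
    r"hklm\software\microsoft\windows\currentversion\run\*",
    r"hklm\software\microsoft\windows\currentversion\runonce\*",
    r"hklm\software\wow6432node\microsoft\windows\currentversion\run\*",
    r"hklm\software\microsoft\windows\currentversion\policies\explorer\run\*",
    r"hku\*\software\microsoft\windows\currentversion\run\*",
    r"hku\*\software\microsoft\windows\currentversion\runonce\*",
)
# Writers excluded as legitimate (assumption; tune per environment).
EXCLUDED_IMAGES = {
    r"c:\windows\system32\ctfmon.exe",
    r"c:\windows\system32\msiexec.exe",
}
# Directories a standard user can write to; a run value pointing here is
# more likely dropped malware than an installed product (heuristic).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def is_run_key(target_object: str) -> bool:
    """True when the Sysmon TargetObject lies under one of the run-key locations."""
    t = target_object.lower()
    return any(fnmatch.fnmatchcase(t, pat) for pat in RUN_KEY_PATTERNS)


def in_user_writable_dir(details: str) -> bool:
    """True when the value written (the command to run) points into a user-writable path."""
    return any(m in details.lower() for m in USER_WRITABLE_MARKERS)


def triage_run_keys(events: list) -> list:
    """Return (image, target, details, user_writable) for unexcluded run-key writes."""
    hits = []
    for ev in events:
        if ev["EventID"] != 13 or not is_run_key(ev["TargetObject"]):
            continue
        if ev["Image"].lower() in EXCLUDED_IMAGES:
            continue
        hits.append((ev["Image"], ev["TargetObject"], ev["Details"], in_user_writable_dir(ev["Details"])))
    return hits


# Constructed sample events (not real telemetry).
_USER_RUN = "HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\ctfmon.exe", "TargetObject": _USER_RUN + "ctfmon",
     "Details": "C:\\Windows\\System32\\ctfmon.exe"},
    {"EventID": 13, "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\setup.exe", "TargetObject": _USER_RUN + "Updater",
     "Details": "C:\\Users\\jdoe\\AppData\\Roaming\\svc\\update.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Helper",
     "Details": "\"C:\\Program Files\\Vendor\\helper.exe\" -q"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{guid}\\DisplayName",
     "Details": "Vendor Tool"},
    # Event ID 12 is key create/delete, not a value write; the rule ignores it.
    {"EventID": 12, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Helper", "Details": None},
]

if __name__ == "__main__":
    for image, target, details, writable in triage_run_keys(SAMPLE_EVENTS):
        flag = " [user-writable path]" if writable else ""
        print(f"{image} wrote {target} = {details}{flag}")
```

The ctfmon write is dropped by the exclusion list, the Uninstall write never matches a run-key pattern, and of the two remaining hits the one whose value lands in AppData is the one to look at first; the writer's parent process, which the brief recommends examining, is not in this event and has to be joined from the matching process-creation record.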
The Elastic rule attempts to minimize false positives with built-in filters for common legitimate applications and processes like \u003ccode\u003ectfmon.exe\u003c/code\u003e, but tuning is required.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect suspicious modifications to registry run keys and tune it to filter out legitimate application updates.\u003c/li\u003e\n\u003cli\u003eEnable registry event logging to capture modifications made to the registry, ensuring that the Sigma rule can function correctly.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, examining the parent process of the process modifying the registry for suspicious activity.\u003c/li\u003e\n\u003cli\u003eBlock known malicious executables and domains identified during triage to prevent further infection.\u003c/li\u003e\n\u003cli\u003eUse endpoint detection and response (EDR) solutions like Elastic Defend to gain enhanced visibility into endpoint activity and detect malicious behavior associated with persistence mechanisms.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-run-key-registry-modification/","summary":"Attackers modify registry run keys or startup keys to achieve persistence by referencing a program that executes when a user logs in or the system boots.","title":"Startup or Run Key Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-run-key-registry-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["psexec","lateral-movement","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies the execution of PsExec, a dual-use tool commonly employed 
for both legitimate administration and malicious lateral movement. PsExec, part of the Sysinternals Suite, allows for remote command execution with elevated privileges, often abused by attackers to disable security controls and move laterally within a network. This rule specifically detects the creation of \u003ccode\u003ePsExec.exe\u003c/code\u003e followed by a network connection initiated by the process, which is a strong indicator of potential malicious activity. While PsExec has legitimate uses, its prevalence in attack scenarios necessitates careful monitoring. The rule is designed to work with data from Elastic Defend, SentinelOne Cloud Funnel, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or transfers the PsExec tool (\u003ccode\u003ePsExec.exe\u003c/code\u003e) to the compromised host, potentially using SMB shares or other file transfer methods.\u003c/li\u003e\n\u003cli\u003eThe attacker executes PsExec with the \u003ccode\u003e-accepteula\u003c/code\u003e flag, which suppresses the license dialog, potentially indicating a first-time execution on the machine.\u003c/li\u003e\n\u003cli\u003ePsExec establishes a network connection to a remote target system, leveraging SMB/Windows Admin Shares (T1021.002) to facilitate remote command execution.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PsExec to execute commands on the remote system, potentially with SYSTEM privileges, to install malware, gather credentials, or perform reconnaissance.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly compromised system as a pivot point to move laterally to other systems within the network, repeating the process.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges on multiple 
systems.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to widespread compromise across the network. Attackers can leverage PsExec to gain control over critical systems, disable security controls, and exfiltrate sensitive data. Lateral movement facilitated by PsExec can enable attackers to rapidly expand their footprint within an organization, impacting numerous systems and services. While the rule\u0026rsquo;s severity is low due to the dual-use nature of PsExec, the potential impact of unchecked lateral movement is significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePsExec Network Connection\u003c/code\u003e to your SIEM and tune the \u003ccode\u003eprocess.executable\u003c/code\u003e and \u003ccode\u003eprocess.parent.executable\u003c/code\u003e filters for your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection) logging for enhanced visibility into PsExec activity.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege to limit the accounts that can run PsExec and access sensitive systems.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003ePsExec Network Connection\u003c/code\u003e rule promptly to determine if the activity is legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from systems where PsExec is executed using the \u003ccode\u003ePsExec Outbound Network Connection\u003c/code\u003e Sigma 
rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-psexec-lateral-movement/","summary":"The rule identifies the use of PsExec.exe making a network connection, indicative of potential lateral movement by adversaries executing commands with SYSTEM privileges on Windows systems to disable defenses.","title":"PsExec Lateral Movement via Network Connection","url":"https://feed.craftedsignal.io/briefs/2024-01-psexec-lateral-movement/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Okta Identity Cloud"],"_cs_severities":["low"],"_cs_tags":["identity","okta","policy","attack.impact"],"_cs_type":"advisory","_cs_vendors":["Okta"],"content_html":"\u003cp\u003eThis alert identifies modifications or deletions of Okta policies, which govern authentication, authorization, and access control within the Okta Identity Cloud platform. While legitimate administrators routinely update policies, unauthorized changes can weaken the security posture, grant malicious actors elevated privileges, or let them bypass security controls. An unexpected event of this kind may indicate a compromised administrator account or insider activity within the Okta environment. Because Okta serves as a critical identity provider for many organizations, any unauthorized change to its policies can have far-reaching consequences. Detecting policy changes is crucial for maintaining the integrity and security of the Okta environment and preventing potential breaches. 
The targeted scope includes all Okta-managed applications and resources protected by the modified or deleted policy.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains access to an Okta administrator account, either through compromised credentials (e.g., phishing, credential stuffing) or insider access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication:\u003c/strong\u003e The attacker authenticates to the Okta admin console using the compromised or legitimate administrator account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Enumeration:\u003c/strong\u003e The attacker identifies target Okta policies to modify or delete using the Okta admin console or API.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Modification/Deletion:\u003c/strong\u003e The attacker modifies or deletes the targeted Okta policy through the Okta admin console or API. 
This generates a \u003ccode\u003epolicy.lifecycle.update\u003c/code\u003e or \u003ccode\u003epolicy.lifecycle.delete\u003c/code\u003e event in the Okta System Log.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Potential):\u003c/strong\u003e By modifying policies (for example, relaxing an authentication policy so that MFA is no longer required for an application), the attacker may escalate privileges, granting themselves or other unauthorized users access to sensitive applications and resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Potential):\u003c/strong\u003e With escalated privileges, the attacker moves laterally within the Okta environment, accessing other applications and resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Damage (Potential):\u003c/strong\u003e The attacker leverages the compromised Okta environment to exfiltrate sensitive data or cause damage to connected systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Okta policy modification or deletion can have significant consequences. Unauthorized policy changes can weaken security controls, allowing attackers to bypass authentication mechanisms, escalate privileges, and gain unauthorized access to sensitive applications and data. This could lead to data breaches, financial loss, and reputational damage. The impact depends on the scope of the affected policy and the applications it protects. 
The number of victims could range from a few individuals to the entire organization, depending on the scope of the compromised policy.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect Okta policy modifications or deletions (\u003ccode\u003epolicy.lifecycle.update\u003c/code\u003e, \u003ccode\u003epolicy.lifecycle.delete\u003c/code\u003e event types). Note that these event types cover the policy object itself; deactivating a policy (\u003ccode\u003epolicy.lifecycle.deactivate\u003c/code\u003e) or changing its rules (\u003ccode\u003epolicy.rule.update\u003c/code\u003e, \u003ccode\u003epolicy.rule.delete\u003c/code\u003e) is logged under separate event types and needs its own coverage.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected policy changes to verify their legitimacy and identify the user responsible, using the actor and client details recorded in the System Log event.\u003c/li\u003e\n\u003cli\u003eReview Okta administrator account activity for any signs of compromise or unauthorized access.\u003c/li\u003e\n\u003cli\u003eRequire phishing-resistant multi-factor authentication (MFA), such as FIDO2/WebAuthn, for all Okta administrator accounts to prevent unauthorized access.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit Okta policies to ensure they are configured securely and in accordance with security best practices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-okta-policy-change/","summary":"An Okta policy was modified or deleted, potentially indicating unauthorized changes to security configurations within the Okta identity management platform by a malicious actor or insider.","title":"Okta Policy Modification or Deletion Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-okta-policy-change/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["privileged-access","privilege-escalation","okta"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA machine learning job, \u003ccode\u003epad_okta_spike_in_group_application_assignment_changes_ea\u003c/code\u003e, has detected an unusual spike in Okta group application assignment change events. 
This activity, monitored by the Privileged Access Detection integration, suggests potential malicious activity where threat actors may be assigning applications to groups to escalate access, maintain persistence, or facilitate lateral movement. This is particularly relevant for organizations using Okta for identity and access management, as attackers targeting this platform could gain significant control over user access and sensitive resources. The detection is based on identifying anomalies in Okta events and requires the Privileged Access Detection integration to be installed and configured properly, along with the Okta integration. This detection has been in production since February 2025, and updated in April 2026, requiring Elastic Stack version 9.4.0 or later to function correctly due to its reliance on Entity Analytics fields.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e An attacker compromises a user account with some level of administrative privileges within the Okta environment (T1078).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker leverages the compromised account to modify group application assignments, granting unauthorized access to sensitive applications (T1098).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eGroup Modification:\u003c/strong\u003e The attacker assigns applications to groups that the compromised user has access to modify. 
This allows the attacker to extend their reach within the organization.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApplication Assignment:\u003c/strong\u003e The attacker assigns applications to a group, potentially giving all members of that group access to the applications without proper authorization.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e With access to new applications, the attacker uses the newly gained privileges to access other systems and resources within the network (T1078).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker may create or modify additional group application assignments to ensure continued access, even if the initial compromised account is detected and remediated (T1098).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Access/Exfiltration:\u003c/strong\u003e The attacker leverages the escalated privileges to access and potentially exfiltrate sensitive data from the applications they now have access to.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to widespread unauthorized access to critical applications and data within the organization. The number of affected users and the extent of data breaches depend on the sensitivity of the applications accessed and the scope of the group membership changes. 
Consequences range from compliance violations and financial losses to reputational damage and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the Privileged Access Detection integration is installed and properly configured in your Elastic Stack environment as described in the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003esetup guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003epad_okta_spike_in_group_application_assignment_changes_ea\u003c/code\u003e machine learning job, prioritizing those involving sensitive applications or high-privilege groups. Expect benign spikes from bulk provisioning (onboarding waves, SCIM or automation runs); check whether the acting account is a known automation identity before escalating.\u003c/li\u003e\n\u003cli\u003eReview and update access controls and group assignment policies within Okta, as the advisory recommends, to prevent similar unauthorized changes in the future.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule provided with this brief to detect suspicious Okta group application assignment changes and tune it for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-okta-group-app-assignment-spike/","summary":"A machine learning job identified a spike in Okta group application assignment changes, potentially indicating threat actors escalating privileges, maintaining persistence, or moving laterally by assigning applications to groups.","title":"Okta Group Application Assignment Spike Indicates Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2024-01-okta-group-app-assignment-spike/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["low"],"_cs_tags":["lolbin","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAttackers may leverage LOLBINs, signed 
binaries that are part of the operating system, to perform malicious actions while blending in with legitimate system activity. This technique allows them to evade detection by application allowlists and signature validation. This brief focuses on the abuse of expand.exe, extrac32.exe, ieexec.exe, and makecab.exe to initiate outbound network connections. The LOLBINs are used to execute malicious code, download additional payloads, or establish command and control channels. This activity can be indicative of malware installation, data exfiltration, or other malicious post-exploitation activities. Detection is crucial to identify potentially compromised systems and prevent further damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system (e.g., through phishing or exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a signed LOLBIN, such as \u003ccode\u003eexpand.exe\u003c/code\u003e, \u003ccode\u003eextrac32.exe\u003c/code\u003e, \u003ccode\u003eieexec.exe\u003c/code\u003e, or \u003ccode\u003emakecab.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe LOLBIN is used to download or execute a malicious payload from a remote server.\u003c/li\u003e\n\u003cli\u003eThe executed binary establishes a network connection to an external IP address.\u003c/li\u003e\n\u003cli\u003eData exfiltration may occur over the established network connection.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence on the system by scheduling tasks or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging LOLBINs can result in the installation of malware, data theft, or full system compromise. 
The use of signed binaries makes it more difficult to detect malicious activity, potentially allowing attackers to operate undetected for extended periods. The financial and reputational damage caused by such attacks can be significant. While the risk score is low, the potential for defense evasion justifies monitoring.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the provided Sigma rule \u003ccode\u003eNetwork Connection via Signed Binary\u003c/code\u003e to detect suspicious network connections initiated by LOLBINs.\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for instances of \u003ccode\u003eexpand.exe\u003c/code\u003e, \u003ccode\u003eextrac32.exe\u003c/code\u003e, \u003ccode\u003eieexec.exe\u003c/code\u003e, and \u003ccode\u003emakecab.exe\u003c/code\u003e using process creation logging.\u003c/li\u003e\n\u003cli\u003eReview network connection logs for outbound connections initiated by these processes, excluding connections to internal networks based on the provided list of private IP ranges.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of LOLBINs making external network connections, correlating with other suspicious activities on the affected host, as detailed in the \u0026ldquo;Triage and analysis\u0026rdquo; section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-lolbin-network-connection/","summary":"Adversaries can use Living-Off-The-Land Binaries (LOLBINs) such as expand.exe, extrac32.exe, ieexec.exe, and makecab.exe to establish network connections, potentially bypassing security controls and facilitating malicious activities on Windows systems.","title":"LOLBIN Network Connection for Defense 
Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-lolbin-network-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Background Intelligent Transfer Service (BITS)","Adobe Reader","Docker Desktop"],"_cs_severities":["low"],"_cs_tags":["bits","ingress-transfer","command-and-control","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Adobe","Docker"],"content_html":"\u003cp\u003eThe Windows Background Intelligent Transfer Service (BITS) is a legitimate Windows service that allows for prioritized, asynchronous, and throttled transfer of files between a client and a server. Adversaries abuse BITS to download malicious payloads while evading typical security protections, as file transfers occur in the context of the \u003ccode\u003esvchost.exe\u003c/code\u003e process. This activity can obscure the origin of the download and bypass application whitelisting rules. This detection focuses on identifying file rename events where \u003ccode\u003esvchost.exe\u003c/code\u003e renames temporary BITS files (BIT*.tmp) to executable or archive file types, indicating a potential malicious download via BITS. 
This technique is commonly employed to deliver malware, exfiltrate data, or download additional tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker creates a BITS download job, typically with the \u003ccode\u003ebitsadmin.exe\u003c/code\u003e utility or the PowerShell \u003ccode\u003eStart-BitsTransfer\u003c/code\u003e cmdlet.\u003c/li\u003e\n\u003cli\u003eThe job is configured to fetch a malicious executable or archive from a remote server; the BITS service performs the transfer inside its \u003ccode\u003esvchost.exe\u003c/code\u003e host process, so the download is not attributed to the attacker\u0026rsquo;s own process.\u003c/li\u003e\n\u003cli\u003eWhile the transfer is in progress, BITS writes the data to a temporary \u003ccode\u003eBIT*.tmp\u003c/code\u003e file in the destination directory.\u003c/li\u003e\n\u003cli\u003eWhen the job completes, the \u003ccode\u003esvchost.exe\u003c/code\u003e process renames the temporary file to its final name and extension (e.g., .exe, .zip); this rename is the event the detection keys on.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the downloaded file, initiating further malicious activities.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence through registry keys or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe malware communicates with a command and control (C2) server to receive instructions and exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful abuse of BITS enables attackers to download and execute arbitrary code on compromised systems. The technique can bypass traditional security measures, leading to malware infections, data theft, and potentially full system compromise. It can be used in conjunction with other attack vectors to establish a persistent foothold within the network. 
While the rule itself triggers at low severity, the identified activity can be an early warning of more severe attack stages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Ingress Transfer via Windows BITS\u0026rdquo; Sigma rule to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon file creation (Event ID 11) and process creation (Event ID 1) logging for visibility into BITS-related activity. Note that Sysmon has no file rename event, so the rename logic in this rule depends on endpoint telemetry such as Elastic Defend; with Sysmon alone, Event ID 11 still shows \u003ccode\u003esvchost.exe\u003c/code\u003e creating the \u003ccode\u003eBIT*.tmp\u003c/code\u003e staging file.\u003c/li\u003e\n\u003cli\u003eMonitor network connections initiated by \u003ccode\u003esvchost.exe\u003c/code\u003e to identify potentially malicious downloads.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003ebitsadmin.exe\u003c/code\u003e being executed, especially with command-line arguments such as \u003ccode\u003e/transfer\u003c/code\u003e, \u003ccode\u003e/addfile\u003c/code\u003e or \u003ccode\u003e/resume\u003c/code\u003e that reference a remote URL.\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003eMicrosoft-Windows-Bits-Client/Operational\u003c/code\u003e Windows logs for unusual BITS jobs; event ID 59 records the job name, the owning account and the remote URL when a transfer starts.\u003c/li\u003e\n\u003cli\u003eBlock known malicious domains or IP addresses associated with BITS-related attacks at the firewall or DNS resolver.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-bits-ingress-transfer/","summary":"Adversaries may leverage Windows Background Intelligent Transfer Service (BITS) to download executable and archive files to evade defenses and establish command and control.","title":"Ingress Transfer via Windows BITS","url":"https://feed.craftedsignal.io/briefs/2024-01-bits-ingress-transfer/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["initial-access","removable-media","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies potential initial access attempts where adversaries use removable media, such as USB 
drives, to introduce malware into systems, potentially those on disconnected or air-gapped networks. The attack relies on copying malware to the removable media and taking advantage of Autorun or user execution to initiate the malicious process. The rule focuses on identifying suspicious process executions from USB devices lacking valid code signatures, followed by network connection attempts, indicating a potential attempt to establish command and control or exfiltrate data. This activity is significant as it can bypass traditional network security measures and establish a foothold within an organization\u0026rsquo;s environment. The detection logic is based on Elastic Defend telemetry.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker copies malware onto a USB drive from an infected system.\u003c/li\u003e\n\u003cli\u003eThe attacker physically inserts the USB drive into a target Windows system.\u003c/li\u003e\n\u003cli\u003eThe user, either unknowingly or through social engineering, executes the malicious binary from the USB drive. 
This could be achieved through Autorun features (if enabled) or by manually clicking on an executable file.\u003c/li\u003e\n\u003cli\u003eThe executed process, now running on the target system, lacks a valid code signature, raising suspicion.\u003c/li\u003e\n\u003cli\u003eThe malicious process attempts to establish a network connection, potentially to a command and control server or to exfiltrate data.\u003c/li\u003e\n\u003cli\u003eThe network connection attempt is logged, capturing details about the destination IP address and port.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the system and can potentially perform reconnaissance, privilege escalation, or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to unauthorized access to sensitive data, system compromise, and potential lateral movement within the network. Although the risk score is low, such attacks on air-gapped systems are high impact. 
The number of victims is unknown; however, organizations across all sectors are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation and network connection logging to detect this type of activity; the rule queries the Elastic Defend index patterns \u003ccode\u003elogs-endpoint.events.process-*\u003c/code\u003e and \u003ccode\u003elogs-endpoint.events.network-*\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Execution from a Removable Media with Network Connection\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eConfirm that AutoRun and AutoPlay are disabled through Group Policy on all systems. AutoRun from USB storage has been off by default since Windows 7, so user execution rather than AutoRun is the usual path; device-control policies that restrict which removable media may mount reduce that path as well.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-removable-media-execution/","summary":"Detects process execution from removable media by an unusual process with untrusted code signature followed by network connection attempts, potentially indicating malware introduced via removable media for initial access.","title":"Execution from Removable Media with Network Connection","url":"https://feed.craftedsignal.io/briefs/2024-01-removable-media-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Edge","Chrome","Firefox"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","dns-over-https","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Google","Mozilla"],"content_html":"\u003cp\u003eThe use of DNS-over-HTTPS (DoH) can obscure network activity, potentially allowing malicious actors to bypass traditional DNS monitoring and conceal data exfiltration. When DoH is enabled, network sensors lose visibility into DNS query names, types, and responses; all that remains visible is an HTTPS connection from the client to the resolver. This behavior is detected by monitoring registry modifications associated with enabling DoH in popular browsers such as Microsoft Edge, Google Chrome, and Mozilla Firefox. 
The registry keys targeted are associated with settings that force the browsers to use secure DNS resolution, potentially circumventing organizational security policies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to a Windows system through various means, such as phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (if necessary):\u003c/strong\u003e The attacker may need to escalate privileges to modify registry settings.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker modifies the Windows registry to enable DNS-over-HTTPS (DoH) in web browsers like Edge, Chrome, or Firefox. This is achieved by modifying specific registry keys such as \u003ccode\u003eHKLM\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled\u003c/code\u003e, \u003ccode\u003eHKLM\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode\u003c/code\u003e, or \u003ccode\u003eHKLM\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObfuscation:\u003c/strong\u003e By enabling DoH, the attacker encrypts DNS queries, making it difficult for network monitoring tools to inspect DNS traffic.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The attacker establishes command and control (C2) communication with a remote server over encrypted DNS traffic, evading traditional network-based detection methods.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The attacker uses the encrypted DNS channel to exfiltrate sensitive data, bypassing network security controls that rely on DNS inspection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Optional):\u003c/strong\u003e The attacker might establish 
persistence by keeping the DoH settings in place; because they are written to the registry, they remain in effect across reboots unless Group Policy or a configuration tool resets them.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful use of this technique leads to a loss of visibility into DNS traffic, hindering incident response and threat hunting efforts. Attackers can effectively hide command-and-control communications and data exfiltration activities. Although this activity by itself isn\u0026rsquo;t inherently malicious, it removes a layer of defense, increasing the risk that malicious activities will go undetected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect the enabling of DNS-over-HTTPS via registry modifications. Match on the written value as well as the key path: the same policy keys are used to disable DoH, so a key path alone will alert on hardening as well as on evasion.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging (Event ID 13, value set) with the Edge, Chrome and Firefox policy paths included in the configuration, so that the provided Sigma rules have events to match.\u003c/li\u003e\n\u003cli\u003eReview and update security policies so that DNS-over-HTTPS is enabled only through approved channels and for legitimate purposes, and create exceptions in the detection rule for systems where this is a known requirement.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on identifying the user account, process, and associated network activity (reference the investigation guide in the source URL).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-dns-over-https-enabled/","summary":"Detection of DNS-over-HTTPS (DoH) being enabled via registry modifications on Windows systems, potentially indicating defense evasion and obfuscation of network activity by masking DNS queries.","title":"DNS-over-HTTPS Enabled via Registry 
Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-dns-over-https-enabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","OneDrive.exe","OneDriveSetup.exe","FileSyncConfig.exe","Teams.exe","MicrosoftEdgeUpdate.exe","msrdcw.exe","MicrosoftEdgeUpdateComRegisterShell64.exe","setup.exe","PowerToys.PowerLauncher.exe"],"_cs_severities":["low"],"_cs_tags":["persistence","com-hijacking","windows","registry","defense-evasion","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Elastic","Island Technology Inc.","Google LLC","Grammarly, Inc.","Dropbox, Inc.","REFINITIV US LLC","HP Inc.","Adobe Inc.","Citrix Systems, Inc.","Veeam Software Group GmbH","Zhuhai Kingsoft Office Software Co., Ltd.","Oracle America, Inc.","Brave Software, Inc.","DeepL SE","Opera Norway AS","Slack Technologies, LLC","Spotify AB","Vivaldi Technologies AS","Microsoft"],"content_html":"\u003cp\u003eComponent Object Model (COM) hijacking is a persistence and privilege escalation technique used by adversaries to execute malicious code by hijacking references to COM objects. This involves modifying specific registry keys to redirect COM object instantiation to attacker-controlled DLLs or executables. The technique is difficult to detect due to the legitimate use of COM objects by various applications and the operating system itself. This brief focuses on identifying suspicious registry modifications indicative of COM hijacking, while excluding known legitimate processes to minimize false positives. The original Elastic detection rule was published in November 2020 and last updated in May 2026, showcasing its continued relevance. 
This activity matters to defenders because successful COM hijacking allows attackers to execute arbitrary code with the privileges of the user or service that instantiates the hijacked COM object.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target COM object to hijack by enumerating CLSID entries in the registry, typically choosing an object that a frequently running process instantiates.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies the \u003ccode\u003eInprocServer32\u003c/code\u003e (in-process DLL) or \u003ccode\u003eLocalServer32\u003c/code\u003e (out-of-process executable) value for the target CLSID so that it points to a malicious DLL or executable. Because \u003ccode\u003eHKEY_CLASSES_ROOT\u003c/code\u003e is a merged view in which per-user entries under \u003ccode\u003eHKCU\\Software\\Classes\u003c/code\u003e take precedence over machine-wide entries under \u003ccode\u003eHKLM\u003c/code\u003e, a standard user can do this without administrative rights.\u003c/li\u003e\n\u003cli\u003eThe attacker may also set the \u003ccode\u003eDelegateExecute\u003c/code\u003e value to control how the COM object is executed.\u003c/li\u003e\n\u003cli\u003eA legitimate application or service attempts to instantiate the original COM object.\u003c/li\u003e\n\u003cli\u003eDue to the registry modifications, the malicious DLL or executable is loaded and executed instead.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs its intended actions, such as establishing persistence, escalating privileges, or executing arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the system and potentially gains elevated privileges through the hijacked COM object.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful COM hijacking enables attackers to establish persistent access to compromised systems and potentially escalate privileges. The impact can range from executing arbitrary code with user privileges to gaining system-level access, depending on the context in which the hijacked COM object is used. 
The Elastic detection rule aims to identify such attacks by detecting suspicious registry modifications; the overall number of affected systems and the sectors targeted by this technique are not specified in the original source.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Windows Registry auditing to capture registry modification events and activate the Sigma rule \u003ccode\u003eSuspicious COM Hijack Registry Modification\u003c/code\u003e to detect potential COM hijacking attempts.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the process that wrote the COM-related registry value, the path it wrote, and whether the referenced DLL or executable is signed and whether it sits in a user-writable directory.\u003c/li\u003e\n\u003cli\u003eImplement code signing validation and monitor for unsigned or unexpected DLLs being loaded by legitimate processes, as indicated in the rule\u0026rsquo;s description.\u003c/li\u003e\n\u003cli\u003eRegularly review and update the list of excluded processes and trusted code signers in the Sigma rule to minimize false positives.\u003c/li\u003e\n\u003cli\u003eDeploy the EQL rule provided by Elastic, adjusting the \u003ccode\u003efrom\u003c/code\u003e and \u003ccode\u003eindex\u003c/code\u003e fields to match your environment, and tune the process and signature exclusions for your environment.\u003c/li\u003e\n\u003cli\u003ePay particular attention to COM server entries written under the \u003ccode\u003eHKEY_USERS\u003c/code\u003e hive (\u003ccode\u003eHKU\\*\\Software\\Classes\\CLSID\\*\u003c/code\u003e): most software registers COM servers machine-wide under \u003ccode\u003eHKLM\u003c/code\u003e, and per-user entries take precedence over them, so a per-user \u003ccode\u003eInprocServer32\u003c/code\u003e value pointing at a user-writable path is a strong signal. Per-user installers (OneDrive, Teams, browsers) are the main legitimate exception and are why the rule carries a process exclusion list.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-com-hijacking/","summary":"Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects through Component Object Model (COM) hijacking via registry modification on Windows systems.","title":"Component Object Model (COM) 
Hijacking via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-com-hijacking/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["active-directory","discovery","reconnaissance","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eADExplorer is an advanced Active Directory (AD) viewer and editor; it includes the ability to save snapshots of an AD database for offline viewing and comparisons. Adversaries may abuse this utility to perform domain reconnaissance and gather sensitive information about the AD structure, user accounts, and group memberships. The execution of ADExplorer is a potential indicator of malicious activity, especially when observed in environments where its use is not typical or when executed by unauthorized users. This activity can lead to further exploitation, such as privilege escalation and lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means (e.g., compromised credentials, phishing).\u003c/li\u003e\n\u003cli\u003eThe attacker downloads the ADExplorer utility (ADExplorer.exe) to the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker executes ADExplorer.exe to begin enumeration of the Active Directory environment.\u003c/li\u003e\n\u003cli\u003eADExplorer interacts with the Active Directory domain controllers, querying information about users, groups, computers, and organizational units.\u003c/li\u003e\n\u003cli\u003eThe attacker may use ADExplorer to save snapshots of the AD database for offline analysis.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the gathered information to identify privileged accounts, critical assets, and potential vulnerabilities within the AD 
environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the discovered information to plan further attacks, such as lateral movement or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of ADExplorer by malicious actors can lead to the discovery of sensitive information about the Active Directory environment. This information can be leveraged to facilitate lateral movement, privilege escalation, and data exfiltration. While the initial risk score is low, the reconnaissance activity enables follow-on attacks that can have severe consequences, potentially leading to full domain compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect ADExplorer Execution via Process Name\u003c/code\u003e to detect the execution of ADExplorer based on process name.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect ADExplorer Execution via Original File Name\u003c/code\u003e to detect the execution of ADExplorer based on the process\u0026rsquo;s original file name.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events on Windows endpoints for the execution of ADExplorer.exe or processes with an original file name of \u0026ldquo;AdExp\u0026rdquo; to detect potential reconnaissance activities.\u003c/li\u003e\n\u003cli\u003eInvestigate and validate any execution of ADExplorer by non-administrator accounts.\u003c/li\u003e\n\u003cli\u003eReview ADExplorer use and restrict its usage to authorized personnel.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-adexplorer-execution/","summary":"Detects the execution of ADExplorer, a tool used for Active Directory viewing and editing, which can be abused by adversaries for domain reconnaissance and creating offline 
snapshots of the AD database.","title":"Active Directory Discovery via ADExplorer Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-adexplorer-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["endpoint","windows","defense evasion","machine learning","lolbins"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA machine learning (ML) rule has identified unusual process execution on a Windows endpoint. This detection leverages two ML models from the Elastic ProblemChild integration: a supervised model that predicts malicious processes and an unsupervised model that identifies processes anomalous to the user\u0026rsquo;s typical behavior. The rule focuses on detecting defense evasion tactics, specifically the potential use of Living-off-the-Land Binaries (LOLbins) or masquerading techniques, which can be difficult to detect with traditional signature-based methods. This detection uses data from the Elastic Endpoint or Winlogbeat and requires the Living off the Land (LotL) Attack Detection integration assets to be installed. 
This rule was last updated April 1, 2026 and requires Elastic Stack version 9.4.0 or higher.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access through an existing user account.\u003c/li\u003e\n\u003cli\u003eExecution: The attacker executes a standard Windows process (e.g., cmd.exe, powershell.exe).\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker leverages LOLbins to perform malicious actions, blending in with legitimate system activity.\u003c/li\u003e\n\u003cli\u003eMasquerading: The attacker renames or moves malicious tools to mimic legitimate system files.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (Optional): The attacker attempts to escalate privileges using the compromised process.\u003c/li\u003e\n\u003cli\u003eLateral Movement (Optional): The attacker uses the compromised process to move laterally to other systems.\u003c/li\u003e\n\u003cli\u003eCommand and Control (Optional): The process establishes a connection to a command and control server for further instructions.\u003c/li\u003e\n\u003cli\u003eImpact: The attacker achieves their objective, such as data exfiltration, system compromise, or persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using these techniques can lead to a full system compromise, data theft, or the installation of persistent backdoors. The use of LOLbins makes detection difficult, potentially allowing attackers to operate undetected for extended periods. The impact is amplified by the potential for lateral movement to other systems within the network. 
While the severity is rated \u0026ldquo;low\u0026rdquo;, successful exploitation allows attackers to move laterally and establish persistence in the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the Living off the Land (LotL) Attack Detection integration is installed and properly configured, as detailed in the rule setup (Elastic Defend or Winlogbeat).\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the \u0026ldquo;Unusual Process Spawned by a User\u0026rdquo; rule (rule_id: 40155ee4-1e6a-4e4d-a63b-e8ba16980cfb) to determine the legitimacy of the flagged process.\u003c/li\u003e\n\u003cli\u003eTune the anomaly threshold (anomaly_threshold: 75) based on your environment to reduce false positives, as mentioned in the rule parameters.\u003c/li\u003e\n\u003cli\u003eReview the \u0026ldquo;False positive analysis\u0026rdquo; section in the rule\u0026rsquo;s note for guidance on identifying and excluding legitimate processes.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect unusual command line arguments associated with LOLBins.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-rare-process-user/","summary":"A machine learning job detected a suspicious Windows process, predicted to be malicious by the ProblemChild supervised ML model and found to be unusual within the user's context, potentially indicating defense evasion techniques like masquerading or the use of LOLbins.","title":"Unusual Process Spawned by a User Detected by Machine Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-rare-process-user/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["defense-evasion","lolbin","windows","machine-learning"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection leverages 
the ProblemChild supervised machine learning model to identify unusual Windows processes that may be indicative of defense evasion tactics. The model flags processes that are both statistically unusual for a given host and predicted to be suspicious based on their characteristics. This approach aims to detect Living off the Land (LotL) attacks, where adversaries use legitimate system binaries (LOLbins) to evade traditional signature-based detection methods. The rule specifically targets processes observed on hosts that do not commonly exhibit malicious behavior. The alert requires Elastic\u0026rsquo;s Living off the Land (LotL) Attack Detection integration assets to be installed and processes Windows process events collected by Elastic Defend or Winlogbeat. This detection rule was last updated on 2026-04-01 and requires Elastic Stack version 9.4.0 or higher.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a LOLbin (e.g., \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e) to execute malicious commands.\u003c/li\u003e\n\u003cli\u003eThe LOLbin spawns a child process to perform a specific task, such as downloading a file or modifying system settings.\u003c/li\u003e\n\u003cli\u003eThe spawned process exhibits characteristics flagged as suspicious by the ProblemChild ML model.\u003c/li\u003e\n\u003cli\u003eThe suspicious process attempts to evade detection by masquerading as a legitimate system process or by obfuscating its activity.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the process to establish persistence, escalate privileges, or move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe ultimate objective is to exfiltrate sensitive data, deploy ransomware, or disrupt business 
operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful defense evasion attack can allow adversaries to operate undetected within a network, leading to data breaches, financial losses, and reputational damage. The use of LOLbins makes it difficult to distinguish malicious activity from legitimate system operations. This detection rule aims to reduce the dwell time of attackers by identifying suspicious processes early in the attack chain, even if they are using legitimate tools. False positives may occur due to routine administrative tasks, software updates, or custom scripts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure that the Living off the Land (LotL) Attack Detection integration is installed and properly configured, as described in the \u0026ldquo;Setup\u0026rdquo; section of this brief.\u003c/li\u003e\n\u003cli\u003eVerify that Windows process events are being collected by Elastic Defend or Winlogbeat, as required by the detection rule.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect unusual process spawns and tune the \u003ccode\u003eImage|endswith\u003c/code\u003e and \u003ccode\u003eCommandLine|contains\u003c/code\u003e conditions for your specific environment.\u003c/li\u003e\n\u003cli\u003eReview the investigation guide provided in the rule description to triage and analyze potential false positives.\u003c/li\u003e\n\u003cli\u003eAdjust the \u003ccode\u003eanomaly_threshold\u003c/code\u003e (currently 75) in the Elastic detection rule based on your environment\u0026rsquo;s baseline to reduce noise.\u003c/li\u003e\n\u003cli\u003eMonitor for MITRE ATT\u0026amp;CK Technique T1218 (System Binary Proxy Execution) to identify potential LOLbin 
abuse.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-problemchild-rare-process/","summary":"The ProblemChild machine learning model detected a rare Windows process indicative of defense evasion, potentially involving LOLbins, on a host not commonly associated with malicious activity.","title":"ProblemChild ML Model Detects Unusual Process on Windows Host","url":"https://feed.craftedsignal.io/briefs/2024-01-03-problemchild-rare-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","Sysmon","CrowdStrike Falcon","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","persistence","windows","attrib.exe"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers can add the \u0026lsquo;hidden\u0026rsquo; attribute to files to hide them from the user in an attempt to evade detection. This technique involves using the \u003ccode\u003eattrib.exe\u003c/code\u003e utility to modify file attributes. By setting the hidden attribute, adversaries can conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it. This tactic is often employed post-compromise to maintain a stealthy presence within the target environment. Detection focuses on monitoring process executions that involve \u003ccode\u003eattrib.exe\u003c/code\u003e with command-line arguments indicating the modification of the hidden attribute. 
The rule is designed for data generated by Elastic Defend, CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a Windows system through various means such as exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges to gain the necessary permissions to execute system utilities.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker uses \u003ccode\u003eattrib.exe\u003c/code\u003e to modify the hidden attribute of a malicious file or directory. For example, \u003ccode\u003eattrib.exe +h C:\\path\\to\\malicious\\file.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eConcealment: The malicious file or directory is now hidden from normal directory listings, making it harder for users and administrators to detect.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence by hiding malicious scripts or executables in startup directories or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the hidden files to move laterally within the network, potentially using them as part of a larger attack campaign.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of this attack includes prolonged attacker presence, increased difficulty in detecting malicious activity, and potential data exfiltration or system compromise. While the risk score is relatively low, the technique contributes to a broader attack chain and can significantly hinder incident response efforts. 
Successfully hiding artifacts might lead to further compromise, data breaches, or ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Adding Hidden File Attribute via Attrib\u0026rdquo; to your SIEM to detect suspicious usage of \u003ccode\u003eattrib.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line monitoring in Windows environments to ensure the Sigma rule can capture relevant events.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent processes and target files to determine if the activity is legitimate.\u003c/li\u003e\n\u003cli\u003eCorrelate detections of \u003ccode\u003eattrib.exe\u003c/code\u003e with other suspicious activities or alerts on the same host.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring to detect unauthorized changes to file attributes, including the hidden attribute.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-attrib-hidden-file/","summary":"Adversaries can use attrib.exe to add the 'hidden' attribute to files to hide them from users and evade detection, which can be detected by monitoring process executions related to attrib.exe.","title":"Adding Hidden File Attribute via Attrib.exe","url":"https://feed.craftedsignal.io/briefs/2024-01-03-attrib-hidden-file/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["privileged-access-detection","machine-learning","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert leverages Elastic\u0026rsquo;s machine learning capabilities to identify anomalous network activity related to privileged operations in Windows. 
Specifically, it flags instances where a user performs privileged actions from a source IP address that is not typically associated with their account. The detection rule, \u003ccode\u003eUnusual Source IP for Windows Privileged Operations Detected\u003c/code\u003e, is triggered by the \u003ccode\u003epad_windows_rare_source_ip_by_user_ea\u003c/code\u003e machine learning job. The underlying machine learning model analyzes network patterns and user behavior to detect deviations from established baselines. Such deviations can indicate account compromise, insider threat activity, or attackers leveraging new network locations for privilege escalation within a Windows environment. This detection is enabled through the Privileged Access Detection integration assets within Elastic Security, supporting deployments of Elastic Defend and the Windows integration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (TA0001):\u003c/strong\u003e An attacker gains initial access to a user account through credential compromise or other means.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (TA0004):\u003c/strong\u003e The attacker attempts to escalate privileges using the compromised account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnusual Network Location:\u003c/strong\u003e The attacker leverages a VPN, proxy, or compromised host in a different network segment to conduct privileged operations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eWindows Privileged Operation:\u003c/strong\u003e The attacker performs a privileged action on a Windows system, such as modifying system files, creating new accounts, or accessing sensitive data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eML Anomaly Detection:\u003c/strong\u003e Elastic\u0026rsquo;s machine learning job \u003ccode\u003epad_windows_rare_source_ip_by_user_ea\u003c/code\u003e detects the unusual source IP 
for the privileged operation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAlert Triggered:\u003c/strong\u003e The \u0026ldquo;Unusual Source IP for Windows Privileged Operations Detected\u0026rdquo; rule triggers an alert in Elastic Security.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePotential Lateral Movement:\u003c/strong\u003e If successful, the attacker can use the elevated privileges to move laterally within the network and compromise other systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Impact:\u003c/strong\u003e The attacker achieves their final objective, such as data exfiltration, system disruption, or ransomware deployment, leveraging the escalated privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and privilege escalation can allow an attacker to move laterally through the network, access sensitive data, and disrupt critical systems. While the alert itself is low severity, the underlying activity can lead to significant damage if not addressed promptly. The risk score associated with the rule is 21, indicating a moderate level of risk. 
Affected organizations may experience data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview and tune the machine learning job \u003ccode\u003epad_windows_rare_source_ip_by_user_ea\u003c/code\u003e to reduce false positives and ensure accurate detection of anomalous activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the \u0026ldquo;Unusual Source IP for Windows Privileged Operations Detected\u0026rdquo; rule, focusing on identifying the root cause of the unusual source IP and the nature of the privileged operations performed.\u003c/li\u003e\n\u003cli\u003eImplement the setup steps outlined in the rule documentation to ensure proper collection and ingestion of Windows events required for the machine learning job to function correctly.\u003c/li\u003e\n\u003cli\u003eCorrelate the alerts with other security events or logs, such as firewall logs, VPN logs, or endpoint security alerts, to gather additional context about the source IP and user activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:00:00Z","date_published":"2024-01-02T15:00:00Z","id":"/briefs/2024-01-unusual-source-ip-privileged-ops/","summary":"A machine learning job detected a user performing privileged operations in Windows from an uncommon source IP, potentially indicating account compromise or privilege escalation.","title":"Unusual Source IP for Windows Privileged Operations Detected via ML","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-source-ip-privileged-ops/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["privileged-access","privilege-escalation","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection leverages a machine learning job within the Elastic stack to identify anomalous privilege usage on Windows systems. 
Specifically, it flags instances where a user is observed utilizing a privilege type that deviates significantly from their established baseline behavior. The underlying machine learning model, \u003ccode\u003epad_windows_rare_privilege_assigned_to_user_ea\u003c/code\u003e, analyzes Windows event logs collected via integrations like Elastic Defend and the Windows integration. This detection aims to identify potential privilege escalation attempts (T1068) or account manipulation (T1098), where adversaries attempt to gain unauthorized access or elevate their privileges by exploiting uncommon privilege assignments. The detection rule has been available since Elastic Stack version 9.4.0. It is crucial to investigate these anomalies as they might indicate malicious actors attempting to bypass standard security measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Windows system (T1078) using valid credentials, possibly through compromised accounts or insider threats.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to perform privileged operations, such as accessing sensitive files, modifying system configurations, or installing unauthorized software.\u003c/li\u003e\n\u003cli\u003eTo bypass access controls, the attacker leverages a privilege type that is not commonly associated with the compromised user account.\u003c/li\u003e\n\u003cli\u003eWindows event logs record the privilege usage, capturing details about the user, the privilege type, and the associated operation.\u003c/li\u003e\n\u003cli\u003eThe Elastic Privileged Access Detection (PAD) integration ingests and processes these logs, feeding them into the machine learning model.\u003c/li\u003e\n\u003cli\u003eThe machine learning model identifies the anomalous privilege usage, comparing it against the user\u0026rsquo;s baseline behavior.\u003c/li\u003e\n\u003cli\u003eIf the anomaly score exceeds the configured 
threshold (e.g., 75), a detection alert is triggered, indicating potential malicious activity.\u003c/li\u003e\n\u003cli\u003eSecurity analysts investigate the alert to determine the legitimacy of the privilege usage and take appropriate remediation actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful privilege escalation attack can grant an attacker complete control over the compromised system, allowing them to steal sensitive data, install malware, or disrupt critical services. Account manipulation can lead to unauthorized access to resources and systems, potentially impacting confidentiality, integrity, and availability. While the provided rule is low severity due to the anomaly-based nature, the potential impact of successful privilege escalation is critical and warrants immediate investigation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the Privileged Access Detection integration assets are installed and configured correctly within your Elastic environment as outlined in the \u0026ldquo;Setup\u0026rdquo; section of the rule description.\u003c/li\u003e\n\u003cli\u003eVerify Windows event logs are being collected by integrations such as Elastic Defend and the Windows integration to provide data for the ML job.\u003c/li\u003e\n\u003cli\u003eTune the \u003ccode\u003eanomaly_threshold\u003c/code\u003e within the machine learning job configuration based on your environment\u0026rsquo;s baseline activity to reduce false positives while maintaining detection sensitivity.\u003c/li\u003e\n\u003cli\u003eReview the investigation guide provided in the rule description to effectively triage and analyze alerts generated by the machine learning job.\u003c/li\u003e\n\u003cli\u003eImplement and enforce role-based access controls to minimize the number of users with elevated privileges, reducing the attack 
surface.\u003c/li\u003e\n\u003cli\u003eUtilize the MITRE ATT\u0026amp;CK framework references (T1068, T1078, T1098) to understand the potential tactics and techniques associated with privilege escalation and account manipulation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:00:00Z","date_published":"2024-01-02T15:00:00Z","id":"/briefs/2024-01-unusual-privilege-type/","summary":"A machine learning job has identified a user leveraging an uncommon privilege type for privileged operations on Windows systems, potentially indicating privileged access activity and requiring investigation for privilege escalation or account manipulation.","title":"Unusual Privilege Type Assigned to User via Machine Learning Anomaly","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-privilege-type/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["privileged-access-detection","anomaly-detection","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief describes the detection of unusual privileged access activity in Windows environments. The detection leverages a machine learning model (\u0026ldquo;pad_windows_rare_device_by_user_ea\u0026rdquo;) designed to identify deviations from typical host usage patterns. Specifically, it flags instances where a user performs privileged operations from a device not commonly associated with that user. This activity can indicate a compromised account where an attacker is using stolen credentials or an insider threat attempting to escalate privileges from an unauthorized device. The detection is part of the Elastic Privileged Access Detection (PAD) integration and focuses on Windows events collected by Elastic Defend and Windows integrations. The PAD integration requires Fleet and properly configured agents. 
The anomaly_threshold is set to 75.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a valid user account, potentially through phishing, credential stuffing, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into a Windows system using the compromised account from a device that is not typically used by that user.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to execute privileged operations on the system, such as installing software, modifying system settings, or accessing sensitive data.\u003c/li\u003e\n\u003cli\u003eWindows logs capture the privileged operations being performed by the user account from the unusual device.\u003c/li\u003e\n\u003cli\u003eThe Elastic Privileged Access Detection (PAD) integration analyzes the logs using its machine learning model (\u0026ldquo;pad_windows_rare_device_by_user_ea\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe ML model identifies the activity as anomalous based on the rarity of the device being used by the user for privileged operations.\u003c/li\u003e\n\u003cli\u003eA detection rule triggers, flagging the unusual activity as a potential privileged access attempt.\u003c/li\u003e\n\u003cli\u003eThe security team investigates to determine whether the activity is malicious or a legitimate use case (e.g., user working from a new device).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to privilege escalation, allowing the attacker to gain control of the system and potentially the entire network. This can result in data breaches, system compromise, and disruption of services. The severity is rated as low because the detection relies on anomalies and requires further investigation to confirm malicious intent. 
Identifying unusual access patterns early can prevent more severe incidents.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the Privileged Access Detection integration is installed and properly configured, including the preconfigured anomaly detection jobs, as outlined in the \u003ca href=\"#setup\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the \u0026ldquo;Unusual Host Name for Windows Privileged Operations Detected\u0026rdquo; rule, focusing on the specific user and host involved, per the \u003ca href=\"#triage-and-analysis\"\u003einvestigation guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for privileged accounts to mitigate the risk of unauthorized access even if credentials are compromised, as mentioned in the \u003ca href=\"#response-and-remediation\"\u003eresponse and remediation\u003c/a\u003e section.\u003c/li\u003e\n\u003cli\u003eReview and update access controls and permissions to ensure that only authorized devices and users can perform privileged operations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:00:00Z","date_published":"2024-01-02T15:00:00Z","id":"/briefs/2024-01-02-unusual-windows-privileged-access/","summary":"A machine learning job has identified a user performing privileged operations in Windows from an uncommon device, indicating potential privileged access activity associated with compromised accounts or insider threats.","title":"Unusual Host Name for Windows Privileged Operations Detected via 
ML","url":"https://feed.craftedsignal.io/briefs/2024-01-02-unusual-windows-privileged-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["low"],"_cs_tags":["execution","defense-evasion","windows","ping","lolbas"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may use ping to introduce a pause before executing harmful scripts or binaries. Windows \u003ccode\u003eping\u003c/code\u003e sends its \u003ccode\u003e-n\u003c/code\u003e echo requests one second apart, so \u003ccode\u003eping -n 30 127.0.0.1\u003c/code\u003e is a sleep of roughly thirty seconds that needs no extra tooling and can outlast a sandbox\u0026rsquo;s observation window. The adversary runs \u003ccode\u003eping.exe\u003c/code\u003e with the \u003ccode\u003e-n\u003c/code\u003e argument from within a \u003ccode\u003ecmd.exe\u003c/code\u003e shell that is running under a user context other than SYSTEM. The same \u003ccode\u003ecmd.exe\u003c/code\u003e then invokes a commonly abused utility, such as \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e, or an executable from the user\u0026rsquo;s AppData directory without a valid code signature. 
This behavior is often observed during malware installation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attack begins with an initial access vector (not specified in source).\u003c/li\u003e\n\u003cli\u003eThe adversary executes \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ecmd.exe\u003c/code\u003e spawns \u003ccode\u003eping.exe\u003c/code\u003e with the \u003ccode\u003e-n\u003c/code\u003e argument to introduce a delay, typically to evade detection (\u003ccode\u003eping.exe -n [number] 127.0.0.1\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAfter the delay introduced by \u003ccode\u003eping.exe\u003c/code\u003e, the same \u003ccode\u003ecmd.exe\u003c/code\u003e process executes a potentially malicious utility such as \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, or \u003ccode\u003eregsvr32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAlternatively, \u003ccode\u003ecmd.exe\u003c/code\u003e might execute a binary located within the user\u0026rsquo;s AppData directory that lacks a valid code signature.\u003c/li\u003e\n\u003cli\u003eThe malicious utility executes arbitrary commands or scripts, potentially downloading further payloads or modifying system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the system, enabling further malicious activities such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to malware installation, system compromise, and data theft. While the source does not quantify the number of victims or specific sectors targeted, a successful compromise can lead to significant operational disruption and data breaches. 
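The pattern described above, as an added example that is not the brief's Sigma rule: a Python correlation run over constructed process-creation events. The field names (pid, parent_pid, user, parent_image, image, command_line, signed) are this example's own rather than a SIEM schema, and the timeline is constructed.

```python
"""Delayed execution via ping, correlated over constructed process events.

Added example for this brief; it is not the Sigma rule. The event fields
(pid, parent_pid, user, parent_image, image, command_line, signed) are this
example's own names rather than a SIEM schema, and the events are constructed.
"""
import re

# Utilities the brief names as commonly launched once the delay has elapsed.
ABUSED_UTILITIES = {"powershell.exe", "mshta.exe", "rundll32.exe",
                    "certutil.exe", "regsvr32.exe"}
SYSTEM_USERS = {"NT AUTHORITY\\SYSTEM", "SYSTEM"}
# ping -n <count>: echo requests go out a second apart, so the count is
# roughly the number of seconds the shell sleeps.
PING_DELAY = re.compile(r"(?:^|\s)-n\s+\d+", re.IGNORECASE)


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def is_unsigned_appdata_binary(event):
    """Executable under a user's AppData tree that lacks a valid signature."""
    return ("\\appdata\\" in event["image"].lower()
            and event.get("signed") is not True)


def detect_delayed_execution(events):
    """One alert per cmd.exe that ran `ping -n` and then an abused binary.

    Events must be in time order; a child is tied to its cmd.exe parent by
    parent_pid. Shells running as SYSTEM are out of scope, as in the brief.
    """
    pending_ping = {}  # parent_pid -> the ping event seen under that shell
    alerts = []
    for ev in events:
        if _basename(ev["parent_image"]) != "cmd.exe":
            continue
        if ev["user"].upper() in SYSTEM_USERS:
            continue
        child = _basename(ev["image"])
        if child == "ping.exe" and PING_DELAY.search(ev["command_line"]):
            pending_ping[ev["parent_pid"]] = ev
            continue
        ping = pending_ping.get(ev["parent_pid"])
        if ping and (child in ABUSED_UTILITIES or is_unsigned_appdata_binary(ev)):
            alerts.append({
                "parent_pid": ev["parent_pid"],
                "user": ev["user"],
                "delay_command": ping["command_line"],
                "image": ev["image"],
                "command_line": ev["command_line"],
            })
    return alerts


def _ev(pid, parent_pid, user, image, command_line, signed=True,
        parent_image="C:\\Windows\\System32\\cmd.exe"):
    return {"pid": pid, "parent_pid": parent_pid, "user": user,
            "parent_image": parent_image, "image": image,
            "command_line": command_line, "signed": signed}


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
PING = "C:\\Windows\\System32\\PING.EXE"

# Constructed timeline: two hits (unsigned AppData binary; mshta), one SYSTEM
# installer that is out of scope, and a PowerShell launch with no prior ping.
SAMPLE_EVENTS = [
    _ev(4100, 4000, "CORP\\jdoe", PING, "ping -n 30 127.0.0.1"),
    _ev(4101, 4000, "CORP\\jdoe", "C:\\Users\\jdoe\\AppData\\Roaming\\update.exe",
        "update.exe", signed=False),
    _ev(5200, 5000, "NT AUTHORITY\\SYSTEM", PING, "ping -n 5 127.0.0.1"),
    _ev(5201, 5000, "NT AUTHORITY\\SYSTEM", PS, "powershell -c Get-Date"),
    _ev(6100, 6000, "CORP\\ops", PS, "powershell -c Get-Date"),
    _ev(7100, 7000, "CORP\\jdoe", PING, "ping -n 20 127.0.0.1"),
    _ev(7101, 7000, "CORP\\jdoe", "C:\\Windows\\System32\\mshta.exe",
        "mshta.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\a.hta"),
]

if __name__ == "__main__":
    for alert in detect_delayed_execution(SAMPLE_EVENTS):
        print(alert)
```

The pairing never expires, so on a long-lived shell a ping from hours earlier still pairs with a later launch; add a time bound on the stored ping event if that proves noisy in your environment.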
The use of delayed execution makes it more difficult for traditional security solutions to detect malicious activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Delayed Execution via Ping\u0026rdquo; to your SIEM to detect the execution of commonly abused Windows utilities via a delayed Ping execution.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring with command-line argument logging to capture the execution of \u003ccode\u003eping.exe\u003c/code\u003e and subsequent processes for analysis.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on the utilities identified in the rule.\u003c/li\u003e\n\u003cli\u003eReview and tune the provided Sigma rule, including the listed exclusions, to reduce false positives in your specific environment.\u003c/li\u003e\n\u003cli\u003eMonitor process execution from unusual locations like the AppData directory, especially for unsigned executables, as indicated in the rule\u0026rsquo;s detection logic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T14:00:00Z","date_published":"2024-01-02T14:00:00Z","id":"/briefs/2024-01-delayed-execution-via-ping/","summary":"Adversaries may use ping to delay execution of malicious commands, scripts, or binaries to evade detection, often observed during malware installation.","title":"Windows Delayed Execution via Ping Followed by Malicious Utilities","url":"https://feed.craftedsignal.io/briefs/2024-01-delayed-execution-via-ping/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["initial-access","exfiltration","windows","registry","usb"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThis detection identifies the 
first-time appearance of removable devices on a Windows system by monitoring registry modifications. While not inherently malicious, the activity can indicate potential data exfiltration over removable media or initial access attempts using malware delivered via USB. The rule specifically looks for registry events that set the \u0026ldquo;FriendlyName\u0026rdquo; value under a USB storage device instance (\u0026ldquo;USBSTOR\u0026rdquo;), which Windows writes when it installs a device it has not seen before. This helps in identifying potentially unauthorized devices connected to the system. The detection is designed to work with data from Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user connects a removable device (e.g., USB drive) to a Windows system.\u003c/li\u003e\n\u003cli\u003ePlug and Play enumerates the device and derives an instance ID from its vendor, product, and serial number.\u003c/li\u003e\n\u003cli\u003eThe instance is recorded under the \u003ccode\u003eHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\u003c/code\u003e key, with device-specific values including \u0026ldquo;FriendlyName.\u0026rdquo;\u003c/li\u003e\n\u003cli\u003eIf the device is new to the system, these values are created for the first time, including its friendly name.\u003c/li\u003e\n\u003cli\u003eThat registry write produces a registry modification event, which is logged by Sysmon, Elastic Defend, Microsoft Defender XDR, or SentinelOne.\u003c/li\u003e\n\u003cli\u003eAn attacker may use the USB device to deploy malware or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker copies files to the USB device.\u003c/li\u003e\n\u003cli\u003eThe attacker removes the USB device, completing the exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and data exfiltration via USB can lead to the loss of 
sensitive information, intellectual property theft, or the introduction of malware into the network. Although this alert is low severity, multiple alerts across the environment may indicate an active campaign. The detection focuses on registry modifications, which are early indicators of device connection, allowing for proactive monitoring and response.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon registry event logging to detect registry modifications related to USB devices and activate the Sigma rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to your SIEM to detect and monitor first-time seen USB devices.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, correlating with user activity and file access events.\u003c/li\u003e\n\u003cli\u003eMaintain a list of approved USB devices and create exceptions for them in the monitoring system to reduce false positives as described in the rule documentation.\u003c/li\u003e\n\u003cli\u003eMonitor for subsequent file access or transfer events involving the new device as described in the rule documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T14:00:00Z","date_published":"2024-01-02T14:00:00Z","id":"/briefs/2024-01-first-time-usb/","summary":"Detection of newly seen removable devices via Windows registry modification events can indicate data exfiltration attempts or initial access via malicious USB drives.","title":"First Time Seen Removable Device Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-first-time-usb/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["OneDrive","Visual Studio","Office","Firefox","Windows","HP Support 
Assistant"],"_cs_severities":["low"],"_cs_tags":["persistence","scheduled-task","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Hewlett-Packard","Mozilla","Google"],"content_html":"\u003cp\u003eAdversaries frequently leverage scheduled tasks in Windows to maintain persistence, elevate privileges, or facilitate lateral movement within a compromised network. This technique involves creating or modifying scheduled tasks to execute malicious code at specific times or intervals. The detection rule focuses on identifying the creation of new scheduled tasks logged in Windows event logs, filtering out tasks created by system accounts and those associated with legitimate software to minimize false positives. This detection is crucial because successful exploitation allows attackers to execute arbitrary commands or programs on a recurring basis, maintaining a foothold even after system reboots or user logoffs. Defenders need to monitor for anomalous task creation events to identify potential malicious activity. 
The rule references Microsoft Event ID 4698 as a key data source for detecting scheduled task creation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to the system through phishing, exploiting a vulnerability, or using compromised credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (if needed):\u003c/strong\u003e The attacker escalates privileges using exploits or by abusing misconfigurations to gain the necessary permissions to create scheduled tasks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTask Creation:\u003c/strong\u003e The attacker creates a new scheduled task using tools like \u003ccode\u003eschtasks.exe\u003c/code\u003e or PowerShell.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConfiguration:\u003c/strong\u003e The attacker configures the task to execute a malicious script or program at a specific time or event trigger.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The scheduled task is configured to run at regular intervals or upon system startup, ensuring persistent access to the compromised system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e When the scheduled task triggers, the malicious payload executes, performing actions such as installing malware, stealing data, or establishing a command and control connection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (optional):\u003c/strong\u003e The attacker uses the compromised system and scheduled task to move laterally to other systems on the network, repeating the task creation process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via scheduled task creation can lead to persistent access within the compromised environment. 
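A worked example of the data source the brief relies on, added here and not taken from the rule: parsing a Windows Security Event ID 4698 record in Python and applying the brief's two exclusions (system accounts and known benign tasks). The field names SubjectUserName, SubjectDomainName, TaskName and TaskContent are the real 4698 schema; the events below are constructed, and the benign-task prefixes are an illustrative allowlist to tune per environment.

```python
"""Parse a Windows Security Event ID 4698 record and apply the brief's exclusions.

Added example for this brief, not its Sigma rule. The field names
(SubjectUserName, SubjectDomainName, TaskName, TaskContent) are the real
4698 schema; the events themselves are constructed here, and the benign
task prefixes are an illustrative allowlist to tune per environment.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
XML_DECL = re.compile(r"^<\?xml[^>]*\?>")

# Task paths created by software the brief excludes; extend for your fleet.
BENIGN_TASK_PREFIXES = (
    "\\Microsoft\\Windows\\",
    "\\OneDrive Standalone Update Task",
    "\\Firefox Default Browser Agent",
)
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def parse_4698(event_xml):
    """Return subject, task name and the Exec action from a 4698 record."""
    root = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", EVENT_NS)}
    # TaskContent is the task definition XML, stored escaped inside the event.
    # It carries a UTF-16 declaration; drop it because we already hold a str.
    content = XML_DECL.sub("", data["TaskContent"].strip(), count=1)
    task = ET.fromstring(content)
    exec_action = task.find("t:Actions/t:Exec", TASK_NS)
    command = arguments = ""
    if exec_action is not None:
        command = exec_action.findtext("t:Command", default="", namespaces=TASK_NS)
        arguments = exec_action.findtext("t:Arguments", default="", namespaces=TASK_NS)
    return {
        "user": f"{data['SubjectDomainName']}\\{data['SubjectUserName']}",
        "task_name": data["TaskName"],
        "command": command,
        "arguments": arguments,
    }


def is_suspicious(record):
    """The brief's two exclusions: system accounts and known benign tasks."""
    account = record["user"].rsplit("\\", 1)[-1]
    if account.endswith("$") or account.upper() in SERVICE_ACCOUNTS:
        return False  # computer or service account: task created by SYSTEM
    if record["task_name"].startswith(BENIGN_TASK_PREFIXES):
        return False
    return True


def triage(event_xmls):
    return [r for r in map(parse_4698, event_xmls) if is_suspicious(r)]


def _task_content(command, arguments):
    """Minimal task definition in the shape Windows stores in TaskContent."""
    return (
        '<?xml version="1.0" encoding="UTF-16"?>'
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>"
        '<Actions Context="Author"><Exec>'
        f"<Command>{escape(command)}</Command><Arguments>{escape(arguments)}</Arguments>"
        "</Exec></Actions></Task>"
    )


def _event_4698(user, domain, task_name, command, arguments):
    """Constructed 4698 record carrying only the fields the parser needs."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4698</EventID><Computer>WS01.corp.example</Computer></System>"
        "<EventData>"
        f'<Data Name="SubjectUserName">{escape(user)}</Data>'
        f'<Data Name="SubjectDomainName">{escape(domain)}</Data>'
        f'<Data Name="TaskName">{escape(task_name)}</Data>'
        f'<Data Name="TaskContent">{escape(_task_content(command, arguments))}</Data>'
        "</EventData></Event>"
    )


SAMPLE_EVENTS = [
    # Interactive user registering a hidden PowerShell script at logon.
    _event_4698("jdoe", "CORP", "\\Updater",
                "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "-WindowStyle Hidden -File C:\\Users\\jdoe\\AppData\\Roaming\\u.ps1"),
    # Windows Update creating its own task as the computer account.
    _event_4698("WS01$", "CORP", "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan",
                "%systemroot%\\system32\\usoclient.exe", "StartScan"),
    # OneDrive per-user updater, excluded by task name prefix.
    _event_4698("jdoe", "CORP", "\\OneDrive Standalone Update Task-S-1-5-21-1",
                "%localappdata%\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe", ""),
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_EVENTS):
        print(rec)
```

The command and arguments come from the task XML rather than from the process that created the task, which is what lets a detection judge what the task will do even when it was registered through the Task Scheduler API rather than schtasks.exe.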
The attacker can maintain a foothold even after system restarts, enabling them to perform data exfiltration, deploy ransomware, or cause other disruptive activities. While the risk score is relatively low, the potential for persistence makes this a critical area to monitor, especially in environments where lateral movement is a significant concern. The number of affected systems depends on the scope of the initial compromise and the attacker\u0026rsquo;s ability to move laterally.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the Advanced Audit Policy subcategory \u0026ldquo;Audit Other Object Access Events\u0026rdquo; (success) so that the Security log records Event ID 4698 for every scheduled task creation; the event\u0026rsquo;s TaskContent field carries the full task XML, including the command the task will run (reference: setup instructions in the original rule).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious scheduled task creation events, and tune the rules by adding exclusions for known benign tasks in your environment.\u003c/li\u003e\n\u003cli\u003eReview the investigation steps outlined in the rule\u0026rsquo;s notes to triage alerts related to scheduled task creation, focusing on unfamiliar task names, unusual user accounts, and suspicious scheduled actions.\u003c/li\u003e\n\u003cli\u003eConsult the rule\u0026rsquo;s reference URL for the details of Windows Event ID 4698, which is generated when a scheduled task is created.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-scheduled-task-creation/","summary":"Adversaries may create scheduled tasks on Windows systems to establish persistence, move laterally, or escalate privileges, and this detection identifies such activity by monitoring Windows event logs for scheduled task creation events, excluding known benign tasks and those created by system accounts.","title":"Windows Scheduled Task Creation for 
Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-02-scheduled-task-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["discovery","windows","fsutil"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers may leverage native operating system tools like \u003ccode\u003efsutil.exe\u003c/code\u003e to perform reconnaissance activities within a compromised environment. The \u003ccode\u003efsutil fsinfo drives\u003c/code\u003e command lists every drive letter currently assigned on the host, which can include removable media, mapped network drives, and backup locations; \u003ccode\u003efsutil fsinfo drivetype\u003c/code\u003e then reports whether a given letter is a fixed, removable, remote, or CD-ROM drive. Discovery of these devices can help adversaries identify valuable data stores for exfiltration or encryption as part of a broader attack campaign. This command can be run interactively or via automated scripts, making it a versatile tool for post-exploitation activities. 
Defenders should monitor for unusual execution of \u003ccode\u003efsutil\u003c/code\u003e with the \u003ccode\u003efsinfo drives\u003c/code\u003e arguments, particularly when executed by non-administrative users or from unusual locations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003efsutil.exe\u003c/code\u003e via command line or script.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efsinfo\u003c/code\u003e subcommand is invoked with the \u003ccode\u003edrives\u003c/code\u003e argument (\u003ccode\u003efsutil fsinfo drives\u003c/code\u003e) to list the drive letters present on the host.\u003c/li\u003e\n\u003cli\u003eThe system returns the assigned drive letters; a follow-up \u003ccode\u003efsutil fsinfo drivetype\u003c/code\u003e for each letter reports whether it is a fixed, removable, remote, or CD-ROM drive.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the output to identify potentially valuable targets.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the identified drives, including mapped shares that live on other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys ransomware on the identified drives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful discovery of peripheral devices can lead to the identification of backup locations, mapped network drives, and removable media containing sensitive information. This information enables attackers to expand their reach within the compromised environment and increase the potential for data theft, encryption, or destruction. 
The low severity reflects the fact that this activity on its own is simply reconnaissance; the actual damage comes from subsequent actions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious execution of \u003ccode\u003efsutil.exe\u003c/code\u003e (see below).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture \u003ccode\u003efsutil\u003c/code\u003e executions (see setup instructions in the Overview).\u003c/li\u003e\n\u003cli\u003eInvestigate any process executions of \u003ccode\u003efsutil.exe\u003c/code\u003e where the parent process is unexpected or the user context is unusual (see Triage and Analysis).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-peripheral-device-discovery/","summary":"Adversaries may use the Windows file system utility, fsutil.exe, with the fsinfo drives command to enumerate attached peripheral devices and gain information about a compromised system.","title":"Windows Peripheral Device Discovery via fsutil","url":"https://feed.craftedsignal.io/briefs/2024-01-02-peripheral-device-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAttackers often clear Windows event logs to cover their tracks and hinder forensic investigations. This technique is employed post-compromise to remove evidence of malicious activities, making it difficult for defenders to detect and respond to intrusions. This behavior is typically observed after an attacker has achieved their objectives and seeks to maintain persistence or further compromise the system. 
By clearing logs, attackers can evade detection and prolong their access to the compromised environment. This can occur through various means, but the end result is the deletion of Security or System event logs, which are critical for security monitoring. This activity aims to disrupt incident response and evade SIEM detections.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of the system via phishing, exploitation, or credential theft.\u003c/li\u003e\n\u003cli\u003ePrivilege escalation to gain administrative access to the system.\u003c/li\u003e\n\u003cli\u003eDiscovery of event log locations and tools for clearing logs.\u003c/li\u003e\n\u003cli\u003eExecution of commands or tools to clear the Security or System event logs.\u003c/li\u003e\n\u003cli\u003eVerification of event log clearance to confirm the action\u0026rsquo;s success.\u003c/li\u003e\n\u003cli\u003eContinued malicious activity without leaving obvious traces in the logs.\u003c/li\u003e\n\u003cli\u003eAttempts to disable or tamper with security monitoring tools to prevent future detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful clearing of Windows event logs can severely impair an organization\u0026rsquo;s ability to detect and respond to security incidents. The absence of log data hinders forensic investigations and prevents the identification of malicious activities. This can lead to prolonged intrusions, data breaches, and significant financial losses. 
The low severity reflects the fact that while impactful, this behavior often occurs post-compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Windows Event Logs Cleared\u0026rdquo; to your SIEM to detect attempts to clear event logs.\u003c/li\u003e\n\u003cli\u003eForward the Security and System logs to a central collector in near real time; Windows writes Event ID 1102 to the Security log and Event ID 104 to the System log when those logs are cleared, and a copy held off the host is the record the attacker cannot erase.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026ldquo;Windows Event Logs Cleared\u0026rdquo; Sigma rule, focusing on the process execution chain and user accounts involved.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to provide more detailed information about processes involved in clearing event logs, such as \u003ccode\u003ewevtutil.exe cl\u003c/code\u003e or PowerShell\u0026rsquo;s \u003ccode\u003eClear-EventLog\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-clearing-windows-event-logs/","summary":"Attackers attempt to clear Windows event logs to evade detection and remove forensic evidence of their activities.","title":"Windows Event Logs Cleared","url":"https://feed.craftedsignal.io/briefs/2024-01-clearing-windows-event-logs/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["data-exfiltration","machine-learning","elastic-defend"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies unusual processes writing data to external devices, a tactic often used by malicious actors to exfiltrate data while masking their activities with seemingly benign processes. The detection leverages machine learning to identify deviations from typical behavior patterns, specifically focusing on processes that have no legitimate reason to write data to external devices. The rule relies on the \u0026ldquo;ded_rare_process_writing_to_external_device_ea\u0026rdquo; machine learning job from the Elastic Data Exfiltration Detection integration, version 9.4.0 or later. 
The rule analyzes file events collected by integrations such as Elastic Defend and Network Packet Capture. This detection is important because it can uncover exfiltration attempts that might otherwise go unnoticed due to the use of legitimate-looking processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system through various means (e.g., compromised credentials, software vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence on the system, potentially using scheduled tasks or autorun keys.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies sensitive data on the system or network.\u003c/li\u003e\n\u003cli\u003eThe attacker copies the sensitive data to a staging directory.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a renamed or masqueraded legitimate process (e.g., \u003ccode\u003esvchost.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e) to write the staged data to an external device connected to the system.\u003c/li\u003e\n\u003cli\u003eThe system\u0026rsquo;s file events are monitored by Elastic Defend, capturing the process writing data to the external device.\u003c/li\u003e\n\u003cli\u003eThe Elastic Data Exfiltration Detection integration analyzes the file events and identifies the process as rare or unusual for writing to external devices.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;Unusual Process Writing Data to an External Device\u0026rdquo; rule is triggered, alerting security analysts to the potential exfiltration attempt.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could result in the exfiltration of sensitive data, leading to financial loss, reputational damage, and legal repercussions. While the severity is \u0026ldquo;low,\u0026rdquo; a successful exfiltration can have significant consequences. 
The number of victims and the specific sectors targeted depend on the attacker\u0026rsquo;s objectives and the compromised system\u0026rsquo;s access to sensitive information.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInstall and configure the Data Exfiltration Detection integration in Elastic, ensuring the machine learning job \u003ccode\u003eded_rare_process_writing_to_external_device_ea\u003c/code\u003e is enabled, as described in the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003esetup documentation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eEnable file event collection using Elastic Defend to provide the necessary data for the machine learning job, as detailed in the \u003ca href=\"https://www.elastic.co/guide/en/security/current/install-endpoint.html\"\u003eElastic Defend documentation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune the \u003ccode\u003eanomaly_threshold\u003c/code\u003e based on your environment\u0026rsquo;s baseline behavior to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, following the \u003ca href=\"https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration\"\u003etriage and analysis guidance\u003c/a\u003e to determine the legitimacy of the activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-rare-process-exfiltration/","summary":"A machine learning job detects a rare process writing data to an external device, potentially indicating data exfiltration masked by benign-looking processes.","title":"Unusual Process Writing Data to an External Device via Machine 
Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-rare-process-exfiltration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["persistence","windows","scheduled_task","attack.persistence"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAdversaries frequently abuse scheduled tasks in Windows to maintain persistence, move laterally within a network, or escalate privileges. This involves creating or modifying scheduled tasks to execute malicious commands or scripts at specific times or intervals. This detection rule focuses on identifying the creation of scheduled tasks by non-system accounts, which is often indicative of malicious activity. The rule specifically monitors for the execution of \u003ccode\u003eschtasks.exe\u003c/code\u003e with specific arguments related to task creation. It is designed to trigger when scheduled tasks are created by non-system level users, helping to filter out legitimate administrative activities. 
This is crucial for defenders because scheduled tasks provide a reliable and stealthy mechanism for attackers to maintain control over compromised systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a command shell (e.g., cmd.exe, PowerShell) or script interpreter (e.g., wscript.exe) on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eschtasks.exe\u003c/code\u003e with the \u003ccode\u003e/create\u003c/code\u003e parameter to create a new scheduled task.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e/TN\u003c/code\u003e parameter is used to specify the name of the task, and the \u003ccode\u003e/TR\u003c/code\u003e parameter defines the program or script to execute.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e/SC\u003c/code\u003e parameter sets the schedule for the task (e.g., daily, hourly, onlogon), and \u003ccode\u003e/RU\u003c/code\u003e specifies the user account under which the task will run.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the task to run with elevated privileges or under a non-system account to bypass security controls.\u003c/li\u003e\n\u003cli\u003eThe scheduled task executes the attacker\u0026rsquo;s payload at the specified time or event, achieving persistence.\u003c/li\u003e\n\u003cli\u003eThe payload may perform various malicious actions, such as installing malware, exfiltrating data, or establishing a command and control channel.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to persistent access to the compromised system, allowing attackers to maintain control even after reboots or user logoffs. 
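The schtasks.exe command line is the evidence this brief's rule works from, so here is an added example (not the Sigma rule itself) that parses the /TN, /TR, /SC, /RU and /RL switches from constructed process-creation events and flags creations by non-system accounts launched from a shell or script interpreter. The event field names are this example's own, and the command lines are constructed.

```python
"""schtasks.exe /Create argument parsing over constructed process-creation events.

Added example for this brief, not the Sigma rule it describes. Event field
names are this example's own; the command lines are constructed. It turns the
/TN, /TR, /SC, /RU and /RL switches into a record and flags creations by
non-system accounts from a shell or script interpreter, the brief's scope.
"""
import re

TOKEN = re.compile(r'"[^"]*"|\S+')           # quoted string or bare word
VALUE_SWITCHES = {"/tn", "/tr", "/sc", "/ru", "/rp", "/rl", "/mo",
                  "/st", "/sd", "/xml"}         # switches that take a value
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                 "cscript.exe", "mshta.exe"}
SYSTEM_USERS = {"NT AUTHORITY\\SYSTEM", "SYSTEM"}
USER_WRITABLE = re.compile(r"\\appdata\\|\\temp\\|\\programdata\\", re.IGNORECASE)


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def parse_schtasks(command_line):
    """Split a schtasks command line into {switch: value}; bare flags map to True."""
    tokens = [t.strip('"') for t in TOKEN.findall(command_line)]
    parsed = {}
    i = 1  # tokens[0] is the schtasks image itself
    while i < len(tokens):
        key = tokens[i].lower()
        if key in VALUE_SWITCHES and i + 1 < len(tokens):
            parsed[key] = tokens[i + 1]
            i += 2
        elif key.startswith("/"):
            parsed[key] = True
            i += 1
        else:
            i += 1
    return parsed


def evaluate(event):
    """Return a finding for a task created by a non-system account, else None."""
    if _basename(event["image"]) != "schtasks.exe":
        return None
    if event["user"].upper() in SYSTEM_USERS:
        return None
    args = parse_schtasks(event["command_line"])
    if "/create" not in args:
        return None
    action = args.get("/tr", "")
    flags = []
    if (args.get("/ru", "").upper() in ("SYSTEM", "NT AUTHORITY\\SYSTEM")
            or args.get("/rl", "").upper() == "HIGHEST"):
        flags.append("runs-elevated")
    if USER_WRITABLE.search(action):
        flags.append("action-in-user-writable-path")
    if _basename(event["parent_image"]) in SHELL_PARENTS:
        flags.append("spawned-by-shell")
    return {"user": event["user"], "task_name": args.get("/tn", ""),
            "action": action, "schedule": args.get("/sc", ""), "flags": flags}


def detect(events):
    return [f for f in map(evaluate, events) if f is not None]


SCHTASKS = "C:\\Windows\\System32\\schtasks.exe"

# Constructed events: a user-context creation pointing at a hidden script in
# AppData, a harmless query, and a SYSTEM-context creation that is out of scope.
SAMPLE_EVENTS = [
    {"user": "CORP\\jdoe", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": SCHTASKS,
     "command_line": 'schtasks /Create /SC ONLOGON /TN "WindowsUpdateCheck" '
                     '/TR "powershell -w hidden -File C:\\Users\\jdoe\\AppData\\Roaming\\upd.ps1" '
                     "/RU SYSTEM /RL HIGHEST /F"},
    {"user": "CORP\\jdoe", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": SCHTASKS,
     "command_line": 'schtasks /Query /TN "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"'},
    {"user": "NT AUTHORITY\\SYSTEM", "parent_image": "C:\\Windows\\System32\\svchost.exe",
     "image": SCHTASKS,
     "command_line": "schtasks /Create /SC DAILY /TN Backup /TR C:\\Scripts\\backup.cmd /ST 02:00"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The tokenizer keeps a quoted /TR value intact, which matters because the program the task will run usually has spaces in it; a naive split on whitespace would lose the script path that makes the finding actionable.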
Attackers can leverage scheduled tasks to escalate privileges, potentially gaining access to sensitive data or critical system resources. The creation of unauthorized scheduled tasks can also be used to move laterally within the network, compromising additional systems and expanding the scope of the attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging with Event ID 1 to capture command-line arguments and process details (reference: Sysmon setup in rule setup).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Scheduled Task Creation by Non-System Account\u0026rdquo; to your SIEM to detect suspicious schtasks.exe activity.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate scheduled task creation activities in your environment to reduce false positives (reference: False positive analysis).\u003c/li\u003e\n\u003cli\u003eMonitor process activity for processes such as cmd.exe, powershell.exe, wscript.exe creating scheduled tasks (reference: query).\u003c/li\u003e\n\u003cli\u003eInvestigate any scheduled tasks created by non-system accounts that do not have a clear business justification (reference: Investigation Guide).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-local-scheduled-task-creation/","summary":"This rule detects the creation of scheduled tasks on Windows systems by non-system accounts, a common technique used by adversaries for persistence, lateral movement, and privilege escalation.","title":"Suspicious Local Scheduled Task Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-local-scheduled-task-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Excel","MS Access","MS 
Publisher","PowerPoint","Word","Outlook"],"_cs_severities":["low"],"_cs_tags":["command-prompt","network-connection","windows","execution","command-and-control"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies suspicious network connections initiated by the command prompt (cmd.exe) on Windows systems. The rule focuses on cmd.exe processes executed with specific arguments, such as those indicating script execution (e.g., *.bat, *.cmd), access to remote resources (e.g., URLs), or those spawned by Microsoft Office applications (Excel, Word, etc.). Attackers frequently abuse cmd.exe to download malicious payloads, execute commands, or establish command and control channels. This detection aims to identify such potentially malicious activity by correlating process creation events with subsequent network connections. The rule excludes common private and reserved IP address ranges to reduce false positives. The targeted systems are Windows endpoints where adversaries attempt to leverage cmd.exe for malicious purposes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user opens a malicious document (e.g., Word, Excel) or executes a seemingly benign application.\u003c/li\u003e\n\u003cli\u003eThe document or application contains a macro or script that initiates a cmd.exe process.\u003c/li\u003e\n\u003cli\u003eThe cmd.exe process is launched with arguments indicating script execution (\u003ccode\u003e/c\u003c/code\u003e, \u003ccode\u003e/k\u003c/code\u003e) and referencing a remote resource (e.g., a URL) or a local batch file.\u003c/li\u003e\n\u003cli\u003eThe cmd.exe process attempts to download a payload from a remote server using protocols like HTTP, HTTPS, or FTP.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is saved to disk, often with a disguised filename.\u003c/li\u003e\n\u003cli\u003eThe cmd.exe process executes the 
downloaded payload, initiating further malicious actions.\u003c/li\u003e\n\u003cli\u003eThe malicious payload establishes a command and control (C2) channel with a remote server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the C2 channel to send commands to the compromised system, potentially leading to data exfiltration or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of Windows endpoints, potentially enabling attackers to download and execute malicious payloads, establish command and control channels, and perform further malicious activities such as data theft, lateral movement, or ransomware deployment. While this detection has a low severity, it serves as an early warning sign of potential compromise and should be investigated promptly.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture the full context of cmd.exe executions.\u003c/li\u003e\n\u003cli\u003eMonitor network connections from cmd.exe processes, focusing on connections to external IP addresses, using a network monitoring solution.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious cmd.exe network connections.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on cmd.exe processes spawned by Office applications or those executing scripts from remote URLs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-suspicious-cmd-network/","summary":"This alert identifies suspicious network connections initiated by the command prompt (cmd.exe) when executed with arguments indicative of script execution, remote resource access, or originating from Microsoft Office 
applications, which is a common tactic for downloading payloads or establishing command and control.","title":"Suspicious Command Prompt Network Connection","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-cmd-network/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory"],"_cs_severities":["low"],"_cs_tags":["active_directory","ldap","discovery","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis rule identifies read access to a high number of Active Directory object attributes, which can help adversaries find vulnerabilities, elevate privileges, or collect sensitive information. The rule focuses on event code 4662, filtering for \u0026lsquo;Read Property\u0026rsquo; access where the Properties field of a single event (winlog.event_data.Properties, which lists the GUID of every attribute read in that access) is at least 2000 characters long, i.e. dozens of attributes read at once rather than the handful a routine lookup touches. The rule is designed to detect potential reconnaissance activities within an Active Directory environment, providing security teams with insights into unusual access patterns that may indicate malicious intent. 
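\u003c/p\u003e\n\u003cp\u003eAdded example (not part of this brief and not the Elastic rule it summarises): the Python below applies the \u003ccode\u003elength(winlog.event_data.Properties) \u0026gt;= 2000\u003c/code\u003e threshold to constructed 4662 records, counts the attribute GUIDs behind a hit, and performs the triage step the rule leaves to the analyst, resolving the account from SubjectUserSid and the source address by joining SubjectLogonId to a 4624 logon event, because 4662 itself does not record the client host. The SIDs, logon IDs, addresses and attribute GUIDs are made up for the example, and the availability of a matching 4624 record is an assumption of the example.\u003c/p\u003e

```python
# Added example: the 'Suspicious Access to LDAP Attributes' threshold applied to
# constructed Windows Security events, plus the 4624 join that recovers the source host.
# Field names are the winlog.event_data.* names; every value below is constructed.
import re
import uuid

THRESHOLD = 2000         # the rule: length(winlog.event_data.Properties) >= 2000
READ_PROPERTY = '0x10'   # 4662 AccessMask for Read Property
GUID_RE = re.compile('[{]([0-9a-fA-F-]{36})[}]')   # one {guid} per attribute read


def property_guids(properties):
    # Properties is a single string: the access name followed by the GUID of each
    # attribute read; real events separate them with tabs and newlines, the regex
    # does not care which separator is used
    return GUID_RE.findall(properties)


def matches_rule(ev):
    # Read Property access whose Properties field is long enough to cross the threshold
    if ev['event_code'] != '4662':
        return False
    if ev['AccessMask'] != READ_PROPERTY:
        return False
    return len(ev['Properties']) >= THRESHOLD


def source_of(ev, logons):
    # 4662 names the account (SubjectUserSid / SubjectUserName) but not the client host;
    # the 4624 logon event whose TargetLogonId equals SubjectLogonId carries the source IP.
    # Assumption of this example: that 4624 record is available in the same data set.
    for lg in logons:
        if lg['TargetLogonId'] == ev['SubjectLogonId']:
            return lg['IpAddress']
    return None


def triage(events, logons):
    hits = []
    for ev in events:
        if matches_rule(ev):
            hits.append({
                'sid': ev['SubjectUserSid'],
                'user': ev['SubjectUserName'],
                'attributes_read': len(property_guids(ev['Properties'])),
                'source_ip': source_of(ev, logons),
            })
    return hits


def make_properties(n):
    # constructed: n distinct attribute GUIDs in the layout 4662 uses (braces, whitespace-separated)
    guids = ['{' + str(uuid.UUID(int=i + 1)) + '}' for i in range(n)]
    return 'Read Property ' + ' '.join(guids)


# Constructed sample data: one bulk read by jdoe, one routine read, one write access
SAMPLE_4662 = [
    {'event_code': '4662', 'SubjectUserSid': 'S-1-5-21-1-2-3-1105', 'SubjectUserName': 'jdoe',
     'SubjectLogonId': '0x3e7a1', 'AccessMask': '0x10', 'Properties': make_properties(60)},
    {'event_code': '4662', 'SubjectUserSid': 'S-1-5-21-1-2-3-1106', 'SubjectUserName': 'svc_backup',
     'SubjectLogonId': '0x3e7b2', 'AccessMask': '0x10', 'Properties': make_properties(3)},
    {'event_code': '4662', 'SubjectUserSid': 'S-1-5-21-1-2-3-1107', 'SubjectUserName': 'admin',
     'SubjectLogonId': '0x3e7c3', 'AccessMask': '0x20', 'Properties': make_properties(60)},
]
SAMPLE_4624 = [
    {'event_code': '4624', 'TargetLogonId': '0x3e7a1', 'IpAddress': '10.20.30.40', 'LogonType': '3'},
    {'event_code': '4624', 'TargetLogonId': '0x3e7b2', 'IpAddress': '10.20.30.41', 'LogonType': '3'},
]

if __name__ == '__main__':
    for hit in triage(SAMPLE_4662, SAMPLE_4624):
        print(hit)
```

\u003cp\u003eSixty attribute GUIDs at 38 characters each push the field well past 2000 characters while three stay far below it, which is why the threshold is a proxy for attribute count rather than a count itself; raise THRESHOLD where inventory or backup tooling legitimately reads many attributes per object, and keep the AccessMask filter so that write accesses (0x20) do not fire this reconnaissance rule.\u003c/p\u003e\n\u003cp\u003e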
This detection logic helps security teams proactively identify and respond to potential threats targeting Active Directory environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system within the target network, possibly through compromised credentials or a phishing attack (not directly covered in the provided source).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised account to query Active Directory via LDAP.\u003c/li\u003e\n\u003cli\u003eThe attacker issues a series of LDAP queries, requesting a large number of attributes for various Active Directory objects, which the domain controller logs as event ID 4662 when directory service access auditing is enabled.\u003c/li\u003e\n\u003cli\u003eEach 4662 event lists the GUID of every attribute read in that access in its Properties field (winlog.event_data.Properties); an access that reads enough attributes for that field to reach 2000 characters crosses the rule\u0026rsquo;s threshold.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the gathered information to identify potential targets, such as privileged accounts, sensitive data stores, or vulnerable systems.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to elevate privileges by exploiting identified vulnerabilities or misconfigurations within Active Directory.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the elevated privileges to access sensitive information or move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gather sensitive information about the Active Directory environment, identify potential vulnerabilities, elevate privileges, and move laterally within the network. This can lead to data breaches, system compromise, and significant disruption to business operations. 
The number of victims and sectors targeted depends on the scope and objectives of the attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Directory Service Access to generate the necessary events (event code 4662) as mentioned in the setup instructions; the audit subcategory alone is not enough, since 4662 is only written for objects whose SACL audits the access.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Access to LDAP Attributes\u0026rdquo; to your SIEM and tune the threshold (length(winlog.event_data.Properties) \u0026gt;= 2000) for your environment.\u003c/li\u003e\n\u003cli\u003eReview event logs for event code 4662, focusing on the \u003ccode\u003ewinlog.event_data.Properties\u003c/code\u003e field, to understand which attributes were accessed.\u003c/li\u003e\n\u003cli\u003eIdentify the account that issued the queries from the \u003ccode\u003ewinlog.event_data.SubjectUserSid\u003c/code\u003e and SubjectUserName fields; event 4662 does not record the client host, so correlate \u003ccode\u003ewinlog.event_data.SubjectLogonId\u003c/code\u003e with the 4624 logon event carrying the same logon ID to find the source machine and address.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-suspicious-ldap-attributes/","summary":"The rule detects suspicious access to LDAP attributes in Active Directory by identifying read access to a high number of Active Directory object attributes, which can help adversaries find vulnerabilities, elevate privileges, or collect sensitive information.","title":"Suspicious Access to LDAP Attributes","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-ldap-attributes/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","machine-learning"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u0026ldquo;Spike in Remote File Transfers\u0026rdquo; detection identifies potential lateral movement activity within a network by monitoring for unusual volumes of remote file transfers. 
Attackers often aim to locate and exfiltrate valuable information after gaining initial access. To evade detection, they may attempt to mimic normal egress activity through numerous small transfers. This detection leverages machine learning to establish a baseline of normal transfer activity and identify deviations that may indicate malicious behavior. The rule requires the Lateral Movement Detection integration assets to be installed. For Elastic Defend events on versions 8.18 and above, \u003ccode\u003ehost.ip\u003c/code\u003e collection must be enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a host within the network through an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eInternal Reconnaissance: The attacker performs internal reconnaissance to identify valuable data and potential target systems.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses stolen credentials or exploits remote services (T1210) to gain access to other systems on the network.\u003c/li\u003e\n\u003cli\u003eTool Transfer: The attacker transfers malicious tools or scripts (T1570) to the compromised systems to facilitate further actions.\u003c/li\u003e\n\u003cli\u003eData Collection: The attacker gathers sensitive data from the compromised systems.\u003c/li\u003e\n\u003cli\u003eEgress Activity: The attacker initiates numerous small remote file transfers, attempting to blend in with normal network traffic.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: The attacker exfiltrates the stolen data to an external location.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful lateral movement attack involving anomalous file transfers can lead to data exfiltration, intellectual property theft, and reputational damage. 
Even though the severity is low, undetected lateral movement can escalate quickly into high severity incidents like ransomware or data breaches. This detection focuses on the early stages of lateral movement, allowing security teams to respond before significant damage occurs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure host IP collection is enabled in Elastic Defend configurations, following the steps in the \u003ca href=\"https://www.elastic.co/docs/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint#host-fields\"\u003ehelper guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInstall the Lateral Movement Detection integration assets as described in the setup instructions in the rule documentation.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the \u0026ldquo;Spike in Remote File Transfers\u0026rdquo; rule, paying close attention to the source and destination of the file transfers.\u003c/li\u003e\n\u003cli\u003eReview authentication logs for signs of compromised accounts, such as unusual login times or locations, as described in the rule\u0026rsquo;s triage notes.\u003c/li\u003e\n\u003cli\u003eTune the machine learning job\u0026rsquo;s anomaly threshold based on your environment\u0026rsquo;s baseline activity and false positive analysis.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-spike-remote-file-transfers/","summary":"A machine learning job detects an abnormal volume of remote file transfers, potentially indicating lateral movement by attackers attempting to blend in with normal network egress activity.","title":"Spike in Remote File Transfers via Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-spike-remote-file-transfers/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft 
Defender XDR","Windows Security Event Logs"],"_cs_severities":["low"],"_cs_tags":["privilege-escalation","defense-evasion","execution","windows","service-creation"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft"],"content_html":"\u003cp\u003eThis detection identifies instances where the Service Control utility (sc.exe) is executed from within a script interpreter, such as cmd.exe, PowerShell, or wscript.exe. Attackers may leverage this behavior to create, modify, or start Windows services, often with the intent to elevate privileges or establish persistence on a compromised system. sc.exe is a legitimate Windows command-line tool used for managing services, so abusing it lets an attacker perform malicious actions under the guise of routine system administration. This detection is designed to identify anomalous use of sc.exe that deviates from typical administrative tasks, focusing on instances where it\u0026rsquo;s spawned from scripting environments often used for malicious activities. 
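\u003c/p\u003e\n\u003cp\u003eAdded example serving three briefs on this page, Suspicious Local Scheduled Task Creation, Suspicious Command Prompt Network Connection and this one (it is neither the Sigma nor the Elastic rule logic and not code from the feed): the Python below runs approximations of the three checks over constructed Sysmon events: schtasks.exe /create by a non-system account; sc.exe with a create, start, stop, delete or config verb spawned by a script interpreter, with SYSTEM excluded as this rule does; and cmd.exe launched with /c or /k plus a script or URL, or by an Office parent, joined on ProcessGuid to an Event ID 3 connection outside private and reserved ranges. Field names are Sysmon\u0026rsquo;s; the paths, users, GUIDs and addresses are constructed (paths are written with forward slashes in the sample data and normalised by basename()), and which accounts count as system accounts, which interpreters and Office binaries are listed, and which sc.exe verbs matter are the example\u0026rsquo;s own choices.\u003c/p\u003e

```python
# Added example: three process-creation checks from this feed page, run over constructed
# Sysmon Event ID 1 / Event ID 3 records. Not the Sigma or Elastic rules themselves.
import ipaddress
from collections import defaultdict

BACKSLASH = chr(92)   # written this way so the sample contains no backslash literal
INTERPRETERS = {'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe'}
OFFICE_APPS = {'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'msaccess.exe', 'mspub.exe'}
SC_VERBS = {'create', 'start', 'stop', 'delete', 'config'}   # verbs named in the brief


def basename(path):
    # Sysmon Image / ParentImage are full paths; compare on the lower-cased file name
    return path.replace(BACKSLASH, '/').rsplit('/', 1)[-1].lower()


def is_system(user):
    # Sysmon User is DOMAIN<sep>NAME; assumption of this example: only SYSTEM is 'system'
    return user.replace(BACKSLASH, '/').rsplit('/', 1)[-1].upper() == 'SYSTEM'


def is_external(ip):
    # mirror the cmd.exe brief: ignore private, loopback, link-local, multicast and
    # reserved destinations (Python also treats the RFC 5737 documentation nets as private)
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local or a.is_multicast or a.is_reserved)


def rule_schtasks_non_system(ev):
    # Suspicious Local Scheduled Task Creation: schtasks.exe /create by a non-system account
    cl = ev['CommandLine'].lower()
    return basename(ev['Image']) == 'schtasks.exe' and '/create' in cl and not is_system(ev['User'])


def rule_sc_from_interpreter(ev):
    # Service Control Executed from Script Interpreters, SYSTEM excluded as in the rule
    if basename(ev['Image']) != 'sc.exe' or basename(ev['ParentImage']) not in INTERPRETERS:
        return False
    if is_system(ev['User']):
        return False
    return any(tok.lower() in SC_VERBS for tok in ev['CommandLine'].split())


def rule_cmd_network(ev, conns):
    # Suspicious Command Prompt Network Connection: cmd.exe with /c or /k plus a script
    # or URL, or spawned by an Office app, followed by a connection to an external address
    if basename(ev['Image']) != 'cmd.exe':
        return False
    cl = ev['CommandLine'].lower()
    suspicious_args = ('/c' in cl or '/k' in cl) and any(m in cl for m in ('http', '.bat', '.cmd'))
    from_office = basename(ev['ParentImage']) in OFFICE_APPS
    if not (suspicious_args or from_office):
        return False
    return any(is_external(c['DestinationIp']) for c in conns.get(ev['ProcessGuid'], []))


def run_rules(events):
    # Event ID 3 records are joined to the Event ID 1 that created the process via ProcessGuid
    conns = defaultdict(list)
    for ev in events:
        if ev['EventID'] == 3:
            conns[ev['ProcessGuid']].append(ev)
    hits = []
    for ev in events:
        if ev['EventID'] != 1:
            continue
        if rule_schtasks_non_system(ev):
            hits.append(('schtasks_non_system', ev['ProcessGuid']))
        if rule_sc_from_interpreter(ev):
            hits.append(('sc_from_interpreter', ev['ProcessGuid']))
        if rule_cmd_network(ev, conns):
            hits.append(('cmd_external_connection', ev['ProcessGuid']))
    return hits


# Constructed sample events (forward-slash paths; basename() accepts either separator)
SAMPLE_EVENTS = [
    {'EventID': 1, 'ProcessGuid': 'p1', 'Image': 'C:/Windows/System32/schtasks.exe',
     'ParentImage': 'C:/Windows/System32/cmd.exe', 'User': 'CORP/jdoe',
     'CommandLine': 'schtasks.exe /create /tn Updater /tr C:/Users/Public/u.exe /sc onlogon'},
    {'EventID': 1, 'ProcessGuid': 'p2', 'Image': 'C:/Windows/System32/schtasks.exe',
     'ParentImage': 'C:/Windows/System32/svchost.exe', 'User': 'NT AUTHORITY/SYSTEM',
     'CommandLine': 'schtasks.exe /create /tn Backup /tr C:/Tools/bk.exe /sc daily'},
    {'EventID': 1, 'ProcessGuid': 'p3', 'Image': 'C:/Windows/System32/sc.exe',
     'ParentImage': 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe', 'User': 'CORP/jdoe',
     'CommandLine': 'sc.exe create svc binPath= C:/Users/Public/s.exe start= auto'},
    {'EventID': 1, 'ProcessGuid': 'p4', 'Image': 'C:/Windows/System32/sc.exe',
     'ParentImage': 'C:/Windows/System32/cmd.exe', 'User': 'CORP/jdoe',
     'CommandLine': 'sc.exe query wuauserv'},
    {'EventID': 1, 'ProcessGuid': 'p5', 'Image': 'C:/Windows/System32/cmd.exe',
     'ParentImage': 'C:/Program Files/Microsoft Office/root/Office16/WINWORD.EXE', 'User': 'CORP/jdoe',
     'CommandLine': 'cmd.exe /c echo hi'},
    {'EventID': 3, 'ProcessGuid': 'p5', 'Image': 'C:/Windows/System32/cmd.exe', 'DestinationIp': '8.8.8.8'},
    {'EventID': 1, 'ProcessGuid': 'p6', 'Image': 'C:/Windows/System32/cmd.exe',
     'ParentImage': 'C:/Windows/explorer.exe', 'User': 'CORP/jdoe',
     'CommandLine': 'cmd.exe /c C:/scripts/deploy.bat'},
    {'EventID': 3, 'ProcessGuid': 'p6', 'Image': 'C:/Windows/System32/cmd.exe', 'DestinationIp': '10.0.0.5'},
]

if __name__ == '__main__':
    for name, guid in run_rules(SAMPLE_EVENTS):
        print(name, guid)
```

\u003cp\u003eOf the sample, p1 fires the scheduled-task check (user account, /create), p2 does not (SYSTEM), p3 fires the sc.exe check (create from powershell.exe) while p4 does not (query is not a configuration verb), and p5 fires the cmd.exe check because its Office parent plus a connection to a public address together satisfy the rule, whereas p6 runs a batch file but only talks to a private address and is dropped, which is the false-positive reduction the cmd.exe brief describes.\u003c/p\u003e\n\u003cp\u003e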
The rule specifically excludes service creations performed by the SYSTEM user.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system via an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script interpreter (e.g., cmd.exe, powershell.exe).\u003c/li\u003e\n\u003cli\u003eWithin the script interpreter, the attacker uses sc.exe to manage Windows services.\u003c/li\u003e\n\u003cli\u003eThe sc.exe command is used with arguments such as \u0026ldquo;create\u0026rdquo;, \u0026ldquo;start\u0026rdquo;, \u0026ldquo;stop\u0026rdquo;, \u0026ldquo;delete\u0026rdquo;, or \u0026ldquo;config\u0026rdquo; to manipulate service configurations.\u003c/li\u003e\n\u003cli\u003eA new service is created or an existing service is modified to execute a malicious payload.\u003c/li\u003e\n\u003cli\u003eThe malicious service is started and its binary runs under the service account, LocalSystem (SYSTEM) by default for sc create; because creating or reconfiguring a service already requires local administrator rights, this step typically turns an administrator foothold into SYSTEM-level execution and persistence rather than escalating from a standard user.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence by ensuring the malicious service automatically starts upon system reboot.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the created service to execute additional malicious commands or maintain remote access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to complete system compromise with the attacker gaining SYSTEM level privileges. This can allow for lateral movement within the network, data exfiltration, or installation of persistent backdoors. 
While the frequency of this specific technique may be low, the potential impact is high due to the elevated privileges gained.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eService Control Spawning via Script Interpreter\u003c/code\u003e to your SIEM to detect this specific behavior and tune it to your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for sc.exe being executed by script interpreters like PowerShell or cmd.exe (as covered in the rule description).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of sc.exe being used with the arguments \u0026ldquo;create\u0026rdquo;, \u0026ldquo;start\u0026rdquo;, \u0026ldquo;stop\u0026rdquo;, \u0026ldquo;delete\u0026rdquo;, or \u0026ldquo;config\u0026rdquo; from scripting environments to identify potentially malicious activity.\u003c/li\u003e\n\u003cli\u003eEnsure proper access controls are in place to limit the ability of users to create or modify services.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-service-control-script-spawn/","summary":"Detection of Service Control (sc.exe) being spawned from script interpreter processes, such as PowerShell or cmd.exe, to create, modify, or start services, which may indicate privilege escalation or persistence attempts by an attacker.","title":"Service Control Executed from Script Interpreters","url":"https://feed.craftedsignal.io/briefs/2024-01-02-service-control-script-spawn/"}],"language":"en","next_url":"/severities/low/page/2/feed.json","title":"CraftedSignal Threat Feed — Low","version":"https://jsonfeed.org/version/1.1"}