{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attack.defense-evasion/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["attack.defense-evasion","attack.t1562","attack.impact","attack.t1489"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAttackers may attempt to stop or disable services on a compromised Linux system to impair security tools, disrupt operations, or facilitate further malicious activities. This can involve disabling security software, logging mechanisms, or other critical services that could hinder the attacker\u0026rsquo;s objectives. This activity often forms part of a broader attack campaign aimed at maintaining persistence, evading detection, or causing system-wide disruption. The commands \u003ccode\u003esystemctl\u003c/code\u003e, \u003ccode\u003eservice\u003c/code\u003e, and…\u003c/p\u003e\n","date_modified":"2024-01-09T14:30:00Z","date_published":"2024-01-09T14:30:00Z","id":"/briefs/2024-01-09-linux-service-disable/","summary":"Attackers may halt or disable security services on Linux systems to evade defenses, maintain persistence, or disrupt operations, detected through the use of utilities like 'systemctl', 'service', and 'chkconfig'.","title":"Linux Service Stop and Disable Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-09-linux-service-disable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["attack.defense-evasion","attack.t1562.002"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may disable Windows EventLog autologger sessions by modifying specific registry keys, thus evading detection and preventing security monitoring of early boot activities and system 
events. The AutoLogger event tracing session records events early in the operating system boot process, allowing applications and device drivers to capture traces before user login. Disabling these sessions can blind security monitoring tools, especially those focused on early boot activity, making it harder to detect malicious activity. This technique allows attackers to operate with less scrutiny during critical phases of system startup, potentially enabling persistence or other malicious objectives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, possibly through exploitation of a vulnerability or through stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker targets registry keys under \u003ccode\u003e\\Control\\WMI\\Autologger\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eStart\u003c/code\u003e value to disable specific autologger sessions like EventLog-Application or EventLog-System.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker modifies the \u003ccode\u003eEnabled\u003c/code\u003e value to disable specific providers of an autologger session.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the command, changing the registry value to disable the targeted autologger session or provider.\u003c/li\u003e\n\u003cli\u003eThe system no longer records events for the disabled autologger session or provider.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling the Windows EventLog autologger can severely impact an organization\u0026rsquo;s ability to detect and respond to threats. 
Security monitoring tools that rely on these logs will be unable to record early boot activities and system events, leading to a gap in visibility. This can allow attackers to establish persistence mechanisms, escalate privileges, or perform other malicious activities without being detected. The impact could range from undetected malware infections to significant data breaches, depending on the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eWindows EventLog Autologger Session Registry Modification Via CommandLine\u003c/code\u003e to your SIEM and tune it for your environment to detect this behavior.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ereg.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, or \u003ccode\u003epwsh.exe\u003c/code\u003e with command-line arguments that contain \u003ccode\u003e\\Control\\WMI\\Autologger\\\u003c/code\u003e and either \u003ccode\u003eStart\u003c/code\u003e or \u003ccode\u003eEnabled\u003c/code\u003e based on the Sigma rule\u0026rsquo;s detections.\u003c/li\u003e\n\u003cli\u003eImplement Atomic Red Team simulations to validate detections and train security staff.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of registry modifications related to Autologger sessions to determine if they are legitimate or malicious.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T14:22:00Z","date_published":"2024-01-09T14:22:00Z","id":"/briefs/2024-01-autologger-disable/","summary":"Adversaries may attempt to disable Windows EventLog autologger sessions via registry modification to evade detection and prevent security monitoring of early boot activities and system events.","title":"Windows EventLog Autologger Session Disabled via Registry 
Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-autologger-disable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["IOS"],"_cs_severities":["medium"],"_cs_tags":["attack.defense-evasion","attack.persistence","attack.credential-access","attack.t1562.001","attack.t1556.004"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThe disabling of 802.1X authentication on a Cisco network device can bypass Network Access Control (NAC) mechanisms, potentially granting unauthorized devices access to the internal network. Attackers or malicious insiders might disable dot1x to establish persistence or facilitate lateral movement by connecting rogue devices to the network. This can be accomplished through CLI commands such as \u0026lsquo;access-session port-control force-authorized\u0026rsquo; or \u0026lsquo;no dot1x system-auth-control\u0026rsquo;, depending on the IOS version. These commands either disable 802.1X on a specific interface or globally across the device. 
The targeted scope is Cisco network devices utilizing 802.1X for network access control.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains privileged access to a Cisco network device via compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker executes CLI commands to disable 802.1X authentication on a specific interface or globally.\u003c/li\u003e\n\u003cli\u003eCommands used may include \u0026lsquo;access-session port-control force-authorized\u0026rsquo;, \u0026lsquo;authentication port-control force-authorized\u0026rsquo;, \u0026lsquo;dot1x port-control force-authorized\u0026rsquo;, \u0026lsquo;no access-session port-control\u0026rsquo;, \u0026lsquo;no authentication port-control\u0026rsquo;, \u0026lsquo;no dot1x port-control\u0026rsquo;, or \u0026lsquo;no dot1x system-auth-control\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe network interface transitions to a force-authorized state, bypassing the normal authentication process.\u003c/li\u003e\n\u003cli\u003eAn unauthorized device is connected to the compromised network interface.\u003c/li\u003e\n\u003cli\u003eThe unauthorized device gains network access without proper authentication or authorization.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the unauthorized access for lateral movement to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys malicious payloads across the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of dot1x can lead to unauthorized network access, allowing attackers to bypass security controls. This can result in the compromise of sensitive data, the spread of malware, and the disruption of network services. 
The number of affected devices and the scope of the compromise depend on the network architecture and the attacker\u0026rsquo;s objectives. The impact could range from a single compromised workstation to a full-scale network breach affecting thousands of devices and users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCisco Dot1x Disabled\u003c/code\u003e to your SIEM to detect the execution of commands that disable 802.1X authentication.\u003c/li\u003e\n\u003cli\u003eMonitor Cisco AAA logs for events containing keywords such as \u0026lsquo;access-session port-control force-authorized\u0026rsquo; and \u0026lsquo;no dot1x system-auth-control\u0026rsquo; to identify potential attempts to disable dot1x.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all administrative access to Cisco network devices to prevent unauthorized command execution.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit the configuration of Cisco network devices to ensure that 802.1X is enabled and properly configured on all relevant interfaces.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"/briefs/2024-01-cisco-dot1x-disabled/","summary":"Detection of manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface, potentially allowing unauthorized network access and lateral movement.","title":"Cisco 802.1X (dot1x) Disabled on Network Interface","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-dot1x-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["attack.defense-evasion","attack.t1562.002"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly targeting Windows Event Tracing (ETW) and AutoLogger sessions to evade detection. 
The AutoLogger session is crucial as it records events early in the operating system boot process, providing security solutions with essential telemetry. This technique involves tampering with registry keys associated with AutoLogger sessions, specifically disabling or stopping them by setting DWORD values to 0. This is done to blind security solutions, preventing them from monitoring early boot activities and critical system events. Disabling these sessions allows adversaries to operate with less scrutiny, making it harder to detect malicious activities during the initial phases of a system compromise. This technique has been observed in attacks involving IcedID and XingLocker ransomware.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved through an as-yet-unspecified method (e.g., exploitation, phishing).\u003c/li\u003e\n\u003cli\u003eThe attacker gains administrative privileges on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies AutoLogger sessions to disable, focusing on those relevant to security monitoring, such as \u0026lsquo;\\EventLog-\u0026rsquo; or \u0026lsquo;\\Defender\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry to disable the targeted AutoLogger sessions. 
This involves setting the \u0026lsquo;Enabled\u0026rsquo; or \u0026lsquo;Start\u0026rsquo; DWORD values under the \u003ccode\u003eHKLM\\System\\CurrentControlSet\\Control\\WMI\\Autologger\u003c/code\u003e registry key to 0.\u003c/li\u003e\n\u003cli\u003eThe attacker may use tools like \u003ccode\u003ewevtutil.exe\u003c/code\u003e or directly interact with the registry via PowerShell or \u003ccode\u003ecmd.exe\u003c/code\u003e to make these changes.\u003c/li\u003e\n\u003cli\u003eThe security monitoring capabilities reliant on the tampered AutoLogger sessions are effectively impaired or disabled.\u003c/li\u003e\n\u003cli\u003eWith logging impaired, the attacker proceeds with the main objectives, such as lateral movement, data exfiltration, or ransomware deployment, with a reduced risk of detection.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is to compromise the system, steal data, or deploy ransomware, bypassing security measures that rely on early boot and system event logging.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful tampering with AutoLogger sessions can significantly reduce the visibility of security solutions, allowing attackers to operate undetected for extended periods. This can lead to delayed incident response, increased dwell time, and greater potential for damage, including data breaches, financial losses, and reputational damage. The sectors most at risk are those heavily reliant on Windows-based systems and proactive security monitoring. 
The DFIR Report documented a case where adversaries moved from IcedID infection to XingLocker ransomware deployment within 24 hours, highlighting the speed and potential impact of these attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePotential AutoLogger Sessions Tampering\u003c/code\u003e to your SIEM to detect malicious registry modifications related to AutoLogger sessions.\u003c/li\u003e\n\u003cli\u003eInvestigate any registry modifications under the \u003ccode\u003e\\Control\\WMI\\Autologger\\\u003c/code\u003e path, focusing on changes to \u003ccode\u003eEnabled\u003c/code\u003e or \u003ccode\u003eStart\u003c/code\u003e values, as identified in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ewevtutil.exe\u003c/code\u003e modifying registry keys related to AutoLogger, as specified in the \u003ccode\u003efilter_main_wevtutil\u003c/code\u003e section of the Sigma rule.\u003c/li\u003e\n\u003cli\u003eCorrelate registry modification events with process execution events to identify the source of the tampering, paying close attention to processes originating from the Windows Defender platform, as outlined in the \u003ccode\u003efilter_main_defender\u003c/code\u003e section of the Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement endpoint detection and response (EDR) solutions with robust registry monitoring capabilities to identify and block unauthorized modifications to AutoLogger settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-autologger-tampering/","summary":"Attackers may disable AutoLogger sessions by modifying specific registry values to evade detection and prevent security monitoring of early boot activities and system events, a technique observed in intrusions involving IcedID and XingLocker 
ransomware.","title":"Windows AutoLogger Session Tampering Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-autologger-tampering/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["attack.execution","attack.defense-evasion","attack.t1059.006","attack.t1027.010"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAttackers frequently leverage Python one-liners with base64 encoding to obfuscate and execute malicious code. This technique bypasses standard security measures by concealing the true nature of the payload. The abuse involves embedding base64-encoded commands within Python scripts, which are then decoded and executed at runtime. While legitimate uses of Python and base64 exist, their combination in a single command line, especially with execution flags, is a strong indicator of malicious activity. This technique has been observed in various attacks, including those originating from fake AI websites, where malicious Python code is injected to perform unauthorized actions. 
Defenders should monitor for such patterns to identify and neutralize potential threats.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains access to the system, often through social engineering or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003ePayload Delivery: A base64-encoded payload is delivered to the victim machine via email, website, or other means.\u003c/li\u003e\n\u003cli\u003ePython Invocation: Python is invoked via the command line, often using \u003ccode\u003epython.exe\u003c/code\u003e or \u003ccode\u003epython3\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImport Base64 Module: The \u003ccode\u003eimport base64\u003c/code\u003e statement is used to load the necessary decoding libraries.\u003c/li\u003e\n\u003cli\u003eDecoding Execution: The base64-encoded payload is decoded using functions like \u003ccode\u003ebase64.b64decode()\u003c/code\u003e within the Python one-liner using the \u003ccode\u003e-c\u003c/code\u003e flag for command execution.\u003c/li\u003e\n\u003cli\u003eCode Execution: The decoded payload is executed in memory, performing malicious actions such as installing malware or establishing persistence.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker leverages the compromised system to move laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003cli\u003eData Exfiltration/System Damage: The attacker exfiltrates sensitive data or causes damage to the system, depending on their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete system compromise, data theft, and potentially, a foothold for lateral movement within the network. The use of base64 encoding significantly hinders detection efforts, allowing attackers to operate undetected for extended periods. 
If successful, organizations could face data breaches, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule targeting \u003ccode\u003eprocess_creation\u003c/code\u003e events on Windows systems to detect Python commands utilizing base64 decoding functions (\u003ccode\u003eCommandLine|contains\u003c/code\u003e with \u003ccode\u003eimport base64\u003c/code\u003e, \u003ccode\u003eb64decode\u003c/code\u003e, and \u003ccode\u003e-c\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInspect command-line arguments of Python processes for suspicious base64 decoding patterns (as seen in the detection rule).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized Python scripts, mitigating potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to ensure adequate coverage for the provided Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-python-base64-decode/","summary":"This brief outlines a method to detect malicious use of Python one-liners employing base64 decoding to execute obfuscated payloads, a common tactic for evading traditional security measures.","title":"Detection of Python One-Liners with Base64 Decoding","url":"https://feed.craftedsignal.io/briefs/2024-01-python-base64-decode/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["attack.execution","attack.t1047","attack.defense-evasion","attack.t1562.001"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may leverage WMIC, a legitimate Windows command-line utility, to modify the startup type of services. 
This tactic is often used to disable security products or critical system services, hindering incident response or creating system instability. By setting services to \u0026ldquo;Manual\u0026rdquo; or \u0026ldquo;Disabled\u0026rdquo;, adversaries ensure that these services do not automatically start upon system boot, achieving persistence or impeding detection. While WMIC is a built-in tool, its use for modifying service startup types is often indicative of malicious activity, especially when performed on security-related services. This activity may be part of a larger attack chain aimed at deploying ransomware, exfiltrating data, or establishing a persistent presence on the compromised system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, potentially through phishing, exploiting a vulnerability, or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewmic.exe\u003c/code\u003e with specific command-line arguments to interact with Windows services.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eservice\u003c/code\u003e alias is invoked within WMIC to target specific services.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eChangeStartMode\u003c/code\u003e method is used to modify the startup type of the targeted service.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the startup type to either \u003ccode\u003eManual\u003c/code\u003e or \u003ccode\u003eDisabled\u003c/code\u003e, preventing the service from automatically starting on subsequent reboots.\u003c/li\u003e\n\u003cli\u003eIf the targeted service is a security product, this action effectively disables the defense mechanism.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with further malicious activities, such as deploying malware or exfiltrating sensitive data, with reduced resistance.\u003c/li\u003e\n\u003cli\u003eThe compromised system 
experiences degraded security posture and potential operational disruptions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of service startup types can severely impact system security and availability. Disabling security software can lead to undetected malware infections and data breaches. Disabling critical system services can cause system instability, data loss, or complete system failure. While the exact number of victims is unknown, this technique is broadly applicable across Windows environments, potentially affecting organizations of any size and in any sector. The impact ranges from minor operational disruptions to significant financial losses due to data breaches and ransomware attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious \u003ccode\u003ewmic.exe\u003c/code\u003e process creations that attempt to change service startup types.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where \u003ccode\u003ewmic.exe\u003c/code\u003e is used to modify service startup types, especially when the targeted services are related to security or critical system functions.\u003c/li\u003e\n\u003cli\u003eImplement endpoint detection and response (EDR) solutions to provide enhanced visibility into process execution and system modifications.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit service configurations to identify unauthorized changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wmic-service-startup-change/","summary":"Adversaries use the Windows Management Instrumentation Command-line (WMIC) utility to modify the startup type of services, setting them to 'Manual' or 'Disabled' to impair defenses or disrupt system operations.","title":"Service Startup Type 
Modification via WMIC","url":"https://feed.craftedsignal.io/briefs/2024-01-wmic-service-startup-change/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["attack.execution","attack.defense-evasion","csc.exe","payload-delivery"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are leveraging the legitimate Csc.exe (C# compiler) to execute malicious code, often as a part of defense evasion or payload delivery. This is achieved by spawning Csc.exe from unusual parent processes such as scripting hosts (cscript.exe, wscript.exe), Office applications (excel.exe, winword.exe), or PowerShell, especially when combined with encoded commands. Observed techniques also include launching Csc.exe from temporary or unusual directories. This activity bypasses traditional application whitelisting and can lead to the execution of arbitrary code. This activity has been associated with WarzoneRAT, DarkVNC, and the delivery of IMAPLoader malware.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eA script or Office macro executes, initiating a command-line process.\u003c/li\u003e\n\u003cli\u003eThis process then invokes a scripting host (e.g., cscript.exe) or PowerShell.\u003c/li\u003e\n\u003cli\u003eThe scripting host or PowerShell executes a command that downloads or creates a C# source code file.\u003c/li\u003e\n\u003cli\u003eCsc.exe is then invoked, often from a temporary directory, to compile the downloaded/created C# code.\u003c/li\u003e\n\u003cli\u003eThe compiled C# code executes, performing malicious actions.\u003c/li\u003e\n\u003cli\u003eThe malicious code may establish persistence, communicate with a C2 server, or perform data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe final objective 
might be to deploy ransomware, steal sensitive data, or establish a persistent backdoor.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to compromise systems, steal data, or deploy malware. Depending on the user\u0026rsquo;s permissions, the attacker could gain elevated privileges. The observed techniques have been associated with ransomware deployment, data theft, and remote access trojans (RATs).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Csc.EXE Execution Form Potentially Suspicious Parent\u0026rdquo; to detect suspicious parent processes of csc.exe.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for csc.exe with parent processes like scripting hosts or Office applications.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of csc.exe being executed from temporary directories or user profile locations by reviewing process_creation logs.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture detailed process information, including parent-child relationships, for effective detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:00:00Z","date_published":"2024-01-02T15:00:00Z","id":"/briefs/2024-01-02-csc-suspicious-parent/","summary":"The Csc.exe (C# compiler) process is being launched by unusual parent processes or from suspicious locations, indicating potential malware execution or defense evasion.","title":"Suspicious CSC.exe Parent Process","url":"https://feed.craftedsignal.io/briefs/2024-01-02-csc-suspicious-parent/"}],"language":"en","title":"CraftedSignal Threat Feed — Attack.defense-Evasion","version":"https://jsonfeed.org/version/1.1"}