{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attack.t1547.001/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["attack.privilege-escalation","attack.persistence","attack.t1547.001"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers can manipulate Windows Registry Classes keys, an autostart extensibility point (ASEP), to achieve persistence. These keys control how the operating system handles specific file types and shell actions, so an adversary who rewrites them can have malicious code run whenever a user interacts with a given file type (e.g., opening a .exe) or performs a particular action in the shell. This technique, observed since at least 2019, lets malicious actors keep a persistent foothold on compromised systems. Because legitimate software also writes these keys, detection is noisy by nature: careful filtering, tuning and review are needed to separate malicious modifications from benign software installations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access through a separate vector (e.g., phishing, exploit). This stage is not covered by this detection, which focuses on post-exploitation activity.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (if needed): The attacker may need elevated privileges to modify certain registry keys. 
Writing under \u003ccode\u003eHKLM\\Software\\Classes\u003c/code\u003e requires administrative rights, which the attacker may obtain by exploiting a vulnerability or by using rights already held; the per-user hive \u003ccode\u003eHKCU\\Software\\Classes\u003c/code\u003e, however, is writable by a standard user and takes precedence over the machine-wide entries for that user, so no elevation is needed for user-scoped persistence.\u003c/li\u003e\n\u003cli\u003eRegistry Key Modification: The attacker modifies specific keys under \u003ccode\u003e\\Software\\Classes\u003c/code\u003e in the Windows Registry. Common targets include \u003ccode\u003e\\Folder\\ShellEx\\ExtShellFolderViews\u003c/code\u003e, \u003ccode\u003e\\.exe\u003c/code\u003e, and \u003ccode\u003e\\Directory\\Shellex\\DragDropHandlers\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003ePayload Placement: The attacker points the registry entry at a malicious executable or script, either by replacing the default command (for example a file type\u0026rsquo;s \u003ccode\u003eshell\\open\\command\u003c/code\u003e value) or by adding a new handler.\u003c/li\u003e\n\u003cli\u003eExecution Trigger: The malicious code is configured to execute when a user interacts with the associated file type or shell action (e.g., opening a .exe file, right-clicking a folder).\u003c/li\u003e\n\u003cli\u003eMalicious Payload Execution: When the configured trigger occurs, the malicious payload executes, giving the attacker control over the system.\u003c/li\u003e\n\u003cli\u003ePersistence Maintained: The modified registry keys ensure that the malicious payload will continue to execute whenever the trigger occurs, maintaining persistence across reboots or user logons.\u003c/li\u003e\n\u003cli\u003eObjective Achieved: The attacker leverages persistent access to achieve their objectives, such as data exfiltration, lateral movement, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to compromised systems, bypassing traditional security measures. This can lead to significant data breaches, financial losses, and reputational damage. The population of potential victims is broad: any Windows system on which an attacker can write to these keys is exposed. 
The types of damage possible range from credential theft to ransomware deployment, depending on the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Windows Registry auditing and monitor \u003ccode\u003eregistry_set\u003c/code\u003e events (Sysmon Event ID 13, RegistryEvent: Value Set) for modifications to keys under \u003ccode\u003e\\Software\\Classes\u003c/code\u003e to identify suspicious activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Classes Autorun Keys Modification\u0026rdquo; to your SIEM and tune its filters (the \u003ccode\u003efilter_main_*\u003c/code\u003e and \u003ccode\u003efilter_optional_*\u003c/code\u003e selections) for your specific environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any registry modifications detected by the Sigma rule, focusing on unusual executables or scripts being launched from these locations and on the writing process (the \u003ccode\u003eImage\u003c/code\u003e field): installers are expected to touch these keys, whereas \u003ccode\u003ereg.exe\u003c/code\u003e, script hosts and binaries running from user-writable directories are not.\u003c/li\u003e\n\u003cli\u003eRegularly review and update the filters in the Sigma rule to account for legitimate software changes in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-28T12:00:00Z","date_published":"2024-01-28T12:00:00Z","id":"/briefs/2024-01-28-classes-autorun-keys-modification/","summary":"Adversaries modify Windows Registry Classes keys to establish persistence by executing malicious code when specific file types are opened or actions are performed, potentially leading to privilege escalation and persistent access.","title":"Windows Registry Classes Autorun Keys Modification for Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-28-classes-autorun-keys-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Office"],"_cs_severities":["medium"],"_cs_tags":["attack.privilege-escalation","attack.persistence","attack.t1547.001"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may target Microsoft Office applications\u0026rsquo; autostart 
extensibility points (ASEPs) in the Windows Registry to establish persistence. By modifying specific registry keys, malicious actors can ensure that their code is executed each time an Office application, such as Word, Excel, or Outlook, is launched. This technique is often employed to maintain a foothold on a compromised system. While legitimate add-ins also leverage these registry keys, unauthorized modifications can lead to the execution of arbitrary code, potentially resulting in data theft, system compromise, or further exploitation. Defenders should be aware that many legitimate applications modify these keys, so thorough testing and tuning are required.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system via an unrelated method.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the relevant Office application ASEP registry keys: \u003ccode\u003e\\Software\\Wow6432Node\\Microsoft\\Office\u003c/code\u003e, \u003ccode\u003e\\Software\\Microsoft\\Office\u003c/code\u003e and specific application keys like \u003ccode\u003e\\Word\\Addins\u003c/code\u003e, \u003ccode\u003e\\Excel\\Addins\u003c/code\u003e, etc.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry key so that it resolves to a malicious executable, DLL or script; for a COM add-in this means creating a subkey under \u003ccode\u003eAddins\u003c/code\u003e whose \u003ccode\u003eLoadBehavior\u003c/code\u003e value is 3 (load at startup) and whose ProgID maps to the attacker\u0026rsquo;s component. 
This could be achieved using tools like \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell.\u003c/li\u003e\n\u003cli\u003eThe registry modification ensures that the malicious code is executed upon the next launch of the targeted Office application.\u003c/li\u003e\n\u003cli\u003eThe user launches the Office application (e.g., Word, Excel, Outlook).\u003c/li\u003e\n\u003cli\u003eThe Office application reads the modified registry key and executes the associated malicious code.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs its intended actions, such as downloading additional payloads, establishing command and control, or stealing data.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence on the system through the modified registry key, ensuring continued access and control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to achieve persistence on compromised systems. This can lead to data exfiltration, deployment of ransomware, or further lateral movement within the network. The modification of these keys is often performed to maintain a persistent presence, allowing attackers to regain access to the system even after reboots or user logoffs. 
While the number of direct victims is unknown, the potential for widespread impact is significant, especially in organizations heavily reliant on Microsoft Office applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable registry modification logging (Sysmon Event ID 13 or equivalent) and deploy the provided Sigma rules to your SIEM to detect suspicious changes to Office application autostart registry keys.\u003c/li\u003e\n\u003cli\u003eRegularly audit the Office application add-ins installed on systems, including the \u003ccode\u003eAddins\u003c/code\u003e keys under both the native and \u003ccode\u003eWow6432Node\u003c/code\u003e Office paths in HKLM and HKCU, to identify and remove any unauthorized or malicious extensions.\u003c/li\u003e\n\u003cli\u003eImplement application control (allowlisting) to prevent the execution of unauthorized executables and scripts.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for Office applications launching unusual or suspicious child processes.\u003c/li\u003e\n\u003cli\u003eTune and customize the provided Sigma rules based on your environment\u0026rsquo;s baseline of legitimate Office add-in activity to minimize false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-office-autorun-registry-modification/","summary":"Adversaries modify Office application autostart extensibility point (ASEP) registry keys to achieve persistence and execute malicious code when Office applications are launched.","title":"Office Application Autorun Registry Key Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-03-office-autorun-registry-modification/"}],"language":"en","title":"CraftedSignal Threat Feed — Attack.t1547.001","version":"https://jsonfeed.org/version/1.1"}
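Worked example for both briefs above (added here; it is neither CraftedSignal's code nor the Sigma project's rules): a small Python detector that applies the key paths the briefs name to constructed Sysmon Event ID 13 (Sigma `registry_set`) records, drops hits from one filter_main_-style allowlisted image, and ranks the rest by what the written value data points at. The allowlist (`msiexec.exe`), the priority heuristic, and every sample path, SID and GUID are assumptions constructed for the example, not real telemetry or the rules' real filter lists.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RegistrySetEvent:
    """Sysmon Event ID 13 (RegistryEvent: Value Set) fields exposed by Sigma's registry_set logsource."""
    image: str          # process that wrote the value
    target_object: str  # full path of the key/value that was written
    details: str        # data that was written


# Key fragments named in the two briefs. Sigma "contains" on TargetObject is
# case-insensitive, so everything is compared lower-cased.
CLASSES_ROOT = "\\software\\classes\\"
CLASSES_ASEP_FRAGMENTS = ("\\folder\\shellex\\extshellfolderviews", "\\.exe", "\\directory\\shellex\\dragdrophandlers")
OFFICE_ROOTS = ("\\software\\microsoft\\office", "\\software\\wow6432node\\microsoft\\office")
OFFICE_ADDIN_FRAGMENTS = ("\\word\\addins", "\\excel\\addins", "\\outlook\\addins", "\\powerpoint\\addins")

# Assumption: one illustrative filter_main_* entry. The Windows Installer service
# legitimately writes Classes keys during MSI installs. For production, port the
# real rules' filter_main_* / filter_optional_* selections instead of this list.
FILTER_MAIN_IMAGE_SUFFIXES = ("\\msiexec.exe",)

# Assumption: a triage heuristic of my own, not part of the Sigma rules. Value data
# naming a user-writable path or a script host is a stronger signal than a CLSID or DWORD.
SUSPICIOUS_DETAILS_FRAGMENTS = ("\\users\\", "\\appdata\\", "\\temp\\", "powershell", "wscript", "cscript", "mshta")


def rule_for(target_object: str) -> Optional[str]:
    """Return the name of the brief's rule whose selection the key path matches, else None."""
    t = target_object.lower()
    if CLASSES_ROOT in t and any(f in t for f in CLASSES_ASEP_FRAGMENTS):
        return "Classes Autorun Keys Modification"
    if any(r in t for r in OFFICE_ROOTS) and any(f in t for f in OFFICE_ADDIN_FRAGMENTS):
        return "Office Application Autorun Registry Key Modification"
    return None


def is_filtered(event: RegistrySetEvent) -> bool:
    """filter_main_* analogue: drop writes made by an allowlisted image."""
    return event.image.lower().endswith(FILTER_MAIN_IMAGE_SUFFIXES)


def detect(events) -> list:
    """Selection, then filters, then triage, over a sequence of registry_set events."""
    alerts = []
    for ev in events:
        rule = rule_for(ev.target_object)
        if rule is None or is_filtered(ev):
            continue
        suspicious = any(f in ev.details.lower() for f in SUSPICIOUS_DETAILS_FRAGMENTS)
        alerts.append({
            "rule": rule,
            "priority": "high" if suspicious else "medium",
            "image": ev.image,
            "target_object": ev.target_object,
            "details": ev.details,
        })
    return alerts


# Constructed sample events (not real telemetry); SIDs and GUIDs are placeholders.
SAMPLE_EVENTS = [
    # .exe handler hijack written by a temp-dir binary: selection hit, high priority
    RegistrySetEvent(r"C:\Users\alice\AppData\Local\Temp\setup.exe",
                     r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\.exe\shell\open\command\(Default)",
                     r'"C:\Users\alice\AppData\Roaming\svc.exe" "%1" %*'),
    # MSI install registering a drag-drop handler: selection hit, filtered as benign
    RegistrySetEvent(r"C:\Windows\System32\msiexec.exe",
                     r"HKLM\SOFTWARE\Classes\Directory\Shellex\DragDropHandlers\{00000000-0000-0000-0000-000000000001}\(Default)",
                     "{00000000-0000-0000-0000-000000000001}"),
    # reg.exe enabling a Word COM add-in (LoadBehavior 3 = load at startup): medium
    RegistrySetEvent(r"C:\Windows\System32\reg.exe",
                     r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\Word\Addins\Updater.Connect\LoadBehavior",
                     "DWORD (0x00000003)"),
    # Unrelated application setting: no selection hit
    RegistrySetEvent(r"C:\Program Files\ExampleApp\app.exe",
                     r"HKU\S-1-5-21-1111-2222-3333-1001\Software\ExampleApp\Settings\Theme",
                     "dark"),
    # 32-bit Office add-in registered by a Downloads-dir binary: medium
    RegistrySetEvent(r"C:\Users\bob\Downloads\update.exe",
                     r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Excel\Addins\Helper.Connect\LoadBehavior",
                     "DWORD (0x00000003)"),
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['priority']}] {alert['rule']}: {alert['image']} -> {alert['target_object']}")
```

Running the script reports three of the five constructed events: the `.exe` handler hijack at high priority, and the two add-in registrations at medium, while the `msiexec.exe` write is suppressed by the allowlist. Note that the Office add-in hits carry only a DWORD in `Details`, so the `Image` that wrote them (`reg.exe`, a binary in `Downloads`) is what an analyst has to pivot on; the brief's recommendation to tune against a baseline of legitimate add-in activity is what keeps that signal usable.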