<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Attack.t1547.001 — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/attack.t1547.001/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 28 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/attack.t1547.001/feed.xml" rel="self" type="application/rss+xml"/><item><title>Windows Registry Classes Autorun Keys Modification for Persistence</title><link>https://feed.craftedsignal.io/briefs/2024-01-28-classes-autorun-keys-modification/</link><pubDate>Sun, 28 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-28-classes-autorun-keys-modification/</guid><description>Adversaries modify Windows Registry Classes keys to establish persistence by executing malicious code when specific file types are opened or actions are performed, potentially leading to privilege escalation and persistent access.</description><content:encoded><![CDATA[<p>Attackers can manipulate Windows Registry Classes keys, an autostart extensibility point (ASEP), to achieve persistence. This involves modifying registry entries that control how the operating system handles specific file types or shell actions. By modifying these keys, adversaries can ensure their malicious code executes whenever a user interacts with a specific file type (e.g., opening an .exe) or performs a specific action within the shell. 
This technique, which has been observed since at least 2019, allows malicious actors to maintain a persistent foothold on compromised systems. While legitimate software also utilizes these registry keys, careful filtering and monitoring are crucial for distinguishing malicious modifications from benign software installations. Detection can be noisy because these keys are legitimately used, so tuning and review are critical.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: The attacker gains initial access through a separate vector (e.g., phishing, exploit). This stage is not covered by this detection, which focuses on post-exploitation activity.</li>
<li>Privilege Escalation (if needed): The attacker may need elevated privileges to modify certain registry keys. This can involve exploiting vulnerabilities or leveraging existing administrative rights.</li>
<li>Registry Key Modification: The attacker modifies specific keys under <code>\Software\Classes</code> in the Windows Registry. Common targets include <code>\Folder\ShellEx\ExtShellFolderViews</code>, <code>\.exe</code>, and <code>\Directory\Shellex\DragDropHandlers</code>.</li>
<li>Payload Placement: The attacker modifies the registry entry to point to a malicious executable or script. This may involve replacing the default command or adding a new handler.</li>
<li>Execution Trigger: The malicious code is configured to execute when a user interacts with the associated file type or shell action (e.g., opening a .exe file, right-clicking a folder).</li>
<li>Malicious Payload Execution: When the configured trigger occurs, the malicious payload executes, giving the attacker control over the system.</li>
<li>Persistence Maintained: The modified registry keys ensure that the malicious payload will continue to execute whenever the trigger occurs, maintaining persistence across reboots or user logons.</li>
<li>Objective Achieved: The attacker leverages persistent access to achieve their objectives, such as data exfiltration, lateral movement, or deploying ransomware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to maintain persistent access to compromised systems, bypassing traditional security measures. This can lead to significant data breaches, financial losses, and reputational damage. The number of potential victims is broad, as any Windows system is potentially vulnerable. The types of damage possible range from credential theft to ransomware deployment, depending on the attacker&rsquo;s objectives.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Windows Registry auditing and monitor <code>registry_set</code> events for modifications to keys under <code>\Software\Classes</code> to identify suspicious activity.</li>
<li>Deploy the Sigma rule &ldquo;Classes Autorun Keys Modification&rdquo; to your SIEM and tune the filters (<code>filter_main_*</code>, <code>filter_optional_*</code>) for your specific environment to reduce false positives.</li>
<li>Investigate any registry modifications detected by the Sigma rule, focusing on unusual executables or scripts being launched from these locations.</li>
<li>Regularly review and update the filters in the Sigma rule to account for legitimate software changes in your environment.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>attack.privilege-escalation</category><category>attack.persistence</category><category>attack.t1547.001</category></item><item><title>Office Application Autorun Registry Key Modification</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-office-autorun-registry-modification/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-office-autorun-registry-modification/</guid><description>Adversaries modify Office application autostart extensibility point (ASEP) registry keys to achieve persistence and execute malicious code when Office applications are launched.</description><content:encoded><![CDATA[<p>Attackers may target Microsoft Office applications&rsquo; autostart extensibility points (ASEPs) in the Windows Registry to establish persistence. By modifying specific registry keys, malicious actors can ensure that their code is executed each time an Office application, such as Word, Excel, or Outlook, is launched. This technique is often employed to maintain a foothold on a compromised system. While legitimate add-ins also leverage these registry keys, unauthorized modifications can lead to the execution of arbitrary code, potentially resulting in data theft, system compromise, or further exploitation. Defenders should be aware that many legitimate applications modify these keys. Thorough testing and tuning is required.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to the system via an unrelated method.</li>
<li>The attacker identifies the relevant Office application ASEP registry keys: <code>\Software\Wow6432Node\Microsoft\Office</code>, <code>\Software\Microsoft\Office</code> and specific application keys like <code>\Word\Addins</code>, <code>\Excel\Addins</code>, etc.</li>
<li>The attacker modifies the registry key to point to a malicious executable or script. This could be achieved using tools like <code>reg.exe</code> or PowerShell.</li>
<li>The registry modification ensures that the malicious code is executed upon the next launch of the targeted Office application.</li>
<li>The user launches the Office application (e.g., Word, Excel, Outlook).</li>
<li>The Office application reads the modified registry key and executes the associated malicious code.</li>
<li>The malicious code performs its intended actions, such as downloading additional payloads, establishing command and control, or stealing data.</li>
<li>The attacker maintains persistence on the system through the modified registry key, ensuring continued access and control.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to achieve persistence on compromised systems. This can lead to data exfiltration, deployment of ransomware, or further lateral movement within the network. The modification of these keys is often performed to maintain a persistent presence, allowing attackers to regain access to the system even after reboots or user logoffs. While the number of direct victims is unknown, the potential for widespread impact is significant, especially in organizations heavily reliant on Microsoft Office applications.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable registry modification logging and deploy the provided Sigma rules to your SIEM to detect suspicious changes to Office application autostart registry keys.</li>
<li>Regularly audit the Office application add-ins installed on systems to identify and remove any unauthorized or malicious extensions (reference: Sigma rules).</li>
<li>Implement application whitelisting to prevent the execution of unauthorized executables and scripts (reference: Attack Chain).</li>
<li>Monitor process execution events for Office applications launching unusual or suspicious child processes (reference: Attack Chain).</li>
<li>Tune and customize the provided Sigma rules based on your environment&rsquo;s baseline of legitimate Office add-in activity to minimize false positives (reference: Sigma rules).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>attack.privilege-escalation</category><category>attack.persistence</category><category>attack.t1547.001</category></item></channel></rss>