{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attack.t1562.001/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["IOS"],"_cs_severities":["medium"],"_cs_tags":["attack.defense-evasion","attack.persistence","attack.credential-access","attack.t1562.001","attack.t1556.004"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThe disabling of 802.1X authentication on a Cisco network device can bypass Network Access Control (NAC) mechanisms, potentially granting unauthorized devices access to the internal network. Attackers or malicious insiders might disable dot1x to establish persistence or facilitate lateral movement by connecting rogue devices to the network. This can be accomplished through CLI commands such as \u0026lsquo;access-session port-control force-authorized\u0026rsquo; or \u0026lsquo;no dot1x system-auth-control\u0026rsquo;, depending on the IOS version. These commands either disable 802.1X on a specific interface or globally across the device. 
The targeted scope is Cisco network devices utilizing 802.1X for network access control.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains privileged access to a Cisco network device via compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker executes CLI commands to disable 802.1X authentication on a specific interface or globally.\u003c/li\u003e\n\u003cli\u003eCommands used may include \u0026lsquo;access-session port-control force-authorized\u0026rsquo;, \u0026lsquo;authentication port-control force-authorized\u0026rsquo;, \u0026lsquo;dot1x port-control force-authorized\u0026rsquo;, \u0026lsquo;no access-session port-control\u0026rsquo;, \u0026lsquo;no authentication port-control\u0026rsquo;, \u0026lsquo;no dot1x port-control\u0026rsquo;, or \u0026lsquo;no dot1x system-auth-control\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe network interface transitions to a force-authorized state, bypassing the normal authentication process.\u003c/li\u003e\n\u003cli\u003eAn unauthorized device is connected to the compromised network interface.\u003c/li\u003e\n\u003cli\u003eThe unauthorized device gains network access without proper authentication or authorization.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the unauthorized access for lateral movement to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys malicious payloads across the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of dot1x can lead to unauthorized network access, allowing attackers to bypass security controls. This can result in the compromise of sensitive data, the spread of malware, and the disruption of network services. 
The number of affected devices and the scope of the compromise depend on the network architecture and the attacker\u0026rsquo;s objectives. The impact could range from a single compromised workstation to a full-scale network breach affecting thousands of devices and users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCisco Dot1x Disabled\u003c/code\u003e to your SIEM to detect the execution of commands that disable 802.1X authentication.\u003c/li\u003e\n\u003cli\u003eMonitor Cisco AAA logs for events containing keywords such as \u0026lsquo;access-session port-control force-authorized\u0026rsquo; and \u0026lsquo;no dot1x system-auth-control\u0026rsquo; to identify potential attempts to disable dot1x.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all administrative access to Cisco network devices to prevent unauthorized command execution.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit the configuration of Cisco network devices to ensure that 802.1X is enabled and properly configured on all relevant interfaces.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"/briefs/2024-01-cisco-dot1x-disabled/","summary":"Detection of manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface, potentially allowing unauthorized network access and lateral movement.","title":"Cisco 802.1X (dot1x) Disabled on Network Interface","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-dot1x-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["attack.execution","attack.t1047","attack.defense-evasion","attack.t1562.001"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may leverage WMIC, a legitimate Windows command-line utility, to 
modify the startup type of services. This tactic is often used to disable security products or critical system services, hindering incident response or creating system instability. By setting services to \u0026ldquo;Manual\u0026rdquo; or \u0026ldquo;Disabled\u0026rdquo;, adversaries ensure that these services do not automatically start upon system boot, achieving persistence or impeding detection. While WMIC is a built-in tool, its use for modifying service startup types is often indicative of malicious activity, especially when performed on security-related services. This activity may be part of a larger attack chain aimed at deploying ransomware, exfiltrating data, or establishing a persistent presence on the compromised system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, potentially through phishing, exploiting a vulnerability, or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewmic.exe\u003c/code\u003e with specific command-line arguments to interact with Windows services.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eservice\u003c/code\u003e alias is invoked within WMIC to target specific services.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eChangeStartMode\u003c/code\u003e method is used to modify the startup type of the targeted service.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the startup type to either \u003ccode\u003eManual\u003c/code\u003e or \u003ccode\u003eDisabled\u003c/code\u003e, preventing the service from automatically starting on subsequent reboots.\u003c/li\u003e\n\u003cli\u003eIf the targeted service is a security product, this action effectively disables the defense mechanism.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with further malicious activities, such as deploying malware or exfiltrating sensitive data, with reduced 
resistance.\u003c/li\u003e\n\u003cli\u003eThe compromised system experiences degraded security posture and potential operational disruptions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of service startup types can severely impact system security and availability. Disabling security software can lead to undetected malware infections and data breaches. Disabling critical system services can cause system instability, data loss, or complete system failure. While the exact number of victims is unknown, this technique is broadly applicable across Windows environments, potentially affecting organizations of any size and in any sector. The impact ranges from minor operational disruptions to significant financial losses due to data breaches and ransomware attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious \u003ccode\u003ewmic.exe\u003c/code\u003e process creations that attempt to change service startup types.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where \u003ccode\u003ewmic.exe\u003c/code\u003e is used to modify service startup types, especially when the targeted services are related to security or critical system functions.\u003c/li\u003e\n\u003cli\u003eImplement endpoint detection and response (EDR) solutions to provide enhanced visibility into process execution and system modifications.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit service configurations to identify unauthorized changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wmic-service-startup-change/","summary":"Adversaries use the Windows Management Instrumentation Command-line (WMIC) utility to modify the startup type of services, setting them to 'Manual' or 'Disabled' to impair 
defenses or disrupt system operations.","title":"Service Startup Type Modification via WMIC","url":"https://feed.craftedsignal.io/briefs/2024-01-wmic-service-startup-change/"}],"language":"en","title":"CraftedSignal Threat Feed — Attack.t1562.001","version":"https://jsonfeed.org/version/1.1"}