{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attack/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Security"],"_cs_severities":["high"],"_cs_tags":["threat-detection","higher-order-rule","attack"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule correlates multiple security alerts associated with the same ATT\u0026amp;CK tactic on a single host within a defined time window (60 minutes). The purpose of this rule is to identify hosts exhibiting concentrated malicious behavior, which may indicate an active intrusion or post-compromise activity. This allows analysts to prioritize triage towards hosts with a higher likelihood of compromise. The rule specifically excludes noisy tactics such as Discovery, Persistence, and Lateral Movement, focusing instead on tactics like Credential Access, Defense Evasion, Execution, and Command and Control. It requires at least three unique detection rules to trigger, ensuring that the activity is not a single, isolated event. The rule also excludes alerts generated by Machine Learning and Threat Match rules, as well as some noisy rules such as \u0026ldquo;Agent Spoofing - Mismatched Agent ID\u0026rdquo; and \u0026ldquo;Process Termination followed by Deletion\u0026rdquo;.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to a host through methods like exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e The attacker executes malicious code on the compromised host, potentially using tools like PowerShell or cmd.exe.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker attempts to evade detection by disabling security controls or obfuscating their actions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker attempts to steal credentials from the compromised host, such as passwords or Kerberos tickets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The attacker establishes a command and control channel to communicate with the compromised host.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFurther Exploitation:\u003c/strong\u003e The attacker uses the compromised host to move laterally within the network, potentially targeting other systems or data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration or Impact:\u003c/strong\u003e The attacker exfiltrates sensitive data from the network or causes damage to systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to significant data breaches, financial losses, and reputational damage. By identifying hosts exhibiting multiple alerts related to the same ATT\u0026amp;CK tactic, organizations can proactively respond to potential intrusions before they escalate into more serious incidents. Failure to detect and respond to these types of attacks can result in widespread compromise and significant disruption to business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM to detect hosts exhibiting multiple alerts within the same ATT\u0026amp;CK tactic. Tune the rule to your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate hosts that trigger the Sigma rule to determine the root cause of the alerts and take appropriate remediation steps.\u003c/li\u003e\n\u003cli\u003eReview and update your existing detection rules to ensure they are effective at detecting the latest threats and tactics.\u003c/li\u003e\n\u003cli\u003eEnable logging for process creation, network connections, and file modifications to provide more visibility into host activity and improve detection capabilities.\u003c/li\u003e\n\u003cli\u003eImplement a vulnerability management program to identify and patch vulnerabilities on your systems to prevent attackers from gaining initial access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-multiple-alerts-same-tactic/","summary":"This rule correlates multiple security alerts associated with the same ATT\u0026CK tactic on a single host within a defined time window, helping to identify hosts exhibiting concentrated malicious behavior indicative of an active intrusion or post-compromise activity, focusing on Credential Access, Defense Evasion, Execution, and Command and Control tactics.","title":"Multiple Alerts in Same ATT\u0026CK Tactic by Host","url":"https://feed.craftedsignal.io/briefs/2024-01-multiple-alerts-same-tactic/"}],"language":"en","title":"CraftedSignal Threat Feed — Attack","version":"https://jsonfeed.org/version/1.1"}