{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/binary-execution/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7,"id":"CVE-2025-0411"}],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["binary-execution","archive-bypass","motw-bypass"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis detection identifies suspicious execution patterns where Windows binaries are launched from archive-related paths within a user\u0026rsquo;s temporary directory. This technique is often employed by attackers to circumvent security mechanisms like Mark-of-the-Web (MOTW), as seen in instances such as CVE-2025-0411. The detection focuses on binaries executed by trusted processes like \u003ccode\u003eexplorer.exe\u003c/code\u003e, \u003ccode\u003ewinrar.exe\u003c/code\u003e, and \u003ccode\u003e7zFM.exe\u003c/code\u003e. The targeted process paths include the user\u0026rsquo;s Temp directory and archive markers like RAR, 7z, or ZIP. \nThis behavior allows attackers to execute malicious code without triggering standard security alerts, making it crucial for defenders to monitor for this anomaly.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user receives a malicious archive file (e.g., RAR, ZIP, 7z) via phishing or drive-by download.\u003c/li\u003e\n\u003cli\u003eThe user opens the archive using \u003ccode\u003eexplorer.exe\u003c/code\u003e, \u003ccode\u003ewinrar.exe\u003c/code\u003e, or \u003ccode\u003e7zFM.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe archive contains a malicious executable file disguised as a legitimate document or media file.\u003c/li\u003e\n\u003cli\u003eThe executable is extracted to a temporary directory within the user\u0026rsquo;s \u003ccode\u003eAppData\\Local\\Temp\\\u003c/code\u003e folder.\u003c/li\u003e\n\u003cli\u003eThe user clicks on the extracted file, triggering its execution.\u003c/li\u003e\n\u003cli\u003eBecause the file was extracted from an archive and executed from the Temp directory, it might bypass Mark-of-the-Web (MOTW) protections.\u003c/li\u003e\n\u003cli\u003eThe malicious executable performs its intended actions, such as installing malware, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the system or network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the installation of malware, data theft, and complete system compromise. By bypassing MOTW and other security measures, attackers can gain a foothold in the network and move laterally to access sensitive data. The impact can range from individual user compromises to large-scale data breaches, causing significant financial and reputational damage. \nThe exploitation of CVE-2025-0411 and similar vulnerabilities can affect a wide range of users who regularly interact with archive files.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eBinary Executed from Archive-Related Temp Path\u003c/code\u003e to your SIEM and tune for your environment to detect the execution of binaries from archive-related paths within the user\u0026rsquo;s Temp directory.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent process, executed path, and user context.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of binaries from temporary directories.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening suspicious archive files and clicking on extracted executables.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events (Sysmon EventID 1 or CrowdStrike ProcessRollup2) for unusual parent-child process relationships involving archive extraction tools and executables.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-03-binary-exec-from-archive/","summary":"Detects the execution of a binary from archive-related paths within a user's Temp directory, potentially indicating attempts to bypass Mark-of-the-Web (MOTW) or exploit vulnerabilities like CVE-2025-0411.","title":"Windows Binary Execution from Archive-Related Paths","url":"https://feed.craftedsignal.io/briefs/2024-01-03-binary-exec-from-archive/"}],"language":"en","title":"CraftedSignal Threat Feed — Binary-Execution","version":"https://jsonfeed.org/version/1.1"}