{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cisco-nvm/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["lolbin","file-sharing","cisco-nvm"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief addresses the abuse of living-off-the-land binaries (LOLBins) to download malicious payloads from file-sharing websites. Attackers leverage tools like \u003ccode\u003ecurl.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003emsiexec.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, and \u003ccode\u003ewmic.exe\u003c/code\u003e to retrieve payloads from public hosting platforms such as GitHub, Discord CDN, Transfer.sh, or Pastebin. This activity often bypasses traditional security measures, blending malicious network traffic with legitimate system processes. The detection outlined here relies on Cisco Network Visibility Module logs to provide network flow activity with process context, including command-line arguments, process path, and parent process information. Identifying this behavior is crucial for preventing initial access, detecting payload staging, and uncovering command and control activities disguised as normal operations. This approach is especially relevant given the increasing sophistication of threat actors and their ability to mask malicious behavior within trusted system processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access through an undisclosed method (e.g., compromised account, software vulnerability).\u003c/li\u003e\n\u003cli\u003eLOLBin Execution: A living-off-the-land binary (e.g., \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecurl.exe\u003c/code\u003e) is executed on the compromised system.\u003c/li\u003e\n\u003cli\u003eDownload Attempt: The LOLBin is used to download a file from a public file-sharing service (e.g., \u003ccode\u003egithubusercontent.com\u003c/code\u003e, \u003ccode\u003epastebin.com\u003c/code\u003e). The command line includes the URL of the hosted payload.\u003c/li\u003e\n\u003cli\u003ePayload Staging: The downloaded file is saved to a temporary location on the system (e.g., \u003ccode\u003eC:\\Windows\\Temp\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eExecution: The downloaded file is executed. This could be a script (e.g., PowerShell, VBScript) or an executable.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence by creating a scheduled task, modifying registry keys, or other methods.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses compromised credentials or exploits vulnerabilities to move laterally to other systems on the network.\u003c/li\u003e\n\u003cli\u003eObjective Achieved: The attacker achieves their final objective, which could be data exfiltration, ransomware deployment, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to initial access, payload staging, command and control, and ultimately data theft, system compromise, or ransomware deployment. The scope of impact can range from individual endpoints to entire networks, depending on the attacker's objectives and lateral movement capabilities. Given that LOLBins are commonly used system tools, detecting malicious use requires careful analysis of process execution and network connections. Failure to detect this activity can result in significant financial losses, reputational damage, and operational disruption. Recent campaigns, such as those attributed to Mint Sandstorm, highlight the risk of targeting high-profile individuals at universities and research organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect suspicious downloads from file-sharing websites using LOLBins, ingesting Cisco NVM flow data.\u003c/li\u003e\n\u003cli\u003eMonitor network connections from LOLBins (\u003ccode\u003ecurl.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003emsiexec.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ewmic.exe\u003c/code\u003e) to the listed file-sharing domains in the IOC table.\u003c/li\u003e\n\u003cli\u003eReview and tune the \u003ccode\u003ecisco_nvm___suspicious_download_from_file_sharing_website_filter\u003c/code\u003e macro to reduce false positives based on internal usage patterns.\u003c/li\u003e\n\u003cli\u003eEnable and monitor Cisco Network Visibility Module Flow Data to capture the required network and process context.\u003c/li\u003e\n\u003cli\u003eIngest logs using the Splunk Add-on for Cisco Endpoint Security Analytics (CESA) as described in the \u0026quot;how_to_implement\u0026quot; section, to provide the necessary data for the Sigma rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-05T15:30:00Z","date_published":"2024-01-05T15:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-file-download/","summary":"Detection of suspicious downloads from file sharing and content delivery platforms using living-off-the-land binaries (LOLBins) to identify potential initial access, payload staging, or command and control activity.","title":"Suspicious Download from File Sharing Website via LOLBins","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-file-download/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Chrome","Edge","Brave Browser"],"_cs_severities":["medium"],"_cs_tags":["headless-browser","file-download","cisco-nvm"],"_cs_type":"advisory","_cs_vendors":["Google","Microsoft","Brave Software"],"content_html":"\u003cp\u003eAttackers are increasingly utilizing Chromium-based browsers such as Chrome, Edge, and Brave in headless mode to download files surreptitiously. This technique involves using the \u003ccode\u003e--headless\u003c/code\u003e and \u003ccode\u003e--dump-dom\u003c/code\u003e arguments, allowing attackers to automate browser actions without a graphical user interface. This tactic has been observed in campaigns like DUCKTAIL, where attackers used this method to download content from the internet using direct URLs or file-sharing platforms. This behavior is especially concerning because it can bypass traditional security measures that rely on user interaction. Defenders should be aware of processes spawning headless browsers and monitor for network connections to file-sharing services or unusual IP addresses.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises a system through an initial access vector (e.g., spearphishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a Chromium-based browser (Chrome, Edge, Brave, etc.) from the command line or through a script.\u003c/li\u003e\n\u003cli\u003eThe browser is launched with the \u003ccode\u003e--headless\u003c/code\u003e and \u003ccode\u003e--dump-dom\u003c/code\u003e arguments to run without a GUI and potentially download content.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the browser to access a URL, either a direct IP address or a file-sharing service like Mega.nz or Mediafire.com.\u003c/li\u003e\n\u003cli\u003eThe browser downloads a file from the specified URL or domain.\u003c/li\u003e\n\u003cli\u003eThe downloaded file may be a malicious payload, configuration file, or stolen data.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the downloaded file or uses the data for further exploitation or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to malware infection, data exfiltration, or further compromise of the affected system and network. The use of headless browsers makes detection more challenging, as it mimics legitimate browser activity without the visual cues of a typical user session. The number of victims and specific sectors targeted are currently unknown, but the potential for widespread impact is significant, especially if the downloaded files contain ransomware or other destructive payloads.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for Chromium-based browsers (chrome.exe, msedge.exe, brave.exe) with the \u003ccode\u003e--headless\u003c/code\u003e and \u003ccode\u003e--dump-dom\u003c/code\u003e arguments using the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eInspect network connections from processes matching the above criteria to known file-sharing domains listed in the IOCs.\u003c/li\u003e\n\u003cli\u003eAnalyze command-line arguments of browser processes for direct IP addresses and correlate with network connection logs.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eknown_false_positives\u003c/code\u003e section in the original Splunk detection for tips on tuning the detections.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-headless-browser-download/","summary":"Attackers are leveraging Chromium-based browsers in headless mode with the `--dump-dom` argument to download files from file-sharing services and direct IPs, potentially indicative of reconnaissance or malware delivery.","title":"Suspicious File Download via Headless Browser","url":"https://feed.craftedsignal.io/briefs/2024-01-headless-browser-download/"}],"language":"en","title":"CraftedSignal Threat Feed - Cisco-Nvm","version":"https://jsonfeed.org/version/1.1"}