<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cisco-Nvm - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cisco-nvm/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 05 Jan 2024 15:30:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cisco-nvm/feed.xml" rel="self" type="application/rss+xml"/><item><title>Suspicious Download from File Sharing Website via LOLBins</title><link>https://feed.craftedsignal.io/briefs/2024-01-suspicious-file-download/</link><pubDate>Fri, 05 Jan 2024 15:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-suspicious-file-download/</guid><description>Detection of suspicious downloads from file sharing and content delivery platforms using living-off-the-land binaries (LOLBins) to identify potential initial access, payload staging, or command and control activity.</description><content:encoded><![CDATA[<p>This threat brief addresses the abuse of living-off-the-land binaries (LOLBins) to download malicious payloads from file-sharing websites. Attackers leverage tools like <code>curl.exe</code>, <code>certutil.exe</code>, <code>msiexec.exe</code>, <code>powershell.exe</code>, and <code>wmic.exe</code> to retrieve payloads from public hosting platforms such as GitHub, Discord CDN, Transfer.sh, or Pastebin. This activity often bypasses traditional security measures, blending malicious network traffic with legitimate system processes. The detection outlined here relies on Cisco Network Visibility Module logs to provide network flow activity with process context, including command-line arguments, process path, and parent process information. Identifying this behavior is crucial for preventing initial access, detecting payload staging, and uncovering command and control activities disguised as normal operations. This approach is especially relevant given the increasing sophistication of threat actors and their ability to mask malicious behavior within trusted system processes.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: The attacker gains initial access through an undisclosed method (e.g., compromised account, software vulnerability).</li>
<li>LOLBin Execution: A living-off-the-land binary (e.g., <code>powershell.exe</code>, <code>curl.exe</code>) is executed on the compromised system.</li>
<li>Download Attempt: The LOLBin is used to download a file from a public file-sharing service (e.g., <code>githubusercontent.com</code>, <code>pastebin.com</code>). The command line includes the URL of the hosted payload.</li>
<li>Payload Staging: The downloaded file is saved to a temporary location on the system (e.g., <code>C:\Windows\Temp</code>).</li>
<li>Execution: The downloaded file is executed. This could be a script (e.g., PowerShell, VBScript) or an executable.</li>
<li>Persistence: The attacker establishes persistence by creating a scheduled task, modifying registry keys, or other methods.</li>
<li>Lateral Movement: The attacker uses compromised credentials or exploits vulnerabilities to move laterally to other systems on the network.</li>
<li>Objective Achieved: The attacker achieves their final objective, which could be data exfiltration, ransomware deployment, or other malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to initial access, payload staging, command and control, and ultimately data theft, system compromise, or ransomware deployment. The scope of impact can range from individual endpoints to entire networks, depending on the attacker's objectives and lateral movement capabilities. Given that LOLBins are commonly used system tools, detecting malicious use requires careful analysis of process execution and network connections. Failure to detect this activity can result in significant financial losses, reputational damage, and operational disruption. Recent campaigns, such as those attributed to Mint Sandstorm, highlight the risk of targeting high-profile individuals at universities and research organizations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rules to detect suspicious downloads from file-sharing websites using LOLBins, ingesting Cisco NVM flow data.</li>
<li>Monitor network connections from LOLBins (<code>curl.exe</code>, <code>certutil.exe</code>, <code>msiexec.exe</code>, <code>powershell.exe</code>, <code>wmic.exe</code>) to the listed file-sharing domains in the IOC table.</li>
<li>Review and tune the <code>cisco_nvm___suspicious_download_from_file_sharing_website_filter</code> macro to reduce false positives based on internal usage patterns.</li>
<li>Enable and monitor Cisco Network Visibility Module Flow Data to capture the required network and process context.</li>
<li>Ingest logs using the Splunk Add-on for Cisco Endpoint Security Analytics (CESA) as described in the &quot;how_to_implement&quot; section, to provide the necessary data for the Sigma rules.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>lolbin</category><category>file-sharing</category><category>cisco-nvm</category></item><item><title>Suspicious File Download via Headless Browser</title><link>https://feed.craftedsignal.io/briefs/2024-01-headless-browser-download/</link><pubDate>Wed, 03 Jan 2024 18:23:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-headless-browser-download/</guid><description>Attackers are leveraging Chromium-based browsers in headless mode with the `--dump-dom` argument to download files from file-sharing services and direct IPs, potentially indicative of reconnaissance or malware delivery.</description><content:encoded><![CDATA[<p>Attackers are increasingly utilizing Chromium-based browsers such as Chrome, Edge, and Brave in headless mode to download files surreptitiously. This technique involves using the <code>--headless</code> and <code>--dump-dom</code> arguments, allowing attackers to automate browser actions without a graphical user interface. This tactic has been observed in campaigns like DUCKTAIL, where attackers used this method to download content from the internet using direct URLs or file-sharing platforms. This behavior is especially concerning because it can bypass traditional security measures that rely on user interaction. Defenders should be aware of processes spawning headless browsers and monitor for network connections to file-sharing services or unusual IP addresses.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker compromises a system through an initial access vector (e.g., spearphishing, exploit).</li>
<li>The attacker executes a Chromium-based browser (Chrome, Edge, Brave, etc.) from the command line or through a script.</li>
<li>The browser is launched with the <code>--headless</code> and <code>--dump-dom</code> arguments to run without a GUI and potentially download content.</li>
<li>The attacker uses the browser to access a URL, either a direct IP address or a file-sharing service like Mega.nz or Mediafire.com.</li>
<li>The browser downloads a file from the specified URL or domain.</li>
<li>The downloaded file may be a malicious payload, configuration file, or stolen data.</li>
<li>The attacker executes the downloaded file or uses the data for further exploitation or lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to malware infection, data exfiltration, or further compromise of the affected system and network. The use of headless browsers makes detection more challenging, as it mimics legitimate browser activity without the visual cues of a typical user session. The number of victims and specific sectors targeted are currently unknown, but the potential for widespread impact is significant, especially if the downloaded files contain ransomware or other destructive payloads.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process creation events for Chromium-based browsers (chrome.exe, msedge.exe, brave.exe) with the <code>--headless</code> and <code>--dump-dom</code> arguments using the provided Sigma rules.</li>
<li>Inspect network connections from processes matching the above criteria to known file-sharing domains listed in the IOCs.</li>
<li>Analyze command-line arguments of browser processes for direct IP addresses and correlate with network connection logs.</li>
<li>Review the <code>known_false_positives</code> section in the original Splunk detection for tips on tuning the detections.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>headless-browser</category><category>file-download</category><category>cisco-nvm</category></item></channel></rss>