Command and Control — CraftedSignal Threat Feed

Windows Port Forwarding Rule Addition via Registry Modification

hello@craftedsignal.io — Mon, 04 May 2026 14:17:05 +0000

Attackers may configure port forwarding rules to bypass network segmentation restrictions, effectively using the compromised host as a jump box to access previously unreachable systems. This involves modifying the registry to redirect incoming TCP connections from a local port to another port or a remote computer. The technique is typically employed post-compromise to facilitate lateral movement and maintain unauthorized access within the network. This activity is detected by monitoring changes to the HKLM\SYSTEM\*ControlSet*\Services\PortProxy\v4tov4\ registry subkeys.

Attack Chain

The attacker gains initial access to the target system through an exploit or compromised credentials.
The attacker executes a command-line interface (e.g., cmd.exe or powershell.exe) with administrative privileges.
The attacker uses reg.exe or PowerShell’s Set-ItemProperty cmdlet to modify the HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\ registry key.
The attacker configures a new port forwarding rule by creating a new subkey under v4tov4\ with specific settings for the local port, remote address, and remote port.
The attacker sets the ListenAddress, ListenPort, ConnectAddress, and ConnectPort values within the new subkey.
The attacker verifies the successful creation and activation of the port forwarding rule using netsh interface portproxy show v4tov4.
The attacker leverages the newly created port forwarding rule to tunnel traffic through the compromised host, bypassing network segmentation.
The attacker uses the proxied connection to access internal resources and conduct further attacks, such as lateral movement or data exfiltration.

Impact

Successful exploitation enables attackers to bypass network segmentation restrictions, leading to unauthorized access to internal systems and data. This can facilitate lateral movement, data exfiltration, and further compromise of the network. The severity of the impact depends on the sensitivity of the accessible resources and the extent of the attacker’s lateral movement.

Recommendation

Enable Sysmon registry event logging to capture modifications to the HKLM\SYSTEM\*ControlSet*\Services\PortProxy\v4tov4\ registry subkeys, enabling detection of malicious port forwarding rule additions.
Deploy the Sigma rule “Port Forwarding Rule Addition via Registry Modification” to your SIEM to detect suspicious registry modifications related to port forwarding.
Investigate any alerts generated by the Sigma rule, focusing on identifying the process execution chain and the user account that performed the action.
Regularly review and audit existing port forwarding rules to identify and remove any unauthorized or suspicious configurations.

Detection of VScode Remote Tunneling for Command and Control

hello@craftedsignal.io — Mon, 04 May 2026 14:17:05 +0000

This detection focuses on identifying the misuse of Visual Studio Code’s (VScode) remote tunnel feature to establish unauthorized access or control over systems. While the VScode remote tunnel feature is designed to allow developers to connect to remote environments seamlessly, attackers can abuse this functionality for malicious purposes. The rule specifically looks for the execution of the VScode portable binary with the “tunnel” command-line option, which is indicative of an attempt to establish a remote tunnel session to either GitHub or a remote VScode instance. Successful exploitation can lead to command and control capabilities, allowing attackers to remotely manage and compromise the affected system. The rule aims to detect this suspicious behavior by monitoring process execution and command-line arguments.

Attack Chain

The attacker gains initial access to the target system through unspecified means.
The attacker downloads a portable version of Visual Studio Code (VScode) onto the compromised system.
The attacker executes the VScode binary with the tunnel command-line argument to initiate a remote tunnel session.
The attacker specifies additional arguments such as --accept-server-license-terms to bypass license agreement prompts.
The VScode tunnel attempts to establish a connection to a remote server, potentially a GitHub repository or a remote VScode instance controlled by the attacker.
If successful, the tunnel creates a persistent connection, allowing the attacker to execute commands and transfer files.
The attacker uses the established tunnel to remotely access the compromised system, enabling them to perform malicious activities such as data exfiltration or lateral movement.
The attacker maintains persistent access through the established tunnel, allowing for long-term command and control of the compromised system.

Impact

Successful exploitation allows attackers to establish a persistent command and control channel, enabling them to remotely manage the compromised system. This can lead to data theft, deployment of ransomware, or further lateral movement within the network. While the number of potential victims and specific sectors targeted are not explicitly stated, the widespread use of VScode makes a wide range of organizations vulnerable.

Recommendation

Deploy the “Attempt to Establish VScode Remote Tunnel” rule to detect suspicious VScode tunnel activity in your environment.
Enable Sysmon process-creation logging to capture the necessary process execution data.
Investigate any alerts triggered by the rule, focusing on the command-line arguments and process behaviors to confirm malicious intent.
Monitor network connections originating from VScode processes for unusual or unauthorized connections to external servers.
Review and whitelist legitimate uses of VScode’s tunnel feature by authorized developers to reduce false positives.

Potential File Download via a Headless Browser

hello@craftedsignal.io — Mon, 06 Apr 2026 15:34:19 +0000

This detection identifies potential file downloads via headless browsers on Windows systems. Attackers abuse headless browser capabilities (chrome.exe, msedge.exe, brave.exe, browser.exe, dragon.exe, vivaldi.exe) to download files, proxy traffic, and bypass application control policies. The technique leverages trusted, signed binaries to evade security restrictions, effectively using the browser as a covert download tool. The activity is characterized by a headless browser being launched from a suspicious parent process, such as a script host, Office application, or command shell, with arguments that facilitate scripted content retrieval like --headless*, --dump-dom, *http*, and data:text/html;base64,*. Defenders should monitor for such anomalous browser behavior to identify and prevent malicious file downloads.

Attack Chain

A user unknowingly executes a malicious script or document (e.g., via phishing or drive-by download).
The script (e.g., PowerShell, VBScript) or document macro initiates a process, such as cmd.exe or powershell.exe.
The parent process spawns a headless browser instance (chrome.exe, msedge.exe, etc.) with the --headless argument.
Additional arguments are passed to the headless browser to specify a URL for download or base64 encoded content (--dump-dom *http*, data:text/html;base64,*).
The headless browser retrieves the content from the specified URL or decodes the base64 data.
The browser saves the downloaded content to disk, often in a user-writable directory.
The initial script or document executes the downloaded file or uses it for further malicious activities.
The attacker achieves their objective, such as establishing persistence, exfiltrating data, or deploying ransomware.

Impact

Successful exploitation can lead to arbitrary code execution, data compromise, and system compromise. Attackers can use this technique to download malware, bypass security controls, and establish a foothold in the compromised system. The impact can range from individual workstation compromise to large-scale network infiltration, depending on the attacker’s objectives and the privileges of the compromised user.

Recommendation

Deploy the Sigma rules in this brief to your SIEM to detect suspicious headless browser activity, tuning for your environment.
Enable process creation logging and command-line auditing to capture the necessary data for the Sigma rules.
Investigate alerts generated by the Sigma rules, focusing on the parent process, browser arguments, and downloaded file artifacts.
Review and harden application control policies to restrict the execution of headless browsers from suspicious parent processes.
Monitor network connections from headless browsers to identify potential command and control traffic or data exfiltration attempts.

DNS Queries to RMM Domains from Non-Browser Processes

hello@craftedsignal.io — Tue, 24 Mar 2026 12:00:00 +0000

This brief focuses on the abuse of legitimate Remote Monitoring and Management (RMM) software by threat actors. RMM tools are often used for legitimate IT administration but can be leveraged for malicious purposes such as command and control, persistence, and lateral movement within a compromised network. This activity is identified by detecting DNS queries to a list of known RMM service domains originating from processes that are not typical web browsers. This behavior indicates that an RMM client, script, or other non-browser application is attempting to communicate with an RMM service. The detection rule was published on 2026-03-23 by Elastic and aims to surface unauthorized or malicious use of RMM tools within an organization. It is crucial to differentiate between legitimate and malicious RMM usage by analyzing the context of these DNS queries.

Attack Chain

An attacker gains initial access to a Windows system through an unknown method.
The attacker installs or deploys a legitimate RMM tool or a modified version.
The RMM agent is configured to communicate with the attacker’s command and control infrastructure.
A non-browser process (e.g., a script or a standalone executable) initiates a DNS query to resolve an RMM domain (e.g., teamviewer.com, anydesk.com).
The DNS query is resolved, establishing a network connection between the compromised system and the RMM service or attacker-controlled server.
The attacker leverages the RMM tool to execute commands, transfer files, and maintain persistent access to the compromised system.
The attacker performs lateral movement to other systems within the network, utilizing the RMM tool for remote administration.
The attacker achieves their objective, such as data exfiltration or ransomware deployment, using the established RMM connection.

Impact

Compromise via RMM tools can lead to significant damage, including unauthorized access to sensitive data, disruption of business operations, and potential ransomware attacks. Successful exploitation allows attackers to maintain persistent access and control over affected systems, facilitating lateral movement and further malicious activities. The widespread use of RMM tools in various sectors makes this a broad threat. The impact can range from a single compromised workstation to the complete takeover of an organization’s IT infrastructure.

Recommendation

Deploy the provided Sigma rule to your SIEM to detect DNS queries to RMM domains from non-browser processes and tune for your environment.
Review the IOC list of RMM domains and block any unauthorized RMM services at your DNS resolver.
Investigate any alerts generated by the Sigma rule by examining the process tree and verifying the legitimacy of the process initiating the DNS query.
Implement application control policies to restrict the execution of unauthorized RMM tools on your endpoints.
Enable Sysmon DNS event logging to activate the rules above.

Kimsuky Malware Using Dropbox API for Command and Control

hello@craftedsignal.io — Thu, 19 Mar 2026 12:00:00 +0000

Kimsuky, a North Korean APT group, has been observed utilizing malware that leverages the Dropbox API for command and control (C2). This allows the malware to blend in with legitimate network traffic, making detection more challenging. The malware uses the Dropbox API to upload stolen data and download commands from the attackers. This method provides a covert channel for exfiltration and control, bypassing traditional network-based security measures. The group has been known to target South Korean entities, but the scope of targeting may extend beyond this region. This technique has been observed starting in early 2026.

Attack Chain

Initial access is gained through an unconfirmed vector, such as spear phishing or watering hole attacks, delivering an initial downloader.
The downloader executes and establishes persistence, potentially by creating scheduled tasks or modifying registry keys.
The malware initializes the Dropbox API, authenticating with stolen or embedded API keys.
The malware enumerates files on the compromised system, targeting documents, credentials, and other sensitive data.
Stolen data is compressed and encrypted before being uploaded to a designated Dropbox folder controlled by the attacker, using the Dropbox API.
The malware periodically checks the attacker’s Dropbox folder for new commands, also using the Dropbox API.
Downloaded commands are decrypted and executed on the compromised system, enabling actions such as remote code execution or further data exfiltration.
The cycle of data exfiltration and command execution continues, allowing the attacker to maintain persistent access and control over the compromised system.

Impact

Successful attacks can lead to significant data breaches, intellectual property theft, and espionage. Kimsuky’s targeting of South Korean entities suggests a focus on political and strategic intelligence gathering. The use of Dropbox as a C2 channel allows the attackers to remain undetected for extended periods, maximizing the impact of the compromise. The number of victims is currently unknown, but the potential for widespread compromise is high.

Recommendation

Monitor network traffic for unusual API calls to Dropbox, especially from unknown or suspicious processes (see: “Detect Suspicious Dropbox API Usage” Sigma rule).
Implement strict access controls and monitoring for Dropbox API usage within the organization.
Investigate and block any suspicious processes attempting to access Dropbox API endpoints.
Deploy the Sigma rules in this brief to your SIEM and tune for your environment.

Powercat PowerShell Implementation Detection

hello@craftedsignal.io — Mon, 04 Nov 2024 14:27:00 +0000

Powercat is a PowerShell script that functions similarly to the traditional Netcat utility, allowing for network communication using TCP and UDP. Attackers can use Powercat to establish reverse shells, transfer files, and perform port scanning within a compromised environment. This activity is often employed during post-exploitation phases to maintain access and propagate further into the network. Defenders should be aware of PowerShell scripts invoking Powercat, especially in environments…

Suspicious ScreenConnect Client Child Process Activity

hello@craftedsignal.io — Thu, 16 May 2024 16:10:00 +0000

This threat brief focuses on the detection of suspicious activities related to the ScreenConnect remote access tool. ScreenConnect is a legitimate remote support software, but adversaries can exploit it to execute unauthorized commands on compromised systems. This detection identifies suspicious child processes spawned by ScreenConnect client processes, such as ScreenConnect.ClientService.exe or ScreenConnect.WindowsClient.exe, which can indicate malicious activities such as spawning PowerShell or cmd.exe with unusual arguments. This activity can indicate potential abuse of remote access capabilities, leading to data exfiltration, command and control communication, or the establishment of persistence mechanisms. Recent exploitation of CVE-2024-1709 and CVE-2024-1708 have highlighted the risk associated with ScreenConnect exploitation.

Attack Chain

The attacker gains unauthorized access to a system with ScreenConnect installed. This could be achieved through exploiting vulnerabilities like CVE-2024-1709 and CVE-2024-1708, or through credential compromise.
The attacker uses ScreenConnect to connect to the compromised system remotely.
The attacker uses the ScreenConnect interface to execute commands on the remote system.
The attacker spawns a command interpreter, such as cmd.exe, using ScreenConnect. This process is a child process of the ScreenConnect client process.
The attacker uses cmd.exe to execute malicious commands, such as downloading and executing a malicious payload.
Alternatively, the attacker spawns powershell.exe with encoded commands or commands to download and execute malicious payloads from a remote server.
The attacker establishes persistence by creating a scheduled task using schtasks.exe or creates a new service using sc.exe.
The attacker uses tools like net.exe to modify user accounts or privileges to maintain access to the compromised system.

Impact

Successful exploitation can lead to unauthorized access to sensitive data, installation of malware, and establishment of persistent access to the compromised system. This can result in data theft, disruption of services, and further lateral movement within the network. The number of victims and specific sectors targeted varies depending on the attacker’s objectives, but the impact can be significant for organizations relying on ScreenConnect for remote support.

Recommendation

Deploy the Sigma rules provided in this brief to your SIEM to detect suspicious child processes spawned by ScreenConnect and tune for your environment.
Monitor process creation events for ScreenConnect client processes spawning suspicious child processes like powershell.exe, cmd.exe, net.exe, schtasks.exe, sc.exe, rundll32.exe, mshta.exe, certutil.exe, wscript.exe, cscript.exe, curl.exe, ssh.exe, scp.exe, wevtutil.exe, wget.exe, or wmic.exe as detailed in the Sigma rules.
Enable Sysmon process-creation logging to capture the necessary process execution data to activate the rules above.
Review and revoke any unauthorized user accounts or privileges that may have been created or modified using tools like net.exe as described in the attack chain.

GenAI Process Connection to Unusual Domain on macOS

hello@craftedsignal.io — Thu, 02 May 2024 14:22:30 +0000

This threat brief addresses the risk of GenAI tools on macOS connecting to unusual domains, which may indicate a compromised state. Attackers can exploit GenAI tools through prompt injection, malicious MCP (Model Context Protocol) servers, or poisoned plugins to establish command-and-control (C2) channels or exfiltrate sensitive data. Given the network access capabilities of AI agents, adversaries may manipulate them to beacon to external servers, download malicious payloads, or transmit harvested credentials and documents. The Elastic detection rule 9050506c-df6d-4bdf-bc82-fcad0ef1e8c1 focuses on identifying such anomalous network connections originating from a predefined list of GenAI processes, excluding known legitimate domains. The rule has been actively maintained since its creation on December 4, 2025, with its latest update on April 29, 2026.

Attack Chain

Adversary compromises a GenAI tool on a macOS system through prompt injection, malicious MCP servers, or poisoned plugins.
The compromised GenAI tool is configured to connect to an attacker-controlled domain for C2.
The GenAI process initiates a network connection attempt to the unusual domain using standard web protocols (HTTP/HTTPS).
The macOS system’s network stack resolves the attacker’s domain to its corresponding IP address.
The GenAI process sends data to the attacker-controlled domain, potentially including sensitive information.
The attacker uses the C2 channel to send commands to the compromised GenAI tool.
The GenAI tool executes the commands, potentially leading to further compromise or data exfiltration.

Impact

Compromised GenAI tools can lead to data exfiltration, unauthorized access to sensitive information, and the establishment of persistent C2 channels within an organization’s network. The impact ranges from the loss of intellectual property and customer data to the potential disruption of business operations. The risk is amplified if the GenAI tool has access to internal systems or sensitive data stores, allowing attackers to pivot and escalate their attacks.

Recommendation

Deploy the Sigma rule “GenAI Process Connecting to Unusual Domain” to your SIEM and tune for your environment (see rule below).
Enable process creation and network connection logging on macOS endpoints to collect the data required for the Sigma rule.
Investigate any alerts generated by the Sigma rule to determine the legitimacy of the domain and the GenAI process’s behavior.
Block any identified malicious domains at the network level (see query in the provided source).
Review the GenAI tool’s configuration for unauthorized MCP servers, plugins, or extensions that initiated the connection.
Regularly update the list of allowed domains in the Sigma rule’s filter to account for legitimate updates to GenAI tool infrastructure.

MsXsl.exe Network Connection for Defense Evasion

hello@craftedsignal.io — Tue, 30 Jan 2024 10:00:00 +0000

MsXsl.exe is a Windows utility designed to transform XML data using XSLT stylesheets. Adversaries are known to abuse this utility to execute malicious scripts, bypassing application control and other security measures. This behavior is often used as a defense evasion technique to download or execute malicious payloads. This activity has been observed since at least March 2020. The abuse of msxsl.exe allows attackers to establish command and control or exfiltrate sensitive data without being easily detected, as the tool is a signed Microsoft binary. This matters for defenders because it highlights the need to monitor legitimate system utilities for anomalous behavior, specifically network connections to external IP addresses.

Attack Chain

An attacker gains initial access to a Windows system through unspecified means.
The attacker leverages msxsl.exe to execute a malicious script.
Msxsl.exe initiates a network connection to an external IP address.
The script downloads a malicious payload from the external server.
The downloaded payload is executed on the compromised system.
The attacker establishes a command and control channel through the network connection.
The attacker performs data exfiltration via the established C2 channel.

Impact

Compromised systems can be used for further malicious activities, including data theft, lateral movement, and deployment of additional malware. Successful exploitation can lead to sensitive data exfiltration, disruption of services, or complete system compromise. The low risk score does not represent impact, but instead reflects that the behavior is not always malicious, and may be a feature of normal software operation.

Recommendation

Enable Sysmon network connection logging to monitor msxsl.exe network activity.
Deploy the Sigma rule “Network Connection via MsXsl” to your SIEM and tune for your environment to detect suspicious network connections originating from msxsl.exe.
Investigate any alerts generated by the Sigma rule, focusing on the destination IP address and the parent process of msxsl.exe.
Whitelist legitimate uses of msxsl.exe in your environment based on known good processes or applications to reduce false positives.

Potential Abuse of Certreq for File Transfer via HTTP POST

hello@craftedsignal.io — Sun, 28 Jan 2024 20:47:00 +0000

The Windows Certreq utility is a command-line tool used for managing certificates. Adversaries may abuse Certreq to download files from or upload data to a remote server by initiating an HTTP POST request. This behavior can be used for command and control (C2) or exfiltration. This technique leverages a legitimate system binary (LOLBin) to evade detection. Elastic has observed this behavior being detected through multiple data sources including Elastic Defend, Microsoft Defender XDR, Sysmon, SentinelOne, and Crowdstrike. This is a cross-industry threat that can affect any organization using Windows.

Attack Chain

An attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).
The attacker executes Certreq.exe with the -Post argument to initiate an HTTP POST request.
The Certreq process attempts to connect to a remote server to send or receive data.
The remote server responds to the Certreq request, potentially delivering a file or receiving exfiltrated data.
The downloaded file is saved to disk (if applicable).
The attacker may execute the downloaded file or further process the exfiltrated data.
The attacker may attempt to clean up the Certreq command from command history or logs to evade detection.

Impact

Successful exploitation could lead to the download and execution of malicious payloads, potentially compromising the affected system and network. Alternatively, sensitive data could be exfiltrated from the target environment. The impact can range from data theft and system compromise to full network intrusion, depending on the attacker’s objectives and the data accessed. The severity is medium because Certreq is a legitimate tool, and its abuse requires specific command-line arguments and network activity.

Recommendation

Deploy the Sigma rule “Detect Certreq HTTP Post Request” to your SIEM to identify potential abuse of Certreq for file transfer.
Enable Sysmon process creation logging (Event ID 1) to capture the execution of Certreq.exe and its command-line arguments, enabling detections.
Monitor network connections originating from Certreq.exe for unusual destinations or data transfer patterns using network connection logs.
Investigate any instances of Certreq.exe executing with the -Post argument, as this is not typical usage of the utility.

Remote File Download via Script Interpreter

hello@craftedsignal.io — Sun, 28 Jan 2024 12:00:00 +0000

Attackers commonly use Windows Script Host (WSH) scripts as an initial access method or to download tools and utilities. This involves using built-in Windows script interpreters like cscript.exe or wscript.exe to download executable files from remote destinations. This behavior is significant because it allows attackers to bypass traditional defenses and establish a foothold in the system or download further tools. Defenders should monitor for suspicious network connections initiated by script interpreters followed by the creation of executable files on the system.

Attack Chain

An attacker gains initial access to a Windows system (delivery mechanism not specified in source).
The attacker executes a script using cscript.exe or wscript.exe.
The script interpreter makes an outbound network connection to a remote server.
The remote server hosts a malicious executable file (e.g., .exe, .dll).
The script downloads the malicious executable to the compromised system.
The downloaded file is saved to disk.
The attacker executes the downloaded malicious file to establish persistence or further compromise the system.
The attacker performs additional actions, such as lateral movement or data exfiltration (not detailed in the source).

Impact

Successful exploitation can lead to the installation of malware, unauthorized access to sensitive data, and further compromise of the affected system. This can result in data breaches, financial losses, and reputational damage. The source does not contain specific victim numbers or sectors targeted.

Recommendation

Deploy the Sigma rule “Remote File Download via Script Interpreter - File Creation” to your SIEM to detect the creation of executable files after network activity from cscript.exe or wscript.exe.
Deploy the Sigma rule “Remote File Download via Script Interpreter - Network Connection” to detect network connections from cscript.exe or wscript.exe.
Enable Sysmon Event ID 3 (Network Connection) and Event ID 11 (File Create) for enhanced visibility into network and file activity related to script interpreters.

Unusual Network Connection via RunDLL32

hello@craftedsignal.io — Fri, 26 Jan 2024 10:00:00 +0000

Attackers often abuse the rundll32.exe utility to execute malicious Dynamic Link Libraries (DLLs), blending their activity with legitimate system operations. This detection identifies instances where rundll32.exe establishes outbound network connections, particularly when executed without command-line arguments. Such behavior deviates from typical usage and may indicate command and control (C2) activity or other malicious actions. The rule is designed to detect command and control activity where adversaries are using rundll32.exe without arguments to make external network connections. The rule uses data from Elastic Defend, Sysmon, and SentinelOne to detect this behavior. The rule specifically excludes connections to well-known private and reserved IP ranges to reduce false positives.

Attack Chain

An attacker gains initial access to a Windows system, possibly through phishing or exploiting a software vulnerability.
The attacker attempts to execute a malicious DLL using rundll32.exe without specifying arguments, which is an anomaly.
rundll32.exe is invoked with a command line resembling: rundll32.exe .
The malicious DLL initiates an outbound network connection to an external IP address.
The network connection attempts to bypass firewall rules by masquerading as a legitimate system process.
The attacker uses this connection to establish a command and control channel.
Data exfiltration or further exploitation activities occur over the established C2 channel.
The attacker achieves their final objective, such as data theft, ransomware deployment, or system compromise.

Impact

Successful exploitation allows attackers to establish command and control channels on compromised systems, leading to potential data exfiltration, lateral movement within the network, and deployment of ransomware. This can result in significant financial losses, reputational damage, and disruption of business operations. The impact is broad, affecting any Windows environment where rundll32.exe is used.

Recommendation

Deploy the Sigma rule Detect Unusual Network Connection via RunDLL32 to your SIEM and tune for your environment to detect unusual network connections made by rundll32.exe.
Enable Sysmon process creation and network connection logging to capture necessary events for the Sigma rule.
Investigate any alerts generated by the Sigma rule, focusing on the parent processes of rundll32.exe and the destination IP addresses of the network connections.
Review and harden firewall rules to prevent unauthorized outbound connections from system processes like rundll32.exe.
Implement application control policies to restrict the execution of unsigned or untrusted DLLs via rundll32.exe.

First Time Seen Remote Monitoring and Management Tool Execution

hello@craftedsignal.io — Wed, 24 Jan 2024 12:00:00 +0000

Attackers commonly abuse legitimate remote monitoring and management (RMM) tools and remote access software for command and control (C2), persistence, and execution of native commands on compromised endpoints. These tools provide attackers with the ability to maintain access, execute commands, and move laterally within a network. This detection identifies when a process associated with commonly abused RMM/remote access tools is observed for the first time on a host. The rule is designed to trigger when a new process name or code signature associated with RMM software, or a child process of such software, is seen within a configured history window. This helps defenders quickly identify potentially malicious use of legitimate tools.

Attack Chain

Initial Access: The attacker gains initial access to a target system through various methods, such as exploiting vulnerabilities or using compromised credentials.
Tool Deployment: The attacker deploys a remote monitoring and management (RMM) tool or remote access software on the compromised endpoint. This may involve downloading and installing the tool, or exploiting existing installations.
Persistence: The RMM tool is configured to run persistently on the system, ensuring that the attacker maintains access even after a reboot or other disruption. This may involve creating a service or adding a registry key to ensure the tool starts automatically.
Command and Control: The attacker uses the RMM tool to establish a command and control (C2) channel with the compromised system. This allows them to remotely execute commands, transfer files, and monitor activity on the system.
Lateral Movement: Using the RMM tool, the attacker moves laterally within the network, compromising additional systems and escalating their access. This may involve using the tool to access shared resources or execute commands on other systems.
Data Exfiltration or Ransomware Deployment: The attacker uses their access to exfiltrate sensitive data from the compromised network or deploy ransomware to encrypt files and demand a ransom payment.
Cleanup: The attacker may attempt to remove traces of their activity, such as logs or files associated with the RMM tool, to avoid detection.

Impact

Compromise via RMM tools can lead to significant data breaches, financial losses, and reputational damage. The use of legitimate tools makes detection more difficult. Successful attacks can result in ransomware deployment, data theft, and prolonged unauthorized access to sensitive systems. Organizations in all sectors are potentially at risk.

Recommendation

Deploy the process creation rule to detect the execution of RMM tools on endpoints based on process.name and process.code_signature.subject_name criteria in the query.
Enable Sysmon process creation logging (Event ID 1) to ensure the collection of necessary event data for the detection rule.
Investigate any alerts generated by the detection rule to determine whether the execution of the RMM tool is authorized and legitimate. Refer to the references for a list of commonly abused RMM tools and associated indicators.

Curl or Wget Execution from Container Context

hello@craftedsignal.io — Tue, 23 Jan 2024 12:00:00 +0000

This detection rule identifies instances of curl or wget being executed from within containers managed by runc on Linux systems. The rule leverages Auditd Manager to monitor system calls and flags processes running with the title runc init that then execute curl or wget. This activity is noteworthy because attackers often use these tools to download malicious payloads (stagers, scripts, implants) or to exfiltrate data after compromising a container. While these tools can be used legitimately within containers, their execution in the context of runc init suggests a higher risk of malicious activity. The rule focuses on narrowing the signal to the container runtime boundary where unexpected download clients are more worthy of review. The rule specifically leverages Auditd Manager for data collection.

Attack Chain

An attacker gains initial access to a host system, possibly through exploiting a vulnerability in an application running outside the container (e.g., web application).
The attacker identifies a containerized application running on the compromised host.
The attacker exploits a vulnerability within the container, or abuses a privileged workload within the container, to gain elevated privileges or code execution within the container.
The attacker uses curl or wget to download additional tools or scripts into the container. These tools might include reverse shells, credential dumping tools, or data exfiltration utilities.
The attacker executes the downloaded tools to further compromise the container or the underlying host.
The attacker uses curl or wget to stage data for exfiltration to an external server. This may involve compressing and encoding data before transmission.
The attacker initiates the data exfiltration process using curl or wget to send the staged data to a remote server controlled by the attacker.
The attacker achieves their final objective, which could include data theft, system disruption, or further lateral movement within the network.

Impact

Compromised containers can lead to data breaches, service disruptions, and further attacks on internal systems. Successful exploitation could allow attackers to steal sensitive data, install malware, or pivot to other parts of the network, impacting confidentiality, integrity, and availability. The number of affected systems depends on the scope of the container deployment and the privileges granted to the compromised container.

Recommendation

Deploy the Sigma rule Detect Curl or Wget Execution from Container Context to your SIEM and tune for your environment.
Enable Auditd Manager with syscall coverage including execve to capture process execution and arguments within containers, as mentioned in the rule’s setup instructions.
Correlate alerts from this rule with network logs to identify the destination IP addresses and domains contacted by the compromised container.
Baseline trusted images and exclude stable image digests or namespaces when noisy to reduce false positives, as suggested in the rule’s false positives section.

Uncommon Destination Port Connection by Web Server on Linux

hello@craftedsignal.io — Tue, 09 Jan 2024 18:28:00 +0000

This detection rule focuses on identifying potentially malicious activity stemming from Linux-based web servers. The rule is triggered when a web server process, such as Apache, Nginx, or others, initiates an outbound network connection to a destination port that is considered non-standard. This activity can signal the presence of a web shell, a malicious script uploaded to a web server to enable remote access and control. Attackers may exploit compromised web servers to establish covert communication channels, exfiltrate data, or launch further attacks on internal systems. The rule leverages data from Elastic Defend to monitor network connections and filter out legitimate traffic based on a predefined list of common ports and internal IP ranges.

Attack Chain

Initial access is gained via exploitation of a vulnerability in a web application or web server component running on a Linux system (e.g., through SQL injection or remote code execution).
A web shell is uploaded to the compromised web server, often disguised as a legitimate file or hidden within existing directories.
The attacker interacts with the web shell through HTTP requests, using it as a command and control interface.
The web shell executes commands on the server, initiating outbound network connections to non-standard ports.
These connections may be used to communicate with external C2 servers, download additional payloads, or exfiltrate sensitive data.
The attacker uses the web shell to move laterally within the network, targeting other systems and services.
The attacker attempts to establish persistence on the compromised server, ensuring continued access even after system reboots.
The final objective is data theft, system compromise, or disruption of services.

Impact

Compromised web servers can lead to significant data breaches, system downtime, and reputational damage. While this rule triggers on low-severity behavior, successful exploitation can lead to complete system compromise. The number of affected systems depends on the scope of the initial vulnerability and the attacker’s ability to move laterally. Organizations in all sectors that rely on web-based applications are potentially at risk.

Recommendation

Deploy the provided Sigma rule to your SIEM to detect web server processes initiating connections to unusual destination ports and tune for your environment.
Enable Elastic Defend integration to collect the necessary network event data from Linux endpoints to activate the rule.
Review and customize the list of excluded destination ports and internal IP ranges in the Sigma rule to match your organization’s specific network configuration and legitimate traffic patterns.
Investigate any alerts generated by the rule to determine if the activity is malicious or benign, focusing on the process name, user, destination IP, and destination port.

Potential DGA Activity Detected by Machine Learning

hello@craftedsignal.io — Tue, 09 Jan 2024 15:00:00 +0000

This brief describes a detection of potential DGA (Domain Generation Algorithm) activity identified by an Elastic machine learning job. DGAs are often used by malware for command and control (C2) communication, generating domain names dynamically to evade detection. The machine learning job, dga_high_sum_probability_ea, analyzes DNS requests to identify source IP addresses that exhibit a high probability of DGA activity. This detection relies on the DGA Detection integration, which includes an ML-based framework to detect DGA activity in DNS events. The integration requires Fleet and DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. This activity matters for defenders because successful DGA-based C2 channels can allow malware to maintain communication and control even when individual malicious domains are blocked.

Attack Chain

The attacker compromises a host within the network, potentially through unpatched vulnerabilities or social engineering.
Malware is deployed on the compromised host. This malware contains a DGA.
The malware uses the DGA to generate a list of potential domain names.
The compromised host initiates DNS requests to resolve the generated domain names.
The DNS requests are sent to internal or external DNS servers.
The machine learning job dga_high_sum_probability_ea analyzes the DNS requests, specifically looking for source IPs with a high aggregate probability of generating DGA domains.
If the anomaly score exceeds the threshold (70), an alert is triggered.
The malware successfully establishes a C2 channel with a dynamically generated domain, enabling further malicious activities such as data exfiltration or lateral movement.

Impact

The successful exploitation of DGA-based command and control can lead to persistent malware infections, data exfiltration, and further compromise of systems within the network. While the severity is rated low, the potential impact can escalate quickly if the C2 channel is used for more damaging activities. This detection focuses on identifying potential DGA activity, enabling security teams to investigate and prevent further damage.

Recommendation

Ensure the DGA Detection integration is installed and properly configured, including the machine learning job dga_high_sum_probability_ea (references: Elastic DGA Detection documentation, prebuilt ML jobs).
Verify that DNS events are being collected by Elastic Defend, Network Packet Capture, or Packetbeat and that the data view used by the machine learning job includes these events (references: Elastic Defend, Network Packet Capture, Packetbeat).
Tune the anomaly threshold (currently 70) in the machine learning job based on your environment to reduce false positives and ensure timely detection of DGA activity.
Review and implement the triage and analysis steps outlined in the rule’s note section, focusing on identifying the source IP, analyzing DNS request patterns, and cross-referencing domains with threat intelligence feeds.

MSBuild Making Network Connections Indicating Potential Defense Evasion

hello@craftedsignal.io — Tue, 09 Jan 2024 12:00:00 +0000

Attackers may abuse the Microsoft Build Engine (MSBuild) to execute malicious files or masquerade as legitimate utilities to bypass detections and evade defenses. MSBuild is a platform for building applications using an XML schema for project files that controls how the build platform processes and builds software. The observed behavior involves MsBuild.exe initiating outbound network connections, which is not typical for its intended use and may indicate unauthorized code execution or command and control activity. This activity can be used to download malicious payloads, exfiltrate data, or establish a reverse shell. Detecting this behavior is crucial as it can be an early indicator of compromise.

Attack Chain

Attacker gains initial access through an external vector (e.g., phishing, software vulnerability).
Attacker executes MsBuild.exe.
MSBuild executes a malicious project file (.csproj, .vbproj).
The project file contains embedded or referenced code (e.g., C#, VB.NET) designed to perform malicious actions.
The malicious code executes, initiating a network connection.
The network connection is established to an external command and control (C2) server or a resource hosting a malicious payload.
Data exfiltration or payload download occurs via the network connection.
The attacker gains further control over the compromised system, potentially leading to lateral movement or data theft.

Impact

Compromised systems can lead to data breaches, system instability, and further propagation of malware within the network. Successful exploitation can result in sensitive information being stolen, disruption of services, and potential financial losses. This activity can be difficult to detect without specific monitoring rules and can lead to extended dwell time for attackers within the compromised environment.

Recommendation

Deploy the Sigma rule MSBuild Making Outbound Network Connection to your SIEM to detect suspicious network connections initiated by MsBuild.exe.
Investigate any alerts generated by the Sigma rule, focusing on the destination IP addresses and the content of the network traffic.
Monitor process execution events for instances of MsBuild.exe executing unusual or suspicious project files.
Enable process monitoring with command-line argument logging to identify potential malicious project files being passed to MsBuild.exe.
Consider implementing application control policies to restrict the execution of MsBuild.exe to authorized users and processes only.
Block known malicious domains and IP addresses associated with command and control activity at the firewall or DNS resolver.

Apache Struts CVE-2023-50164 Exploitation Leading to Web Shell Deployment

hello@craftedsignal.io — Fri, 05 Jan 2024 18:22:00 +0000

CVE-2023-50164 is a critical path traversal vulnerability affecting Apache Struts 2 versions prior to 2.5.33 or 6.3.0.2. The vulnerability resides in the file upload functionality, allowing attackers to manipulate file upload parameters and write malicious files, such as JSP web shells, to arbitrary locations on the web server. Successful exploitation leads to remote code execution. Detection focuses on correlating suspicious file upload requests to Struts endpoints with subsequent creation of JSP files in web-accessible directories, indicating successful exploitation. The attack involves crafting malicious multipart/form-data POST requests with WebKitFormBoundary to Struts .action upload endpoints.

Attack Chain

The attacker sends a malicious HTTP POST request to a vulnerable Apache Struts endpoint (e.g., *.action).
The HTTP POST request contains a multipart/form-data content type with a WebKitFormBoundary string.
The request exploits CVE-2023-50164, leveraging a path traversal vulnerability in the file upload process.
The attacker bypasses security controls due to the path traversal vulnerability.
The attacker uploads a malicious JSP file (web shell) to a web-accessible directory, such as Tomcat’s webapps directory.
A Java process (e.g., Tomcat) creates the JSP web shell file in the webapps directory.
The attacker accesses the deployed web shell via HTTP.
The attacker executes arbitrary commands on the server through the web shell.

Impact

Successful exploitation of CVE-2023-50164 allows attackers to achieve remote code execution on the affected server. This can lead to complete system compromise, data exfiltration, deployment of malware, and lateral movement within the network. The vulnerability affects Apache Struts 2 applications using the file upload feature, potentially impacting numerous organizations across various sectors using the framework.

Recommendation

Deploy the Sigma rule “Apache Struts CVE-2023-50164 Webshell Creation” to detect JSP file creation events in webapps directories following suspicious POST requests as described in the overview.
Deploy the Sigma rule “Apache Struts CVE-2023-50164 Suspicious POST Request” to detect suspicious POST requests to Struts endpoints with multipart/form-data content containing WebKitFormBoundary, as indicated in the Attack Chain.
Patch Apache Struts 2 to version 2.5.33, 6.3.0.2, or higher to remediate the CVE-2023-50164 vulnerability, as noted in the References.
Enable HTTP request body capture in network traffic monitoring tools to detect the multipart/form-data content containing WebKitFormBoundary indicators, as required by the rule setup.

Detection of Command and Control Activity via Commonly Abused Web Services

hello@craftedsignal.io — Thu, 04 Jan 2024 12:00:00 +0000

Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in. This detection focuses on identifying connections from Windows hosts to a predefined list of commonly abused web services from processes running outside of typical program installation directories, indicating a potential C2 channel leveraging legitimate services. The rule aims to detect this behavior by monitoring network connections and DNS requests originating from unusual locations.

Attack Chain

Initial access is achieved via an unknown method (e.g., phishing, exploit).
Malware is installed on the victim’s system, likely outside typical program directories.
The malware establishes a DNS connection to a commonly abused web service (e.g., pastebin.com, raw.githubusercontent.com) to obscure C2 traffic.
The malware sends encrypted or encoded commands to the web service.
The web service acts as an intermediary, relaying the commands to the attacker’s C2 server.
The C2 server responds with instructions, which are then relayed back to the compromised host through the same web service.
The malware executes the received commands, potentially leading to data exfiltration, lateral movement, or other malicious activities.
The attacker maintains persistent access and control over the compromised system using the web service as a hidden C2 channel.

Impact

Successful exploitation can lead to data theft, system compromise, and further propagation within the network. Since commonly used web services are utilized, the malicious activity can blend in with legitimate network traffic, making it difficult to detect. The impact can range from minor data breaches to complete network compromise, depending on the attacker’s objectives and the level of access gained.

Recommendation

Deploy the Sigma rule Detect Commonly Abused Web Services via DNS to your SIEM to identify suspicious DNS queries to known C2 web services originating from anomalous processes.
Enable DNS query logging on Windows endpoints to provide the data source required for the Sigma rule.
Review network connection logs for processes outside standard installation directories communicating with domains listed in the query section of the Sigma rule to identify potential C2 activity.
Implement network segmentation to limit the potential impact of compromised hosts.

Potential Command and Control via Internet Explorer COM Abuse

hello@craftedsignal.io — Wed, 03 Jan 2024 18:12:00 +0000

This detection rule identifies potential command and control (C2) activity abusing Internet Explorer (iexplore.exe) via the Component Object Model (COM) on Windows systems. The technique involves launching iexplore.exe through COM, often using system binaries like rundll32.exe or regsvr32.exe to proxy the execution and evade security controls. The rule focuses on identifying unusual DNS queries originating from iexplore.exe, excluding those directed towards common Microsoft and OCSP-related domains. This tactic allows adversaries to make network connections appearing benign while hosting malicious content or performing C2 functions. The rule is designed for environments using Elastic Defend. The rule was last updated on 2026/05/04.

Attack Chain

Adversary gains initial access to the targeted system (e.g., through phishing or exploiting a vulnerability).
The adversary uses rundll32.exe or regsvr32.exe to load IEProxy.dll, which is used to instantiate Internet Explorer via COM.
Iexplore.exe is launched as a child process of rundll32.exe or regsvr32.exe with the -Embedding flag, indicating it was started via COM.
Iexplore.exe initiates DNS queries to resolve domains for command and control communication or to retrieve malicious payloads.
The DNS queries bypass typical whitelists by using uncommon or attacker-controlled domains.
Iexplore.exe establishes network connections to external IP addresses associated with the malicious domains.
Data is exfiltrated or further commands are received through the established connections.
The adversary maintains persistence and control over the compromised system.

Impact

Successful exploitation allows adversaries to establish a covert command and control channel, potentially leading to data theft, system compromise, or further propagation within the network. The use of Internet Explorer, a trusted system binary, helps evade detection and bypass host-based firewalls. The impact can range from individual workstation compromise to broader network breaches, depending on the attacker’s objectives.

Recommendation

Deploy the Sigma rule Potential Command and Control via Internet Explorer to your SIEM and tune for your environment.
Investigate any alerts generated by the Sigma rule, focusing on the parent processes (rundll32.exe, regsvr32.exe) and the destination domains of the DNS queries.
Monitor process execution events for instances of iexplore.exe being launched with the -Embedding flag, especially when the parent process is rundll32.exe or regsvr32.exe.
Review network connection logs for iexplore.exe to identify any unusual or suspicious outbound connections to domains not associated with standard Microsoft services or internal resources.
Implement network-level controls to block communication with any identified malicious domains.

Network Connection via Compiled HTML File

hello@craftedsignal.io — Wed, 03 Jan 2024 17:00:00 +0000

Adversaries may conceal malicious code in a compiled HTML file (.chm) and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe). Attackers can use CHM files to proxy the execution of malicious payloads via a signed binary to bypass security controls, and also to gain initial access to environments via social engineering methods. This rule identifies network connections done by hh.exe, which can potentially indicate abuse to download malicious files or tooling, or masquerading. The detection logic focuses on network connections originating from hh.exe to external IPs, excluding private or reserved IP ranges.

Attack Chain

The user receives a compiled HTML file (.chm), often through social engineering tactics such as phishing.
The user opens the .chm file, which is then executed by the HTML Help executable (hh.exe).
The hh.exe process loads and renders the HTML content within the .chm file.
Embedded within the HTML content is malicious JavaScript or other scripting code.
The malicious script executes, initiating a network connection via hh.exe to an external server.
The external server hosts a malicious payload, such as a reverse shell or an executable file.
Hh.exe downloads the malicious payload to the victim’s machine.
The downloaded payload is executed, granting the attacker initial access or performing other malicious actions like data exfiltration or lateral movement.

Impact

A successful attack can lead to initial access to a victim’s system, potentially bypassing security controls through a signed Microsoft binary. This can result in the download and execution of arbitrary payloads, leading to data exfiltration, lateral movement within the network, or installation of malware. The exploitation can spread rapidly through social engineering, affecting multiple users within an organization. While the severity is rated as medium, the potential for escalation to a critical compromise is high if the attacker gains a foothold in the environment.

Recommendation

Enable process and network monitoring on Windows endpoints, focusing on hh.exe activity (Data Source: Elastic Defend, Sysmon, SentinelOne).
Deploy the Sigma rule Network Connection via Compiled HTML File to your SIEM and tune for your environment to detect suspicious network connections initiated by hh.exe.
Monitor for hh.exe spawning child processes, which could indicate the execution of downloaded payloads. Create a Sigma rule to detect such events.
Implement network segmentation to limit the impact of a compromised host and restrict lateral movement.
Conduct regular security awareness training to educate users about the risks of opening unsolicited .chm files.
Inspect the digital signatures of hh.exe and other system binaries to ensure their integrity and authenticity.

Remote File Download via PowerShell

hello@craftedsignal.io — Wed, 03 Jan 2024 15:25:00 +0000

Attackers frequently use PowerShell, a legitimate administration tool, to download malicious payloads into compromised systems. This technique allows them to bypass traditional security measures by leveraging a trusted tool. This activity often occurs during the command and control phase, where attackers introduce additional tooling or malware for further exploitation. This rule identifies instances where PowerShell downloads executable and script files from untrusted remote destinations. It does this by correlating network and file events, specifically looking for PowerShell processes initiating network connections to non-whitelisted domains followed by the creation of executable or script files. The rule helps defenders identify and respond to potential command and control activity and malware deployment attempts.

Attack Chain

An attacker gains initial access to a Windows system, possibly through phishing or exploiting a vulnerability.
The attacker uses PowerShell (powershell.exe, pwsh.exe, or powershell_ise.exe) to initiate a network connection to a remote domain.
The DNS request is made to a domain not in the allowed list (e.g., not *.microsoft.com, *.azureedge.net, etc.).
PowerShell downloads a file with an executable extension (e.g., .exe, .dll, .ps1, .bat) or a file with a MZ header.
The downloaded file is saved to disk.
The file is saved to a location that is not excluded by the rule, filtering out commonly used temporary directories.
The downloaded executable or script is then executed, leading to further malicious activities.
The attacker achieves persistence, lateral movement, or data exfiltration depending on the downloaded payload.

Impact

A successful attack can lead to the introduction of malware, backdoors, or other malicious tools into the compromised system. This can enable attackers to perform a wide range of malicious activities, including data theft, system compromise, and further propagation within the network. The compromised system can become a beachhead for further attacks, potentially impacting numerous systems and leading to significant financial and reputational damage.

Recommendation

Deploy the Sigma rule PowerShell Remote File Download to detect PowerShell processes downloading executable files from untrusted remote destinations by correlating network and file creation events.
Enable Elastic Defend to provide the necessary network and file event data for the rule to function correctly as noted in the setup instructions.
Investigate any alerts generated by the Sigma rule, focusing on the parent process of the PowerShell process, the reputation of the downloaded file, and any other suspicious activities on the affected host, as per the investigation guide in the rule’s note field.
Review and customize the whitelisted domains in the Sigma rule to match your organization’s specific environment and trusted external resources, as described in the query field.
Block the identified malicious domains or IP addresses at the network perimeter to prevent further downloads.

Detection of Command and Control Activity via Common Web Services

hello@craftedsignal.io — Wed, 03 Jan 2024 15:00:00 +0000

This detection rule, sourced from Elastic, identifies potential command and control (C2) activity by detecting connections to commonly abused web services. Adversaries often leverage popular web services like pastebin, GitHub, Dropbox, and Discord to mask malicious communications within legitimate network traffic. This technique makes it challenging for defenders to distinguish between normal user activity and malicious C2 traffic. The rule focuses on Windows systems and monitors DNS queries to identify processes communicating with a predefined list of services known to be abused by attackers. The rule was last updated on 2026-05-04 and is designed to work with data from Elastic Defend and SentinelOne Cloud Funnel. The goal is to identify anomalous network connections originating from unusual processes.

Attack Chain

A user on a Windows host unknowingly executes a malicious file (e.g., via phishing or drive-by download).
The malicious file executes a process outside of typical program directories (e.g., C:\Windows\Temp).
This process initiates a DNS query to a domain associated with a commonly abused web service (e.g., pastebin.com, githubusercontent.com).
The DNS query resolves to an IP address, and a network connection is established to the web service.
The malicious process uploads or downloads data from the web service, potentially containing commands for the compromised host or exfiltrated data.
The web service acts as an intermediary, relaying commands from the attacker to the compromised host or exfiltrated data from the compromised host to the attacker.
The attacker uses the C2 channel to perform further actions on the compromised host, such as lateral movement or data theft.

Impact

A successful attack using common web services for C2 can lead to data exfiltration, system compromise, and further propagation within the network. The low severity suggests a focus on detecting early-stage C2 activity, which if left unchecked, could escalate into a significant incident. The usage of popular web services makes detection difficult, requiring careful analysis and tuning to avoid false positives.

Recommendation

Deploy the Sigma rule “Connection to Commonly Abused Web Services” to your SIEM and tune it for your environment to minimize false positives.
Enable Sysmon DNS query logging to accurately capture DNS requests for improved detection capabilities, activating the “DNS Query to Commonly Abused Web Services” rule.
Investigate any alerts generated by this rule, focusing on the process execution chain and network connections to determine the legitimacy of the activity, referencing the investigation steps described in the rule documentation.
Review and update the list of excluded processes in the Sigma rule to reflect your organization’s approved software and reduce false positives.

RDP (Remote Desktop Protocol) from the Internet

hello@craftedsignal.io — Wed, 03 Jan 2024 14:30:00 +0000

Remote Desktop Protocol (RDP) is a common tool for system administrators to remotely manage systems, however, exposing RDP directly to the internet creates a significant attack surface. Threat actors frequently target and exploit RDP for initial access, lateral movement, and establishing backdoors within compromised networks. This activity is detected by monitoring network traffic for RDP connections originating from outside the internal network (RFC1918 IP ranges). This is important because successful RDP compromise often leads to broader network infiltration and data exfiltration. This detection focuses on the network level characteristics of RDP connections from the internet to internal assets.

Attack Chain

An attacker identifies a publicly accessible RDP service.
The attacker attempts to brute-force RDP login credentials or exploits a known RDP vulnerability (e.g. BlueKeep CVE-2019-0708).
Upon successful authentication or exploitation, the attacker gains remote access to the targeted system.
The attacker uses the compromised system as a pivot point to perform reconnaissance on the internal network.
The attacker moves laterally within the network using stolen credentials or by exploiting other vulnerabilities.
The attacker installs malware or establishes persistence mechanisms (e.g., creating new user accounts or modifying system configurations).
The attacker gathers sensitive data from internal systems.
The attacker exfiltrates the stolen data to an external server or deploys ransomware.

Impact

Compromised RDP services can lead to significant data breaches, system downtime, and financial losses. Attackers can leverage RDP access to steal sensitive information, install ransomware, or disrupt critical business operations. While the number of affected organizations varies, RDP exploitation remains a prevalent attack vector, especially for organizations with inadequate security practices. The impact of a successful RDP attack ranges from several thousands to millions of dollars, depending on the size of the organization and the sensitivity of the compromised data.

Recommendation

Deploy the “RDP (Remote Desktop Protocol) from the Internet” Sigma rule to your SIEM to detect unauthorized RDP connections from outside the network.
Review firewall rules and network configurations to ensure RDP services are not exposed directly to the internet. Implement a VPN or RDP gateway for secure remote access.
Enable and monitor network traffic logs (category: network_traffic, product: windows|linux|macos) to provide data for the Sigma rule.
Investigate any alerts generated by the Sigma rule, focusing on the source IP address and user accounts involved in the RDP connection.
Implement network segmentation to limit the blast radius of a potential RDP compromise.

Kubernetes Pod Exec with Curl or Wget to HTTPS

hello@craftedsignal.io — Wed, 03 Jan 2024 14:27:00 +0000

This detection rule identifies suspicious activity within Kubernetes environments where attackers leverage kubectl exec or similar API calls to execute commands within pods. Specifically, it focuses on instances where these commands involve using curl or wget to retrieve content over HTTPS. Attackers may use this technique to download malicious scripts, tools, or exfiltrate sensitive data from compromised pods. This activity is flagged based on decoded request URIs from Kubernetes audit logs, reconstructed command strings, and filtering of benign traffic related to cluster health checks and OIDC/JWKS endpoints. The rule aims to detect anomalous behavior that deviates from typical pod execution patterns, helping defenders identify potential intrusions or misuse of pod execution privileges. The rule was created on 2026/04/23 and last updated on 2026/04/23 according to the source.

Attack Chain

An attacker gains unauthorized access to the Kubernetes cluster, possibly through compromised credentials or a vulnerability.
The attacker identifies a target pod within the cluster to execute commands within.
The attacker uses kubectl exec or a similar API call to initiate a shell session within the target pod.
The attacker crafts a command using curl or wget to download a malicious script, tool, or exfiltrate data over HTTPS. The URL is often encoded in the requestURI.
The Kubernetes API server records the exec call and its parameters in the audit logs.
The detection rule decodes the requestURI, extracts the command string, and identifies the use of curl or wget with an HTTPS URL.
The rule filters out known benign URLs associated with cluster health checks or OIDC/JWKS endpoints.
If the command is identified as malicious, an alert is triggered, indicating a potential compromise.

Impact

Successful exploitation can lead to the deployment of malicious tools within the Kubernetes environment, potentially enabling lateral movement, data theft, or denial-of-service attacks. Compromised pods could expose sensitive data or be used as a launchpad for further attacks on the cluster or other systems. The scope of impact depends on the permissions granted to the compromised pod and the attacker’s objectives.

Recommendation

Deploy the Sigma rule “Kubernetes Pod Exec with Curl or Wget to HTTPS” to your SIEM and tune for your environment.
Review Kubernetes RoleBindings for pods/exec to ensure only required principals retain access on sensitive namespaces.
Investigate any alerts generated by the Sigma rule by reviewing the decoded URI and reconstructed command in the alert details.
Implement network policies to restrict egress traffic from pods, limiting the potential for data exfiltration via HTTPS.
Regularly audit Kubernetes audit logs for suspicious activity related to pod execution and API calls.

Unusual Network Connection via DllHost

hello@craftedsignal.io — Wed, 03 Jan 2024 14:00:00 +0000

The detection rule identifies unusual instances of dllhost.exe making outbound network connections, which may indicate adversarial command and control activity. Dllhost.exe is a legitimate Windows process used to host DLL services. Adversaries may exploit it for stealthy command and control by initiating unauthorized network connections to non-local IPs. This approach helps in identifying potential threats by focusing on unusual network behaviors associated with this process. The rule aims to detect activity related to defense evasion, where adversaries use system binaries to proxy execution. The detection logic relies on identifying dllhost.exe processes initiating network connections to destinations outside of commonly used private IP ranges.

Attack Chain

An attacker gains initial access to a Windows system (e.g., via phishing or exploitation).
The attacker executes a malicious DLL file on the compromised system.
The attacker uses dllhost.exe to host and execute the malicious DLL.
The malicious DLL initiates a network connection to an external IP address, bypassing traditional process-based network monitoring.
The attacker establishes a command and control (C2) channel via the dllhost.exe process.
The attacker uses the C2 channel to send commands and receive data from the compromised system.
The attacker performs lateral movement within the network.
The attacker exfiltrates sensitive data from the compromised network.

Impact

A successful attack can lead to the establishment of a covert command and control channel, allowing attackers to remotely control the compromised system. This can result in data theft, further compromise of the network, and potential financial loss. The references point to APT29 activity, suggesting sophisticated actors may leverage this technique.

Recommendation

Enable Sysmon process creation (Event ID 1) and network connection (Event ID 3) logging to enhance visibility of process execution and network activity (https://ela.st/sysmon-event-1-setup, https://ela.st/sysmon-event-3-setup).
Deploy the Sigma rule Unusual Network Connection via DllHost to your SIEM to detect suspicious outbound connections from dllhost.exe.
Investigate and whitelist legitimate software updates or enterprise applications that use dllhost.exe for network communications to reduce false positives, as described in the rule’s analysis notes.

Suspicious CertUtil Commands Used for Defense Evasion

hello@craftedsignal.io — Wed, 03 Jan 2024 14:00:00 +0000

CertUtil is a command-line utility included with Windows, designed for managing digital certificates and certificate services. Attackers frequently abuse it to “live off the land” by downloading malware, deobfuscating files, and establishing command and control channels within compromised environments. This activity leverages certutil.exe to perform actions typically associated with malicious payloads, blending in with legitimate system activity and evading traditional security measures. The tool’s capability to encode, decode, and retrieve files from URLs makes it a versatile asset for attackers aiming to maintain a low profile while executing malicious operations. This detection focuses on identifying specific command-line arguments indicative of this abuse, such as those used for encoding, decoding, and URL retrieval.

Attack Chain

The attacker gains initial access through an undisclosed means (e.g., phishing, exploit).
The attacker executes certutil.exe via cmd.exe or PowerShell.
Certutil is used with the urlcache parameter to download a malicious payload from a remote server.
Certutil uses the decode parameter to decode a base64-encoded payload, saving it to disk.
The attacker uses certutil with encodehex to encode a binary into a hexadecimal representation to evade signature-based detection.
The attacker then uses certutil with decodehex to decode the hexadecimal encoded data.
The attacker executes the decoded payload, gaining further control of the system.
The attacker establishes a command and control channel, using certutil to encode/decode communications.

Impact

Successful exploitation allows attackers to download and execute arbitrary code, bypass security measures, and maintain persistence within the compromised system. This can lead to data exfiltration, system compromise, and further propagation of the attack within the network. The lack of directly observed IOCs in the originating advisory limits quantification of victim count and impact scope, but the technique is widely applicable.

Recommendation

Deploy the Sigma rule “Suspicious CertUtil Usage for Encoding/Decoding” to detect abuse of encoding/decoding functions within certutil.exe, focusing on unusual file types or destinations.
Deploy the Sigma rule “Suspicious CertUtil URL Download” to identify certutil.exe being used to download files from URLs, and tune the rule based on known good software deployment practices.
Enable Sysmon process creation logging to ensure the rules above function correctly by capturing command-line arguments (as referenced in the logsource for each rule).
Review historical process execution logs for instances of certutil.exe using suspicious parameters like decode, encode, urlcache, verifyctl, encodehex, decodehex, or exportPFX to identify potentially compromised systems.

Unusual Windows Processes Connecting to Domains Using Free SSL Certificates

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This detection rule identifies Windows processes communicating with domains using free SSL certificates from providers like Let’s Encrypt, SSLforFree, ZeroSSL, and FreeSSL. Attackers can leverage these certificates to encrypt command and control (C2) communications, blending malicious traffic with legitimate encrypted web traffic. The rule focuses on detecting unusual processes, specifically those originating from standard Windows system paths that would not typically establish connections to services using free SSL certificates. This excludes known benign processes to reduce false positives and highlight potentially malicious C2 activity. This rule was published on 2020/11/04 and last updated on 2026/05/04.

Attack Chain

An attacker compromises a Windows host.
The attacker installs a malicious agent on the compromised host.
The agent is configured to use a domain that utilizes a free SSL certificate for C2 communication.
The malicious agent establishes a DNS connection to a domain ending in *.letsencrypt.org, *.sslforfree.com, *.zerossl.com, or *.freessl.org.
The infected host bypasses host-based firewalls, as the traffic is encrypted.
The agent receives commands from the C2 server over the encrypted channel.
The attacker executes commands to perform lateral movement or data exfiltration.
The attacker exfiltrates sensitive data from the compromised host.

Impact

Successful exploitation could lead to undetected command and control activity within the network. Attackers could use this encrypted channel to exfiltrate sensitive data, deploy ransomware, or move laterally to other systems. Due to the use of free SSL certificates, the traffic appears legitimate and can bypass basic network security controls. While the rule severity is low, a successful C2 channel can lead to critical impact.

Recommendation

Deploy the provided Sigma rule to your SIEM to detect potentially malicious processes using free SSL certificates for communication, tuning the false positives for your environment.
Investigate any alerts generated by the Sigma rule, focusing on processes not typically associated with network activity originating from the defined Windows system paths.
Monitor DNS query logs for connections to domains using free SSL certificates from unusual or untrusted processes.
Update the Sigma rule with new free SSL certificate providers and adjust the excluded processes based on observed false positives in your environment.
Enable Sysmon Event ID 22 (DNS Query) logging for better visibility into DNS requests.

Suspicious SMTP Activity on Port 26/TCP

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This detection rule identifies suspicious SMTP activity occurring over TCP port 26. While standard SMTP traffic typically uses port 25, port 26 is sometimes used as an alternative to avoid conflicts or restrictions. The BadPatch malware family has been known to leverage port 26 for command and control (C2) communications with compromised Windows systems. This activity is considered suspicious because legitimate uses of SMTP on port 26 are less common and can indicate malicious activity, such as covert C2 channels used by malware like BadPatch. The rule analyzes network traffic to detect SMTP communication occurring on this non-standard port, helping to identify potential infections or unauthorized network activity.

Attack Chain

Initial infection occurs via an unspecified method (e.g., phishing, exploit).
Malware establishes a foothold on the compromised system.
Malware configures itself to use SMTP on port 26 for C2 communications.
The infected host initiates a TCP connection to a remote server on port 26.
The malware sends commands to the infected host over the SMTP connection on port 26.
The infected host executes the received commands.
The malware may exfiltrate data to the remote server over the SMTP connection on port 26.

Impact

Compromised systems may be remotely controlled by attackers, leading to data theft, malware propagation, or further malicious activities. The use of non-standard ports like 26 can help attackers evade detection. If successful, an attacker can maintain persistence and control over the compromised system.

Recommendation

Deploy the Sigma rule Detect SMTP Traffic on TCP Port 26 to your SIEM and tune for your environment to detect potential command and control activity.
Investigate any network connections on TCP port 26 to identify potentially malicious SMTP traffic.
Review network traffic logs focusing on network_traffic.flow or zeek.smtp events to detect unusual patterns associated with TCP port 26.
Implement firewall rules to block unauthorized SMTP traffic on port 26.
Examine source and destination IP addresses of traffic on port 26, and correlate with threat intelligence sources to identify known malicious actors as per the references.

Suspicious DNS Queries to RMM Domains from Non-Browser Processes

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This detection identifies DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains originating from processes that are not web browsers. This activity can indicate the use of legitimate RMM tools for malicious purposes, such as command and control, persistence, or lateral movement within a network. The detection aims to surface RMM clients, scripts, or other non-browser activities contacting these services without legitimate user interaction. Defenders should investigate processes making these queries to confirm expected behavior and validate the security posture of their managed assets. The rule is based on a list of known RMM domains and excludes common browser processes to reduce false positives.

Attack Chain

An attacker gains initial access to a Windows host through unspecified means.
The attacker deploys or leverages an existing RMM tool on the compromised host.
The RMM tool, running as a non-browser process, initiates a DNS query to resolve a command and control server associated with the RMM service (e.g., teamviewer.com).
The DNS query is made by a process other than a known web browser (chrome.exe, firefox.exe, etc.).
The compromised host establishes a connection to the resolved IP address associated with the RMM domain.
The attacker uses the RMM tool to execute commands, transfer files, or perform other malicious activities on the compromised host.
The attacker may use the RMM tool for lateral movement, pivoting to other systems within the network.
The attacker achieves their objective, which could include data exfiltration, ransomware deployment, or maintaining persistent access.

Impact

Compromise via abused RMM software can lead to full system compromise, data theft, or deployment of ransomware. While the number of affected victims is unknown, the sectors most likely to be impacted include any organization that relies on RMM tools for IT management. Successful exploitation allows attackers to bypass traditional security controls by using legitimate software, making detection more challenging.

Recommendation

Deploy the Sigma rule “DNS Queries to Known RMM Domains from Non-Browser Processes” to your SIEM and tune the RMM domain list for your environment.
Investigate any alerts generated by the Sigma rule, focusing on identifying the process responsible for the DNS query and its parent process.
Implement application control policies to restrict the execution of unauthorized RMM tools.
Enable Sysmon DNS event logging to ensure the necessary data is available for the detection rule.
Correlate with other alerts to identify potential compromises.
Review process.code_signature for trusted RMM publishers and investigate any unsigned or unexpected signers.

RMM Domain DNS Queries from Non-Browser Processes

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This detection identifies potentially malicious use of Remote Monitoring and Management (RMM) tools by detecting DNS queries to known RMM domains originating from processes that are not web browsers. Attackers frequently abuse legitimate RMM software for command and control, persistence, and lateral movement within compromised networks. This rule focuses on surfacing RMM clients, scripts, or other non-browser activity contacting these services, thereby increasing the likelihood of detecting unauthorized remote access or malicious activity. The rule aims to reduce false positives by excluding common browser processes and focusing on unusual network activity. The identified domains are associated with various RMM tools like TeamViewer, AnyDesk, and ScreenConnect. This detection is relevant for organizations concerned about insider threats, supply chain attacks, or general compromise leading to unauthorized remote access.

Attack Chain

An attacker gains initial access to a system, possibly through phishing or exploiting a vulnerability.
The attacker installs an unauthorized RMM tool (e.g., using a script or installer).
The RMM tool initiates a DNS query to resolve its command and control domain (e.g., teamviewer.com).
The system, now running the RMM agent, establishes a connection to the attacker-controlled RMM server.
The attacker uses the RMM tool to execute commands on the compromised system.
The attacker uses the RMM tool for lateral movement within the network.
The attacker uses the RMM tool to maintain persistence on the compromised system.

Impact

Compromise via unauthorized RMM tools can provide attackers with persistent remote access, enabling them to perform a range of malicious activities, including data theft, ransomware deployment, and further lateral movement within the network. Successful exploitation can lead to significant financial loss, reputational damage, and disruption of business operations. The number of affected systems can vary depending on the scope of the initial compromise and the attacker’s ability to move laterally.

Recommendation

Deploy the Sigma rule RMM Domain DNS Queries from Non-Browser Processes to your SIEM and tune it to your environment, excluding legitimate non-browser processes that use RMM tools.
Investigate any alerts generated by the rule, focusing on identifying the process making the DNS query and its parent process, as outlined in the rule’s description.
Monitor DNS query logs for queries to the RMM domains listed in the IOC table, and block them at the DNS resolver if unauthorized RMM use is confirmed.
Enable Sysmon Event ID 22 (DNS Query) logging to provide the necessary data for this detection, as recommended in the “Setup” section of the content.

Remote Management Access Launch After MSI Install

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This detection identifies a suspicious sequence of events where an MSI installer is executed, followed by the launch of remote management software (RMM) such as ScreenConnect, Syncro, or VNC. Attackers may leverage this technique to gain unauthorized access to systems by first installing malicious software via an MSI package, and then using the RMM software to establish a remote connection. The rule specifically looks for msiexec.exe being run with an install argument (/i) followed by the execution of known RMM tools within a short timeframe. This behavior is often indicative of malicious actors attempting to establish persistent remote access to compromised machines. The detection is designed for Windows environments and covers a range of data sources including Elastic Defend, Sysmon, SentinelOne, Microsoft Defender XDR, and Crowdstrike.

Attack Chain

An attacker gains initial access to a system through various means (e.g., social engineering, compromised website, or existing malware).
The attacker deploys a malicious MSI installer to the victim machine. This can be done through phishing attachments or drive-by downloads.
The user executes the MSI installer (msiexec.exe) with an installation argument (/i or -i). The parent process is typically explorer.exe or sihost.exe, indicating user-initiated installation.
The MSI installer executes, potentially installing malware or modifying system settings.
Within one minute of the MSI installation, a remote management software (RMM) client is launched, such as ScreenConnect.ClientService.exe, Syncro.Installer.exe, tvnserver.exe, or winvnc.exe.
The RMM client attempts to establish an outbound connection to a remote server controlled by the attacker, often using pre-configured access keys.
The attacker gains remote access to the compromised system via the RMM client. In the case of ScreenConnect, the attacker may use a guest link with a known session key.
The attacker performs malicious activities, such as data exfiltration, lateral movement, or installing additional malware.

Impact

Successful exploitation allows attackers to gain persistent remote access to compromised systems. This can lead to data theft, financial fraud, or disruption of services. Depending on the scope of the initial access, the attacker may be able to move laterally within the network, compromising additional systems. The use of RMM software can mask malicious activity as legitimate remote support, making detection more difficult.

Recommendation

Enable process creation logging via Sysmon or Windows Security Event Logs to capture the execution of msiexec.exe and RMM tools.
Deploy the “Remote Management Access Launch After MSI Install” Sigma rule to your SIEM and tune the timeframe (maxspan) to suit your environment.
Investigate any alerts generated by this rule, focusing on the source of the MSI file and the destination of the RMM connection.
Block the execution of unauthorized RMM software on your network based on process name, as identified in the rule (ScreenConnect.ClientService.exe, Syncro.Installer.exe, tvnserver.exe, winvnc.exe).
Monitor network connections for RMM software connecting to unusual or external IPs.

Remote File Download via Desktopimgdownldr Utility

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

The desktopimgdownldr.exe utility, a legitimate Windows tool for configuring lock screen and desktop images, can be misused by adversaries to download arbitrary files from remote locations. This is achieved by leveraging the /lockscreenurl argument followed by an HTTP or HTTPS URL. This technique allows attackers to bypass traditional download restrictions and can be used to retrieve malicious payloads, tools, or scripts directly onto a compromised system. This method is particularly effective because desktopimgdownldr.exe is a signed Microsoft binary, potentially evading initial detection based on process name or file reputation. The detection rule was initially created in September 2020 and updated in May 2026. This technique is valuable for attackers seeking to transfer files without using common tools like certutil, powershell, or bitsadmin.

Attack Chain

The attacker gains initial access to the target system through an existing vulnerability, credential compromise, or social engineering.
The attacker executes desktopimgdownldr.exe with the /lockscreenurl argument, specifying a URL from which to download a malicious file.
desktopimgdownldr.exe initiates an HTTP or HTTPS request to the specified URL.
The remote server responds with the file content, which desktopimgdownldr.exe saves to disk.
The attacker then executes the downloaded file (e.g., a malicious script or executable).
The malicious code performs actions such as establishing persistence, escalating privileges, or deploying further malware.
The attacker uses the compromised system to move laterally within the network, accessing sensitive data and systems.
The attacker achieves their final objective, such as data exfiltration, ransomware deployment, or disruption of services.

Impact

Successful exploitation allows attackers to download and execute arbitrary files on a Windows system, leading to potential compromise of the host and the network. This can result in data theft, system damage, or ransomware infection. Due to the legitimate nature of the desktopimgdownldr.exe utility, this technique can bypass security controls and detection mechanisms, increasing the likelihood of successful exploitation. While the exact number of victims is unknown, any Windows system where an attacker can execute commands is potentially vulnerable.

Recommendation

Deploy the Sigma rule “Remote File Download via Desktopimgdownldr Utility” to your SIEM to detect the execution of desktopimgdownldr.exe with the /lockscreenurl argument.
Monitor process creation events for desktopimgdownldr.exe to identify suspicious command-line arguments.
Enable Sysmon process creation logging to ensure sufficient data is available for the provided Sigma rules.
Investigate any instances of desktopimgdownldr.exe downloading files from external URLs to determine if they are malicious.
Implement application control policies to restrict the execution of unauthorized or unknown executables in sensitive environments.

Potential DNS Tunneling via NsLookup

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Attackers can abuse DNS protocol for command and control and/or data exfiltration by exploiting network rules that allow DNS communication with external resources. This technique, known as DNS tunneling, involves encoding data within DNS queries to transmit commands, malicious files, or exfiltrate sensitive information to attacker-controlled DNS servers. Detection focuses on identifying anomalous patterns of nslookup.exe usage, specifically a high volume of executions with explicit query types originating from a single host within a short timeframe. This activity may bypass traditional security controls that monitor standard network traffic, enabling covert communication channels.

Attack Chain

The attacker compromises a host within the network.
The attacker executes nslookup.exe to perform DNS queries with specific query types (e.g., -querytype=TXT, -qt=A).
The attacker encodes data (commands, files, or exfiltrated data) into the DNS query.
The compromised host sends multiple DNS requests to a rogue DNS server controlled by the attacker.
The attacker receives the DNS queries and decodes the data.
The attacker uses the tunneled command to further compromise the internal network.
The attacker exfiltrates data to the attacker-controlled server.

Impact

Successful DNS tunneling allows attackers to establish covert communication channels, bypassing traditional security measures. This can lead to command and control of compromised systems, exfiltration of sensitive data, and further propagation within the network. The impact includes potential data breaches, system compromise, and prolonged attacker presence due to the difficulty in detecting covert DNS traffic.

Recommendation

Deploy the Sigma rule “Suspicious Nslookup DNS Tunneling Activity” to your SIEM to detect potential DNS tunneling attempts.
Enable Sysmon process creation logging (Event ID 1) to capture nslookup.exe executions and their command-line arguments.
Inspect network traffic logs for unusually high volumes of DNS queries originating from individual hosts.
Monitor DNS query logs for encoded or unusual data patterns within DNS query names.

Multiple Remote Management Tool Vendors on Same Host

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This detection rule identifies Windows systems running multiple Remote Monitoring and Management (RMM) tools from different vendors within an eight-minute timeframe. While legitimate MSP environments might utilize several tools, the presence of multiple RMM solutions on a single host can signify a compromise, unauthorized software installation (shadow IT), or attackers establishing redundant access points. The rule maps process names to vendor labels to avoid inflated counts from multiple binaries of the same vendor. This activity has been observed as a component of broader attack campaigns, including those leveraging compromised MSP infrastructure, and is described in CISA AA23-025A. The timeframe analyzed is “now-9m”, and the rule triggers if two or more different vendors are detected.

Attack Chain

Initial Access: The attacker gains initial access to the system, possibly through phishing, exploiting vulnerabilities, or stolen credentials.
Tool Deployment: The attacker deploys an initial RMM tool (e.g., AnyDesk, TeamViewer) for remote access and control.
Persistence: The attacker establishes persistence by configuring the RMM tool to start automatically on system boot.
Lateral Movement: The attacker uses the initial access to discover other systems on the network.
Additional RMM Deployment: The attacker deploys a second RMM tool (e.g., ScreenConnect, Splashtop) from a different vendor to create a redundant access method.
Privilege Escalation: The attacker escalates privileges using the compromised RMM tools, if necessary.
Remote Control: The attacker uses the RMM tools to remotely control the system, execute commands, and access sensitive data.
Data Exfiltration or Further Exploitation: The attacker exfiltrates sensitive data or uses the compromised system to launch further attacks on the network.

Impact

A successful attack leveraging multiple RMM tools can result in unauthorized access to sensitive data, system compromise, and lateral movement within the network. The presence of multiple RMM tools increases the attacker’s resilience, making it harder to detect and remediate the intrusion. Affected systems can be used as a staging ground for further attacks, leading to significant financial and reputational damage. This can impact any Windows-based system, and the CISA advisory AA23-025A specifically highlights the risk of MSP infrastructure compromise.

Recommendation

Deploy the Sigma rule Multiple RMM Vendors on Same Host to your SIEM and tune for your environment.
Investigate hosts triggering the rule to confirm legitimate use of multiple RMM tools. Check Esql.vendors_seen and Esql.processes_name_values for insight into the involved tools.
Review asset inventory and change tickets to verify authorized RMM software installations.
Isolate any unauthorized or unexplained hosts and remove unapproved RMM tools.
Enforce a single approved RMM stack per asset class where possible.
Enable Sysmon process creation logging (Event ID 1) on Windows endpoints to enhance detection capabilities as described in the rule’s setup instructions.

Ingress Transfer via Windows BITS

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

The Windows Background Intelligent Transfer Service (BITS) is a legitimate Windows service that allows for prioritized, asynchronous, and throttled transfer of files between a client and a server. Adversaries abuse BITS to download malicious payloads while evading typical security protections, as file transfers occur in the context of the svchost.exe process. This activity can obscure the origin of the download and bypass application whitelisting rules. This detection focuses on identifying file rename events where svchost.exe renames temporary BITS files (BIT*.tmp) to executable or archive file types, indicating a potential malicious download via BITS. This technique is commonly employed to deliver malware, exfiltrate data, or download additional tools.

Attack Chain

An attacker gains initial access to a system (e.g., through phishing or exploiting a vulnerability).
The attacker uses a script or command-line interface (e.g., PowerShell) to create a BITS job.
The BITS job is configured to download a malicious executable or archive from a remote server using the bitsadmin.exe utility.
BITS downloads the file to a temporary location on the system with a BIT*.tmp extension.
The svchost.exe process renames the temporary file to its final name and extension (e.g., .exe, .zip).
The attacker executes the downloaded file, initiating further malicious activities.
The malware establishes persistence through registry keys or scheduled tasks.
The malware communicates with a command and control (C2) server to receive instructions and exfiltrate data.

Impact

Successful exploitation enables attackers to download and execute arbitrary code on compromised systems. The use of BITS can bypass traditional security measures, leading to malware infections, data theft, and potentially full system compromise. This technique can be used in conjunction with other attack vectors to establish a persistent foothold within the network. While the rule itself triggers at low severity, the identified activity can be an early warning of more severe attack stages.

Recommendation

Deploy the “Ingress Transfer via Windows BITS” Sigma rule to your SIEM and tune for your environment.
Enable Sysmon file creation and process creation logging to enhance visibility into BITS-related activities.
Monitor network connections initiated by svchost.exe to identify potentially malicious downloads.
Investigate any instances of bitsadmin.exe being executed, especially with command-line arguments indicative of suspicious downloads.
Review Microsoft-Windows-Bits-Client/Operational Windows logs (event ID 59) for unusual BITS events.
Block known malicious domains or IP addresses associated with BITS-related attacks at the firewall or DNS resolver.

Suspicious DNS Queries to Telegram API by Non-Telegram Processes

hello@craftedsignal.io — Wed, 03 Jan 2024 10:00:00 +0000

This alert identifies systems querying the Telegram API domain (api.telegram.org) using processes other than the legitimate Telegram application. Threat actors frequently leverage Telegram bots for C2, due to their ease of use, encryption, and widespread availability. Malware can use these bots to receive commands, exfiltrate data, or perform other malicious activities. Detecting DNS queries for Telegram’s API from unexpected processes can uncover compromised systems or unauthorized use of Telegram for covert communication. The detection focuses on non-standard Telegram clients resolving the api.telegram.org domain to filter out legitimate Telegram application traffic and focus on suspicious processes.

Attack Chain

A user inadvertently downloads and executes a malicious payload (e.g., via phishing or drive-by download).
The malware establishes persistence on the system (e.g., via registry keys or scheduled tasks).
The malware initiates a DNS query to resolve api.telegram.org to identify the Telegram API server IP address.
The malware establishes a communication channel with a Telegram bot controlled by the attacker using the resolved IP address.
The attacker sends commands to the bot, which are relayed to the compromised system.
The malware executes the received commands, potentially including data exfiltration or further malicious actions.
The malware exfiltrates sensitive data to the attacker via the Telegram bot.
The attacker maintains persistent access and control over the compromised system via the Telegram bot.

Impact

Compromised systems can be remotely controlled by attackers, leading to data theft, system disruption, or further propagation of malware within the network. The use of Telegram bots enables covert communication, making it difficult to detect malicious activity using traditional methods. Multiple threat actors employ Telegram-based C2, including those associated with information stealers, keyloggers, and crypto-mining malware. A successful attack can lead to significant data breaches and financial losses.

Recommendation

Deploy the Sigma rule Detect Suspicious Telegram DNS Queries to your SIEM to identify processes making DNS queries to the Telegram API (api.telegram.org) other than the legitimate Telegram application.
Investigate any alerts generated by the Sigma rule by examining the process execution history, network connections, and related system activity.
Block the domain api.telegram.org at the DNS resolver or firewall to prevent compromised systems from communicating with Telegram bots, unless legitimate business use requires it.
Enable Sysmon Event ID 22 (DNS Query) logging to capture DNS query events on endpoints.
Update Sysmon to at least version 6.0.4 to ensure comprehensive DNS event logging.

Remote File Copy via TeamViewer

hello@craftedsignal.io — Wed, 03 Jan 2024 10:00:00 +0000

Attackers sometimes transfer malicious tools into a compromised environment using the command and control channel, but they also abuse legitimate utilities like TeamViewer to drop these files. TeamViewer is a remote access and control tool frequently used by help desks and system administrators for support activities; however, attackers and scammers also leverage it to deploy malware and conduct other malicious activities. This detection identifies instances of the TeamViewer process creating files with suspicious extensions on Windows systems, indicating potential misuse of the tool for unauthorized file transfers. The rule is designed to detect suspicious remote file copies during TeamViewer sessions, focusing on files with extensions commonly associated with executables and scripts.

Attack Chain

An attacker gains initial access to a system through various means.
The attacker installs or leverages an existing TeamViewer instance on the compromised system.
The attacker establishes a remote connection to the compromised system using TeamViewer.
The attacker initiates a file transfer session within TeamViewer.
The attacker transfers a malicious executable or script file (e.g., .exe, .dll, .ps1) to the compromised system.
The transferred file is saved to a location on the compromised system.
The attacker executes the transferred file, leading to further malicious activities such as malware installation or command execution.
The attacker performs post-exploitation activities, like lateral movement or data exfiltration.

Impact

Successful exploitation via remote file copy can lead to the introduction of malware into the targeted environment, potentially compromising sensitive data and causing significant operational disruption. The severity of the impact depends on the nature of the transferred file and the subsequent actions performed by the attacker.

Recommendation

Deploy the Sigma rule TeamViewer Remote File Copy to your SIEM and tune for your environment.
Investigate any alerts generated by this rule by examining process execution chains and file origins.
Block the file extensions listed in the file.extension field in the query at the network level to prevent the transfer of potentially malicious files.
Enable Elastic Defend or SentinelOne Cloud Funnel to collect the necessary file creation events to trigger the detection.
Review TeamViewer usage within your organization and restrict its use to authorized personnel only.

MpCmdRun.exe Used for Remote File Download

hello@craftedsignal.io — Wed, 03 Jan 2024 10:00:00 +0000

Attackers are leveraging the built-in Windows Defender command-line utility, MpCmdRun.exe, to download files from remote locations. This technique allows attackers to bypass traditional download restrictions and blend in with legitimate system activity. The MpCmdRun.exe utility is normally used to manage Windows Defender settings and perform tasks such as signature updates and scans. However, its -DownloadFile parameter can be abused to download arbitrary files from a specified URL. This activity was first publicly reported around September 2020. Defenders should monitor for unusual usage patterns of MpCmdRun.exe, especially those involving command-line arguments related to file downloads from external sources.

Attack Chain

An attacker gains initial access to a target system through an unrelated vulnerability or existing compromise.
The attacker uses MpCmdRun.exe to download a file from a remote server. The command includes arguments like -DownloadFile, -url, and -path to specify the download location and save path.
The downloaded file is saved to a location on the compromised system.
The attacker executes the downloaded file. This could be a malicious executable, a script, or a configuration file.
The executed file performs further malicious actions on the system, such as establishing persistence, escalating privileges, or deploying additional payloads.
The attacker uses the compromised system as a foothold to move laterally within the network, compromising other systems and resources.
The attacker achieves their ultimate objective, such as data exfiltration, ransomware deployment, or disruption of services.

Impact

Successful exploitation allows attackers to introduce arbitrary malicious code into the system, potentially leading to a wide range of adverse effects, including data theft, system compromise, and disruption of operations. While individual cases may be limited in scope, widespread exploitation could impact numerous organizations, resulting in significant financial losses and reputational damage. The use of a trusted system utility makes this technique harder to detect using traditional methods.

Recommendation

Deploy the Sigma rule MpCmdRun Remote File Download to your SIEM to detect the malicious use of MpCmdRun.exe for downloading files.
Enable Sysmon process creation logging with command-line arguments to provide the necessary data for the Sigma rule to function.
Review historical process execution logs for instances of MpCmdRun.exe being used with the -DownloadFile parameter.
Implement application control policies to restrict the execution of unsigned or untrusted executables downloaded by MpCmdRun.exe.

Suspicious Command Prompt Network Connection

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

This detection identifies suspicious network connections initiated by the command prompt (cmd.exe) on Windows systems. The rule focuses on cmd.exe processes executed with specific arguments, such as those indicating script execution (e.g., *.bat, *.cmd), access to remote resources (e.g., URLs), or those spawned by Microsoft Office applications (Excel, Word, etc.). Attackers frequently abuse cmd.exe to download malicious payloads, execute commands, or establish command and control channels. This detection aims to identify such potentially malicious activity by correlating process creation events with subsequent network connections. The rule excludes common private and reserved IP address ranges to reduce false positives. The targeted systems are Windows endpoints where adversaries attempt to leverage cmd.exe for malicious purposes.

Attack Chain

A user opens a malicious document (e.g., Word, Excel) or executes a seemingly benign application.
The document or application contains a macro or script that initiates a cmd.exe process.
The cmd.exe process is launched with arguments indicating script execution (/c, /k) and referencing a remote resource (e.g., a URL) or a local batch file.
The cmd.exe process attempts to download a payload from a remote server using protocols like HTTP, HTTPS, or FTP.
The downloaded payload is saved to disk, often with a disguised filename.
The cmd.exe process executes the downloaded payload, initiating further malicious actions.
The malicious payload establishes a command and control (C2) channel with a remote server.
The attacker uses the C2 channel to send commands to the compromised system, potentially leading to data exfiltration or other malicious activities.

Impact

Successful exploitation can lead to the compromise of Windows endpoints, potentially enabling attackers to download and execute malicious payloads, establish command and control channels, and perform further malicious activities such as data theft, lateral movement, or ransomware deployment. While this detection has a low severity, it serves as an early warning sign of potential compromise and should be investigated promptly.

Recommendation

Enable process creation logging with command line arguments to capture the full context of cmd.exe executions.
Monitor network connections from cmd.exe processes, focusing on connections to external IP addresses, using a network monitoring solution.
Deploy the Sigma rules provided in this brief to your SIEM to detect suspicious cmd.exe network connections.
Investigate any alerts generated by the Sigma rules, focusing on cmd.exe processes spawned by Office applications or those executing scripts from remote URLs.

Potential Protocol Tunneling via Yuze

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

This rule detects the execution of Yuze, an open-source tunneling tool written in C, which is commonly used for intranet penetration. Yuze supports both forward and reverse SOCKS5 proxy tunneling and is often executed using rundll32 to load yuze.dll with the RunYuze export. Threat actors can leverage Yuze to proxy command and control (C2) communications or to pivot within a network. The detection focuses on identifying processes with command-line arguments indicative of Yuze execution, specifically those involving “reverse,” “-c,” “proxy,” “fwd,” and “-l” parameters. This activity has been observed in real-world campaigns, increasing the importance of timely detection and response.

Attack Chain

The attacker gains initial access to a target system through various means (e.g., phishing, exploitation of vulnerabilities).
The attacker uploads or drops the yuze.dll file onto the compromised host.
The attacker uses rundll32.exe to execute yuze.dll, calling the RunYuze export.
The command line includes parameters to establish a reverse or forward SOCKS5 proxy tunnel (e.g., rundll32 yuze.dll,RunYuze reverse -c :).
Yuze establishes a tunnel to a remote server, allowing the attacker to proxy network traffic.
The attacker uses the established tunnel to pivot within the network and access internal resources.
The attacker may proxy C2 traffic through the tunnel, masking the true origin of the commands.
The attacker performs actions on the internal network, such as data exfiltration or lateral movement, using the tunnel as a covert channel.

Impact

Successful exploitation allows attackers to establish covert communication channels, bypass network security controls, and proxy malicious traffic, potentially leading to unauthorized access to sensitive data, lateral movement within the network, and data exfiltration. The use of Yuze can obscure the origin of attacks, making attribution more difficult and hindering incident response efforts.

Recommendation

Deploy the Sigma rule “Potential Yuze Tunneling via Rundll32” to your SIEM to detect the execution of yuze.dll via rundll32.exe with specific command-line arguments.
Enable process creation logging (Sysmon Event ID 1 or Windows Security Auditing) to capture the necessary command-line information for the Sigma rules.
Investigate any identified instances of rundll32.exe executing yuze.dll, focusing on the parent processes and network connections.
Block the C2/relay IP or domain found in the -c argument at DNS/firewall, as described in the Triage and Analysis section of the rule’s note.

Multiple Remote Management Tool Vendors on Same Host

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

This detection rule identifies Windows hosts running multiple remote monitoring and management (RMM) tools from different vendors within an eight-minute timeframe. While legitimate MSP environments may utilize multiple tools, this activity can also indicate malicious behavior, such as an attacker establishing redundant access to a compromised system. The rule maps various RMM processes to vendor labels, ensuring that multiple binaries from the same vendor do not inflate the count. The processes monitored include popular RMM tools like TeamViewer, AnyDesk, ScreenConnect, and many others. This rule is designed to detect suspicious activity within the environment and alert security teams to potential compromises. The timeframe is set to eight minutes to reduce false positives.

Attack Chain

Initial Access: An attacker gains initial access to a Windows host, possibly through phishing or exploitation of a vulnerability.
Tool Deployment: The attacker deploys an initial RMM tool for remote access and control.
Secondary Tool Deployment: The attacker deploys a second RMM tool from a different vendor to ensure redundant access in case the first tool is detected or removed.
Privilege Escalation: The attacker escalates privileges to gain SYSTEM or Administrator rights, if necessary, to maintain persistent access and control.
Lateral Movement: The attacker uses the RMM tools to move laterally within the network to access additional systems and data.
Data Exfiltration/Malicious Activity: The attacker uses the established RMM connections to exfiltrate sensitive data or perform other malicious activities such as deploying ransomware.

Impact

A successful attack can lead to unauthorized access to sensitive systems and data, potentially resulting in data breaches, financial loss, and reputational damage. This detection rule helps identify hosts that might be compromised by malicious actors utilizing multiple RMM tools for command and control. Identifying potentially compromised systems is key to preventing widespread damage.

Recommendation

Deploy the Sigma rules in this brief to your SIEM to detect multiple RMM tools running on the same host within an eight-minute window.
Investigate systems triggering this alert by reviewing process execution logs and network connections to identify the source of the RMM tool installation.
Enforce a policy of a single approved RMM stack per asset class to minimize the risk of unauthorized RMM tool usage.
Tune the provided Sigma rules with host or organizational unit exceptions for legitimate MSP/IT tooling environments.
Review asset inventory and change tickets for approved RMM software to identify unauthorized installations.

Large ICMP Traffic Detection

hello@craftedsignal.io — Tue, 02 Jan 2024 10:00:00 +0000

This detection focuses on identifying anomalous ICMP (Internet Control Message Protocol) traffic indicative of malicious activity. ICMP is typically used for network diagnostics but can be abused for covert communication, data exfiltration, or command-and-control (C2) by threat actors. This analytic identifies ICMP traffic exceeding 1,000 bytes directed toward external IP addresses, filtering out internal networks. The detection logic leverages the Network_Traffic data model. Validated malicious instances may signal ICMP tunneling, unauthorized data transfer, or compromised endpoints. The data sources for this analytic include Palo Alto Network Traffic and Cisco Secure Access Firewall logs.

Attack Chain

An attacker compromises a host within the network.
The compromised host initiates ICMP traffic to an external IP address.
The ICMP traffic exceeds 1000 bytes, evading default network monitoring thresholds.
The attacker uses ICMP to tunnel data, bypassing normal data transfer protocols.
The compromised host uses ICMP for command and control, receiving instructions from the external attacker.
The attacker establishes a covert communication channel using ICMP, masking their activity within normal network traffic.
Sensitive data is exfiltrated via ICMP packets to the attacker-controlled external server.

Impact

Successful exploitation through large ICMP traffic can lead to data breaches, unauthorized access to internal resources, and the establishment of persistent command and control within the network. ICMP tunneling can bypass traditional security measures, allowing attackers to operate undetected. The impact of successful exploitation includes the potential compromise of sensitive data, disruption of network services, and financial loss.

Recommendation

Deploy the Sigma rule Detect Large ICMP Traffic to your SIEM and tune the byte threshold (currently 1000 bytes) based on your network baseline to minimize false positives.
Investigate any alerts generated by the Detect Large ICMP Traffic rule, focusing on the source and destination IPs involved.
Examine network traffic logs for patterns indicative of ICMP tunneling or covert communication channels, using the provided data sources.
Utilize the provided search View the detection results to review related events and potential lateral movement.
Implement the provided search View risk events to look at risk factors for the involved assets.