{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/defense-evasion/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-31892"}],"_cs_exploited":false,"_cs_products":["argo-workflows"],"_cs_severities":["high"],"_cs_tags":["argo-workflows","kubernetes","privilege-escalation","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Argo"],"content_html":"\u003cp\u003eArgo Workflows, a Kubernetes-native workflow engine, contains an incomplete fix for CVE-2026-31892. The initial patch blocked \u003ccode\u003epodSpecPatch\u003c/code\u003e modifications when \u003ccode\u003etemplateReferencing: Strict\u003c/code\u003e was active. However, other fields within the WorkflowSpec that influence pod creation, such as \u003ccode\u003ehostNetwork\u003c/code\u003e, \u003ccode\u003eserviceAccountName\u003c/code\u003e, and \u003ccode\u003esecurityContext\u003c/code\u003e, were not restricted. This allows a malicious user to bypass intended security controls and potentially escalate privileges within the Kubernetes cluster. Versions affected include those supporting the \u003ccode\u003etemplateReferencing\u003c/code\u003e feature, specifically v4.0.2 and v3.7.11, which include the initial fix for CVE-2026-31892 but are still vulnerable to this bypass. This vulnerability exists because the check in \u003ccode\u003esetExecWorkflow\u003c/code\u003e only validates \u003ccode\u003eHasPodSpecPatch()\u003c/code\u003e, while other critical fields are applied directly to the pod specification. The bypass affects both \u003ccode\u003eStrict\u003c/code\u003e and \u003ccode\u003eSecure\u003c/code\u003e modes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains \u003ccode\u003ecreate Workflow\u003c/code\u003e permission within the Argo Workflows environment.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a Workflow manifest that references a hardened WorkflowTemplate.\u003c/li\u003e\n\u003cli\u003eAttacker sets \u003ccode\u003ehostNetwork: true\u003c/code\u003e (or other vulnerable fields like \u003ccode\u003esecurityContext\u003c/code\u003e, \u003ccode\u003eserviceAccountName\u003c/code\u003e, \u003ccode\u003etolerations\u003c/code\u003e, or \u003ccode\u003eautomountServiceAccountToken\u003c/code\u003e) in the Workflow manifest.\u003c/li\u003e\n\u003cli\u003eThe Workflow is submitted, and the \u003ccode\u003esetExecWorkflow\u003c/code\u003e function in the Argo controller only checks for \u003ccode\u003epodSpecPatch\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the missing validation, the user-defined \u003ccode\u003ehostNetwork: true\u003c/code\u003e (or other vulnerable fields) is merged with the WorkflowTemplate specification.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecreateWorkflowPod\u003c/code\u003e function reads the merged specification and applies the \u003ccode\u003ehostNetwork: true\u003c/code\u003e setting directly to the pod specification, bypassing the intended restrictions.\u003c/li\u003e\n\u003cli\u003eA pod is created with host networking enabled, granting the container access to the host\u0026rsquo;s network namespace.\u003c/li\u003e\n\u003cli\u003eThe attacker can now access sensitive information or perform actions on the network as if they were running directly on the host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to bypass the intended security restrictions imposed by Argo Workflows\u0026rsquo; \u003ccode\u003etemplateReferencing\u003c/code\u003e feature. This can lead to privilege escalation, unauthorized access to network resources, and the potential to compromise other containers or nodes within the Kubernetes cluster. The impact is most significant in clusters that rely on Argo\u0026rsquo;s Strict mode as the primary enforcement layer, as other Kubernetes-level controls like PodSecurity admission or OPA/Gatekeeper may not be in place to mitigate these bypasses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eArgo Workflow Host Network Bypass\u003c/code\u003e to detect workflows attempting to set \u003ccode\u003ehostNetwork: true\u003c/code\u003e, and tune for your environment.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eArgo Workflow Service Account Override\u003c/code\u003e to detect workflows attempting to override the service account.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of Argo Workflows that addresses CVE-2026-42296, ensuring that all WorkflowSpec fields that influence pod security posture are validated.\u003c/li\u003e\n\u003cli\u003eImplement Kubernetes-level controls, such as PodSecurity admission or OPA/Gatekeeper, to provide an additional layer of defense against unauthorized pod specification modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T20:11:38Z","date_published":"2026-05-04T20:11:38Z","id":"/briefs/2026-05-argo-workflow-bypass/","summary":"Argo Workflows has an incomplete fix for CVE-2026-31892, allowing bypass of templateReferencing restrictions to modify pod specifications, leading to potential privilege escalation and security context overrides.","title":"Argo Workflows Template Referencing Restriction Bypass","url":"https://feed.craftedsignal.io/briefs/2026-05-argo-workflow-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Intune Management Extension","Azure AD Connect Health Agent","Windows Defender Advanced Threat Protection"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","powershell","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers frequently employ PowerShell obfuscation techniques to evade detection and hinder analysis. These techniques involve encoding, encrypting, or compressing PowerShell scripts to mask their true intent. This detection identifies PowerShell script blocks exhibiting high entropy and non-uniform character distributions, statistical characteristics often associated with obfuscated content. The rule specifically targets script blocks longer than 1000 characters with entropy bits \u0026gt;= 5.5 and surprisal standard deviation \u0026gt; 0.7. This detection is designed to highlight potentially malicious PowerShell activity that warrants further investigation by security analysts and incident responders. This rule was created by Elastic and last updated on May 4, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system (e.g., via phishing or exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages PowerShell, a built-in Windows scripting language, to execute malicious commands.\u003c/li\u003e\n\u003cli\u003eThe attacker uses obfuscation techniques (encoding, encryption, compression) to disguise the PowerShell script\u0026rsquo;s true intent.\u003c/li\u003e\n\u003cli\u003eThe obfuscated script is executed, bypassing basic signature-based detections.\u003c/li\u003e\n\u003cli\u003eThe script may download and execute additional payloads or establish persistence.\u003c/li\u003e\n\u003cli\u003eThe script performs malicious actions such as data exfiltration, lateral movement, or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using obfuscated PowerShell can lead to various negative impacts, including data breaches, system compromise, and disruption of services. The low severity reflects the need for further analysis to confirm malicious intent, given potential false positives from legitimate encoded scripts. While the exact number of affected systems and sectors is unknown, the widespread use of PowerShell makes this a potentially significant threat across many organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to generate the necessary events (4104) as outlined in the setup instructions: \u003ca href=\"https://ela.st/powershell-logging-setup\"\u003ehttps://ela.st/powershell-logging-setup\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune the thresholds (\u003ccode\u003epowershell.file.script_block_length\u003c/code\u003e, \u003ccode\u003epowershell.file.script_block_entropy_bits\u003c/code\u003e, \u003ccode\u003epowershell.file.script_block_surprisal_stdev\u003c/code\u003e) based on your environment\u0026rsquo;s baseline.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule, focusing on execution context (\u003ccode\u003euser.name\u003c/code\u003e, \u003ccode\u003ehost.name\u003c/code\u003e), script provenance (\u003ccode\u003efile.path\u003c/code\u003e), and reconstructed script content (\u003ccode\u003epowershell.file.script_block_text\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview the investigation guide within the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e section for detailed triage and analysis steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:49:36Z","date_published":"2026-05-04T14:49:36Z","id":"/briefs/2026-06-high-entropy-powershell/","summary":"This detection identifies potentially obfuscated PowerShell scripts based on high entropy and non-uniform character distributions, often used by attackers to evade signature-based detections and hinder analysis.","title":"Potential PowerShell Obfuscated Script via High Entropy","url":"https://feed.craftedsignal.io/briefs/2026-06-high-entropy-powershell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Sysmon Registry Events","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["port-forwarding","registry-modification","command-and-control","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers may configure port forwarding rules to bypass network segmentation restrictions, effectively using the compromised host as a jump box to access previously unreachable systems. This involves modifying the registry to redirect incoming TCP connections from a local port to another port or a remote computer. The technique is typically employed post-compromise to facilitate lateral movement and maintain unauthorized access within the network. This activity is detected by monitoring changes to the \u003ccode\u003eHKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\\u003c/code\u003e registry subkeys.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system through an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a command-line interface (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e) with administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell\u0026rsquo;s \u003ccode\u003eSet-ItemProperty\u003c/code\u003e cmdlet to modify the \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eThe attacker configures a new port forwarding rule by creating a new subkey under \u003ccode\u003ev4tov4\\\u003c/code\u003e with specific settings for the local port, remote address, and remote port.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eListenAddress\u003c/code\u003e, \u003ccode\u003eListenPort\u003c/code\u003e, \u003ccode\u003eConnectAddress\u003c/code\u003e, and \u003ccode\u003eConnectPort\u003c/code\u003e values within the new subkey.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the successful creation and activation of the port forwarding rule using \u003ccode\u003enetsh interface portproxy show v4tov4\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly created port forwarding rule to tunnel traffic through the compromised host, bypassing network segmentation.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the proxied connection to access internal resources and conduct further attacks, such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation enables attackers to bypass network segmentation restrictions, leading to unauthorized access to internal systems and data. This can facilitate lateral movement, data exfiltration, and further compromise of the network. The severity of the impact depends on the sensitivity of the accessible resources and the extent of the attacker\u0026rsquo;s lateral movement.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture modifications to the \u003ccode\u003eHKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\\u003c/code\u003e registry subkeys, enabling detection of malicious port forwarding rule additions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Port Forwarding Rule Addition via Registry Modification\u0026rdquo; to your SIEM to detect suspicious registry modifications related to port forwarding.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the process execution chain and the user account that performed the action.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit existing port forwarding rules to identify and remove any unauthorized or suspicious configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-port-forwarding-registry/","summary":"An adversary may abuse port forwarding to bypass network segmentation restrictions by creating a new port forwarding rule through modification of the Windows registry.","title":"Windows Port Forwarding Rule Addition via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2026-05-port-forwarding-registry/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies suspicious child processes spawned by Zoom.exe, potentially indicating an attempt to evade detection or exploit vulnerabilities within the Zoom application. The rule focuses on detecting instances where command interpreters like cmd.exe, PowerShell, or PowerShell ISE are launched as child processes of Zoom. This behavior can be indicative of an attacker attempting to execute malicious commands or scripts within the context of the Zoom application, potentially escalating privileges or gaining unauthorized access to system resources. It\u0026rsquo;s crucial for defenders to investigate such occurrences, as they may signify ongoing exploitation or malicious activity leveraging Zoom as an initial access vector.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser launches the Zoom application (Zoom.exe).\u003c/li\u003e\n\u003cli\u003eA vulnerability in Zoom is exploited, or the user is socially engineered into running a malicious command.\u003c/li\u003e\n\u003cli\u003eZoom.exe spawns a child process, such as cmd.exe, powershell.exe, pwsh.exe, or powershell_ise.exe.\u003c/li\u003e\n\u003cli\u003eThe spawned process executes commands or scripts, potentially downloading or executing malware.\u003c/li\u003e\n\u003cli\u003eThe malicious script or command performs reconnaissance activities on the system.\u003c/li\u003e\n\u003cli\u003eThe script establishes persistence by creating a scheduled task or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement and data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could allow attackers to execute arbitrary commands, escalate privileges, and compromise the affected system. Depending on the user\u0026rsquo;s privileges, attackers could gain access to sensitive data, install malware, or pivot to other systems on the network. The impact ranges from data breaches to complete system compromise, potentially affecting all users within the organization who utilize the Zoom application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Zoom Child Process\u0026rdquo; to your SIEM to detect command interpreters spawned by Zoom.exe. Tune the rule for your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture detailed information about process executions, which is essential for the Sigma rule above.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the command-line arguments and network connections of the spawned processes.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security Event Logs for process creation events related to Zoom.exe and its child processes to identify suspicious behavior.\u003c/li\u003e\n\u003cli\u003eConsider implementing application control policies to restrict the execution of unauthorized processes within the Zoom application context.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-11-suspicious-zoom-child-process/","summary":"A suspicious Zoom child process was detected, indicating a potential attempt to run unnoticed by masquerading as Zoom.exe or exploiting a vulnerability, resulting in the execution of cmd.exe, powershell.exe, pwsh.exe, or powershell_ise.exe.","title":"Suspicious Zoom Child Process Execution","url":"https://feed.craftedsignal.io/briefs/2024-11-suspicious-zoom-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike","SentinelOne Cloud Funnel","Sysmon","Windows Security Event Logs"],"_cs_severities":["medium"],"_cs_tags":["lolbas","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThe Windows command line debugging utility, cdb.exe, is a legitimate tool used for debugging applications. However, adversaries can exploit it to execute unauthorized commands or shellcode, bypassing security measures. This can be achieved by running cdb.exe from non-standard installation paths and using specific command-line arguments to execute malicious commands. The LOLBAS project documents this technique, highlighting its potential for defense evasion. This activity has been observed across various environments, necessitating detection strategies that focus on identifying anomalous executions of cdb.exe.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker copies cdb.exe to a non-standard location (outside \u0026ldquo;Program Files\u0026rdquo; and \u0026ldquo;Program Files (x86)\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker executes cdb.exe with the \u003ccode\u003e-cf\u003c/code\u003e, \u003ccode\u003e-c\u003c/code\u003e, or \u003ccode\u003e-pd\u003c/code\u003e command-line arguments.\u003c/li\u003e\n\u003cli\u003eThese arguments are used to specify a command file or execute a direct command.\u003c/li\u003e\n\u003cli\u003eThe command file or command directly executes malicious code, such as shellcode.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs actions such as creating new processes, modifying files, or establishing network connections.\u003c/li\u003e\n\u003cli\u003eThese actions allow the attacker to maintain persistence or escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is to evade defenses and execute arbitrary code on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows adversaries to execute arbitrary commands and shellcode on the affected system, potentially leading to complete system compromise. This can result in data theft, installation of malware, or further propagation within the network. The technique is effective at bypassing application whitelisting and other security controls that rely on standard execution paths.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Execution via Windows Command Debugging Utility\u0026rdquo; to your SIEM to detect suspicious cdb.exe executions (see rules section).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging via Sysmon or Windows Security Event Logs to provide the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent execution of cdb.exe from non-standard paths.\u003c/li\u003e\n\u003cli\u003eMonitor process command lines for the \u003ccode\u003e-cf\u003c/code\u003e, \u003ccode\u003e-c\u003c/code\u003e, and \u003ccode\u003e-pd\u003c/code\u003e flags when cdb.exe is executed.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of cdb.exe running from unusual directories to determine legitimacy.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-07-cdb-execution/","summary":"Adversaries can abuse the Windows command line debugging utility cdb.exe to execute commands or shellcode from non-standard paths, evading traditional security measures.","title":"Suspicious Execution via Windows Command Debugging Utility","url":"https://feed.craftedsignal.io/briefs/2024-07-cdb-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection rule identifies modifications to Subject Interface Package (SIP) providers, a critical component of the Windows cryptographic system responsible for validating file signatures. Attackers may attempt to subvert trust controls by modifying SIP providers, allowing them to bypass signature validation checks and potentially inject malicious code into trusted processes. This activity is a form of defense evasion, allowing unauthorized code execution. The rule focuses on detecting suspicious registry changes associated with SIP providers, while excluding known benign processes to minimize false positives. The rule is designed for data generated by Elastic Defend, but also supports third-party data sources like CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon. This activity is related to MITRE ATT\u0026amp;CK technique T1553.003 (SIP and Trust Provider Hijacking).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through various means (e.g., phishing, exploitation of vulnerabilities).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain necessary permissions to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry keys associated with SIP providers, specifically targeting \u003ccode\u003eCryptSIPDllPutSignedDataMsg\u003c/code\u003e and \u003ccode\u003eTrust\\\\FinalPolicy\u003c/code\u003e locations.\u003c/li\u003e\n\u003cli\u003eThe attacker changes the \u003ccode\u003eDll\u003c/code\u003e value within these registry keys to point to a malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe system, upon attempting to validate a file signature, loads the malicious DLL instead of the legitimate SIP provider.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes arbitrary code, potentially injecting it into other processes.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the injected code to further compromise the system or network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of SIP providers allows attackers to bypass signature validation checks, leading to the execution of unsigned or malicious code. This can compromise the integrity of the system, leading to data breaches, system instability, or further propagation of malware within the network. The impact can range from individual workstation compromise to widespread organizational damage, depending on the scope of the attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SIP Provider Modification via Registry\u003c/code\u003e to your SIEM and tune it for your environment to detect suspicious registry modifications related to SIP providers.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to collect the necessary data for the Sigma rules above.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rules, focusing on the process responsible for the registry change and the DLL being loaded, as described in the rule\u0026rsquo;s triage section.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted code.\u003c/li\u003e\n\u003cli\u003eMonitor the registry paths listed in the Sigma rules for unexpected changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-01-sip-provider-modification/","summary":"This rule detects modifications to the registered Subject Interface Package (SIP) providers, which are used by the Windows cryptographic system to validate file signatures, potentially indicating an attempt to bypass signature validation or inject code for defense evasion.","title":"SIP Provider Modification for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-sip-provider-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","Crowdstrike","Elastic"],"content_html":"\u003cp\u003eThis detection identifies the modification of Discretionary Access Control Lists (DACLs) for Windows services using the \u003ccode\u003esc.exe\u003c/code\u003e utility. Attackers can leverage this technique to deny access to a service, making it unmanageable or hiding it from system administrators and users. The detection rule focuses on identifying instances where \u003ccode\u003esc.exe\u003c/code\u003e is used with the \u003ccode\u003esdset\u003c/code\u003e argument, specifically targeting the denial of access for key user groups such as IU, SU, BA, SY, and WD. This activity is indicative of a defense evasion attempt aimed at hindering security tools or preventing remediation. The rule is designed for data generated by Elastic Defend, but also supports integrations with third-party data sources like CrowdStrike, Microsoft Defender XDR, and SentinelOne Cloud Funnel, offering broad coverage for detecting this malicious behavior across diverse environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system through various means (e.g., compromised credentials, phishing).\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain necessary permissions to modify service configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003esc.exe\u003c/code\u003e with the \u003ccode\u003esdset\u003c/code\u003e command to modify the DACL of a targeted service.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esdset\u003c/code\u003e command arguments specify the new security descriptor, denying access to specific user groups (e.g., IU, SU, BA, SY, WD).\u003c/li\u003e\n\u003cli\u003eThe service becomes inaccessible to the targeted user groups, potentially disrupting legitimate operations or security tools.\u003c/li\u003e\n\u003cli\u003eThe attacker may repeat this process for multiple services to further impair system functionality or evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the disabled or hidden services to maintain persistence or carry out other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of service DACLs can lead to a denial-of-service condition for legitimate users and system administrators. This can impair the functionality of critical security tools, hinder incident response efforts, and provide attackers with a persistent foothold on the compromised system. The hiding of services can also prevent users from identifying and removing malicious services. While the number of victims is not specified in the source, organizations across various sectors are potentially vulnerable to this type of attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eService DACL Modification via sc.exe\u003c/code\u003e to your SIEM to detect this specific behavior.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to provide the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where \u003ccode\u003esc.exe\u003c/code\u003e is used with the \u003ccode\u003esdset\u003c/code\u003e argument and access denial flags, focusing on the targeted user groups (IU, SU, BA, SY, WD).\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and monitor for unauthorized attempts to modify service configurations.\u003c/li\u003e\n\u003cli\u003eRegularly audit service permissions to identify and remediate any unauthorized changes.\u003c/li\u003e\n\u003cli\u003eReview and update endpoint protection policies to prevent similar threats in the future, ensuring that all systems are equipped with the latest security patches and configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-07-service-dacl-modification/","summary":"Detection of service DACL modifications via `sc.exe` using the `sdset` command, potentially leading to defense evasion by denying service access to legitimate users or system accounts.","title":"Service DACL Modification via sc.exe","url":"https://feed.craftedsignal.io/briefs/2024-07-service-dacl-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["low"],"_cs_tags":["defense evasion","impact","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe Sysinternals SDelete utility is a legitimate tool developed by Microsoft for securely deleting files by overwriting and renaming them multiple times. While intended for secure data disposal, adversaries can abuse SDelete to remove forensic artifacts, destroy evidence of their activities, and impede data recovery efforts after a successful ransomware attack or data theft. This activity can be used as a post-exploitation technique. This detection rule focuses on identifying file name patterns indicative of SDelete\u0026rsquo;s operation, specifically detecting files with names resembling \u0026ldquo;*AAA.AAA\u0026rdquo;. The rule is designed to work with various endpoint detection and response solutions, including Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and CrowdStrike.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain the necessary permissions to delete files.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys or utilizes an existing copy of the SDelete utility.\u003c/li\u003e\n\u003cli\u003eThe attacker executes SDelete against targeted files or directories.\u003c/li\u003e\n\u003cli\u003eSDelete overwrites the targeted file(s) multiple times with random data.\u003c/li\u003e\n\u003cli\u003eSDelete renames the file(s) multiple times, often with patterns such as \u0026ldquo;*AAA.AAA\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eSDelete deletes the file(s) making recovery difficult.\u003c/li\u003e\n\u003cli\u003eThe attacker removes SDelete or any associated tools to further cover their tracks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can result in the permanent deletion of crucial forensic artifacts, log files, or even critical data. This can severely hinder incident response efforts, making it challenging to identify the scope of the attack, the attacker\u0026rsquo;s methods, and the compromised assets. The number of victims and affected sectors depends on the scale of the initial breach and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Potential Secure File Deletion via SDelete Utility\u0026rdquo; detection rule to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the detection rule, focusing on the process execution chain and identifying the user account involved.\u003c/li\u003e\n\u003cli\u003eReview the privileges assigned to the user account to ensure the least privilege principle is followed.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) logging to enhance visibility into file creation events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-01-28-sdelete-filename-rename/","summary":"This rule detects file name patterns generated by the use of Sysinternals SDelete utility, potentially used by attackers to delete forensic indicators and hinder data recovery efforts.","title":"Potential Secure File Deletion via SDelete Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-28-sdelete-filename-rename/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Installer"],"_cs_severities":["low"],"_cs_tags":["msiexec","remote-file-execution","initial-access","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Citrix"],"content_html":"\u003cp\u003eThe Windows Installer (msiexec.exe) is a built-in Windows component used for installing, modifying, and removing software. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files, bypassing security controls and potentially leading to initial access or defense evasion. This activity is often part of a broader attack chain, used to deliver and execute malicious payloads. The detection rule provided by Elastic identifies suspicious msiexec.exe activity by monitoring process starts, network connections, and child processes. It filters out known benign signatures and paths to highlight potential misuse. This detection is designed to work with Elastic Defend data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access via phishing (T1566) or other means to execute commands on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses msiexec.exe with the \u003ccode\u003e/V\u003c/code\u003e parameter to initiate the installation of a remote MSI package. This allows the attacker to bypass typical execution restrictions.\u003c/li\u003e\n\u003cli\u003eMsiexec.exe attempts a network connection (T1105) to retrieve the remote MSI package from a malicious server.\u003c/li\u003e\n\u003cli\u003eMsiexec.exe spawns a child process to handle the installation of the downloaded MSI package.\u003c/li\u003e\n\u003cli\u003eThe spawned child process executes malicious code embedded within the MSI package.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs actions such as installing malware, modifying system settings, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised system for further lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the installation of malware, unauthorized access to sensitive data, and further compromise of the affected system and network. While this specific rule has a low risk score, it can be an early indicator of more serious attacks. It is crucial to investigate any alerts generated by this rule to determine the full scope and impact of the potential compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to your SIEM to detect suspicious usage of \u003ccode\u003emsiexec.exe\u003c/code\u003e to install remote packages. Tune the rule for your environment by adding exceptions for legitimate software installation processes.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring and network connection logging on Windows endpoints to provide the necessary data for the Sigma rule to function effectively (Data Source: Elastic Defend).\u003c/li\u003e\n\u003cli\u003eReview the \u0026ldquo;Possible investigation steps\u0026rdquo; section in the Elastic rule\u0026rsquo;s documentation to investigate potential false positives and legitimate uses of \u003ccode\u003emsiexec.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized applications, including potentially malicious MSI packages.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-msiexec-remote-install/","summary":"The rule detects the execution of the built-in Windows Installer, msiexec.exe, to install a remote package potentially abused by adversaries for initial access and defense evasion.","title":"Potential Remote File Execution via MSIEXEC","url":"https://feed.craftedsignal.io/briefs/2026-05-msiexec-remote-install/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","Elastic Endgame"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","ntlm","registry-modification","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis rule detects a specific defense evasion technique where an attacker modifies the Windows registry to force a system to use the less secure NTLMv1 authentication protocol. This is known as a NetNTLMv1 downgrade attack. The registry modification involves changing the \u003ccode\u003eLmCompatibilityLevel\u003c/code\u003e value, which controls the authentication level. Attackers with local administrator privileges can perform this modification to weaken the authentication mechanism, making it easier to intercept and crack credentials. The rule is designed to detect this activity by monitoring registry events from various sources, including Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Crowdstrike. It is important to monitor for this activity as it can lead to credential theft and further compromise of the system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains local administrator privileges on a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a registry editor or command-line tool (e.g., \u003ccode\u003ereg.exe\u003c/code\u003e, PowerShell) to modify the \u003ccode\u003eLmCompatibilityLevel\u003c/code\u003e value in the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to one of the following registry paths: \u003ccode\u003eHKLM\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel\u003c/code\u003e or \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eLmCompatibilityLevel\u003c/code\u003e value to \u0026ldquo;0\u0026rdquo;, \u0026ldquo;1\u0026rdquo;, or \u0026ldquo;2\u0026rdquo; (or their hexadecimal equivalents \u0026ldquo;0x00000000\u0026rdquo;, \u0026ldquo;0x00000001\u0026rdquo;, \u0026ldquo;0x00000002\u0026rdquo;). These values force the system to use NTLMv1.\u003c/li\u003e\n\u003cli\u003eThe system now uses NTLMv1 for authentication attempts.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a man-in-the-middle attack to capture NTLMv1 authentication traffic using tools like Responder or Inveigh.\u003c/li\u003e\n\u003cli\u003eThe captured NTLMv1 hashes are cracked using brute-force or dictionary attacks, revealing the user\u0026rsquo;s credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to gain unauthorized access to network resources or other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful NetNTLMv1 downgrade attack can lead to the compromise of user credentials, enabling attackers to move laterally within the network, access sensitive data, and potentially escalate privileges. The impact can range from data breaches to complete system compromise, depending on the attacker\u0026rsquo;s objectives and the compromised user\u0026rsquo;s privileges.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential NetNTLMv1 Downgrade Attack\u0026rdquo; to detect registry modifications setting \u003ccode\u003eLmCompatibilityLevel\u003c/code\u003e to insecure values (0, 1, 2) within the specified registry paths.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to ensure the necessary data is available for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eReview registry event logs for unauthorized modifications of \u003ccode\u003eLmCompatibilityLevel\u003c/code\u003e to confirm legitimate administrative actions.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit local administrator privileges and reduce the attack surface.\u003c/li\u003e\n\u003cli\u003eMonitor the references URL for updates on recommended security configurations related to NTLM authentication.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-netntlmv1-downgrade/","summary":"This brief details a registry modification attack that downgrades the system to NTLMv1 authentication, enabling NetNTLMv1 downgrade attacks, typically performed with local administrator privileges on Windows systems.","title":"Potential NetNTLMv1 Downgrade Attack via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2026-05-netntlmv1-downgrade/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Filtering Platform","elastic-agent","elastic-endpoint"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows-filtering-platform","endpoint-security"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Bitdefender","VMware Carbon Black","Comodo","Vectra AI","Cybereason","Cylance","Elastic","ESET","Broadcom","Fortinet","Kaspersky","Malwarebytes","McAfee","Qualys","SentinelOne","Sophos","Symantec","Trend Micro","BeyondTrust","CrowdStrike","Splunk","Tanium"],"content_html":"\u003cp\u003eThe Windows Filtering Platform (WFP) provides APIs and system services for network filtering and packet processing. Attackers can abuse WFP by creating malicious rules to block endpoint security processes, hindering their ability to send telemetry. This can be achieved by tools like Shutter, EDRSilencer, and Nighthawk. This detection rule identifies patterns of blocked network events linked to security software processes, signaling potential evasion tactics. The rule specifically looks for blocked network events linked to processes associated with known security software, aiming to detect and alert on attempts to disable or modify security tools. This behavior is especially concerning as it allows attackers to operate with reduced visibility.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system (e.g., via compromised credentials or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain administrative rights, necessary to interact with the Windows Filtering Platform.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool or script (e.g., leveraging the \u003ccode\u003enetsh\u003c/code\u003e command or custom WFP API calls) to create a new WFP filter.\u003c/li\u003e\n\u003cli\u003eThe WFP filter is configured to block network traffic originating from specific processes associated with endpoint security software (e.g., \u003ccode\u003eelastic-agent.exe\u003c/code\u003e, \u003ccode\u003esysmon.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe system begins blocking network communication from the targeted security software.\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious commands or malware on the system, knowing that security telemetry will be suppressed.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network, repeating the WFP filter deployment on other systems to further impair defenses.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or ransomware deployment, with reduced risk of detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using WFP to impair defenses can lead to a significant reduction in the effectiveness of endpoint security solutions. This can result in delayed detection of malicious activities, increased dwell time for attackers, and ultimately, a higher likelihood of successful data breaches or ransomware attacks. With endpoint telemetry blocked, organizations may remain unaware of the ongoing compromise until significant damage has occurred. The number of affected systems can vary depending on the attacker\u0026rsquo;s scope and objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and review Windows Audit Filtering Platform Connection and Packet Drop events to populate the logs required for the provided EQL rule (logs-system.security*, logs-windows.forwarded*, winlogbeat-*).\u003c/li\u003e\n\u003cli\u003eDeploy the provided EQL rule to your SIEM to detect suspicious WFP modifications and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the EQL rule, focusing on identifying the specific processes being blocked and the source of the WFP rule modifications.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit WFP rules to identify any unauthorized or suspicious entries.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and monitoring for systems authorized to modify WFP rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-wfp-evasion/","summary":"Adversaries may add malicious Windows Filtering Platform (WFP) rules to prevent endpoint security solutions from sending telemetry data, impairing defenses, which this rule detects by identifying multiple WFP block events where the process name is associated with endpoint security software.","title":"Potential Evasion via Windows Filtering Platform Blocking Security Software","url":"https://feed.craftedsignal.io/briefs/2026-05-wfp-evasion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["WinWord.exe","EXPLORER.EXE","w3wp.exe","DISM.EXE","Microsoft Defender XDR"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","dll-side-loading","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies instances of Windows trusted programs such as WinWord.exe, EXPLORER.EXE, w3wp.exe, and DISM.EXE executing from unusual paths or after being renamed, which may indicate DLL side-loading. DLL side-loading is a defense evasion technique where a malicious DLL is placed in the same directory as a legitimate executable. When the executable runs, it may load the malicious DLL instead of the legitimate one, allowing the attacker to execute arbitrary code within the context of the trusted process. The detection logic focuses on process executions that deviate from standard installation paths. The targeted processes are commonly used and often whitelisted, making this a potent technique for adversaries to bypass security controls.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., through phishing or exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a trusted Windows program vulnerable to DLL side-loading (WinWord.exe, EXPLORER.EXE, w3wp.exe, or DISM.EXE).\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious DLL into a directory where the trusted program is expected to load DLLs from, often alongside a renamed or copied version of the legitimate executable.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker renames the trusted program and places it in a non-standard path.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the renamed or moved trusted program from the non-standard path.\u003c/li\u003e\n\u003cli\u003eThe trusted program loads the malicious DLL due to DLL search order hijacking.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes arbitrary code within the context of the trusted process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence, elevates privileges, or performs other malicious activities, potentially evading detection due to the trusted process context.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful DLL side-loading attack allows the attacker to execute arbitrary code within the context of a trusted Microsoft process. This can lead to privilege escalation, persistence, and further compromise of the system. Since the malicious code is running within a trusted process, it can bypass application whitelisting and other security controls, making it difficult to detect. This can lead to data theft, system disruption, or the installation of malware.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential DLL Side-Loading via Trusted Microsoft Programs\u0026rdquo; to your SIEM to detect suspicious executions of trusted programs from non-standard paths or with modifications.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to provide the necessary data for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eReview and tune the exclusion paths in the Sigma rule to avoid false positives from legitimate software updates, custom enterprise applications, or virtual environments.\u003c/li\u003e\n\u003cli\u003eMonitor process execution paths using the Sigma rule \u0026ldquo;Potential DLL Side-Loading via Trusted Microsoft Programs\u0026rdquo; and investigate any deviations from standard installation paths.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-dll-side-loading/","summary":"This rule detects potential DLL side-loading attempts by identifying instances of Windows trusted programs (WinWord.exe, EXPLORER.EXE, w3wp.exe, DISM.EXE) being started after being renamed or from a non-standard path, which is a common technique to evade defenses by side-loading a malicious DLL into the memory space of a trusted process.","title":"Potential DLL Side-Loading via Trusted Microsoft Programs","url":"https://feed.craftedsignal.io/briefs/2026-05-dll-side-loading/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike FDR"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","lateral-movement","persistence","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe LocalAccountTokenFilterPolicy is a Windows registry setting that, when enabled (set to 1), allows remote connections from local members of the Administrators group to be granted full high-integrity tokens during negotiation. This bypasses User Account Control (UAC) restrictions, allowing for elevated privileges remotely. Attackers may modify this registry setting to facilitate lateral movement within a network. This rule detects modifications to this specific registry setting, alerting on potential unauthorized changes that could lead to defense evasion and privilege escalation. The modification of this policy has been observed being leveraged in conjunction with pass-the-hash attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system through an exploit, such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains local administrator credentials on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the LocalAccountTokenFilterPolicy registry key to a value of 1. This is done to allow remote connections from local administrator accounts to receive high-integrity tokens. The registry key is typically located at \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a \u0026ldquo;pass the hash\u0026rdquo; attack (T1550.002) using the compromised local administrator credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems within the network using the \u0026ldquo;pass the hash\u0026rdquo; technique and the modified LocalAccountTokenFilterPolicy.\u003c/li\u003e\n\u003cli\u003eDue to the LocalAccountTokenFilterPolicy being enabled, the remote connection from the local administrator account receives a full high-integrity token.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses UAC on the remote system, gaining elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities on the remote system, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the LocalAccountTokenFilterPolicy allows attackers to bypass User Account Control (UAC) and gain elevated privileges on remote systems, potentially leading to unauthorized access to sensitive data, lateral movement across the network, and the deployment of ransomware. The overall impact can include data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eLocal Account TokenFilter Policy Enabled\u003c/code\u003e to your SIEM and tune for your environment to detect unauthorized modifications to the LocalAccountTokenFilterPolicy registry key.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture modifications to the registry, which is required for the \u003ccode\u003eLocal Account TokenFilter Policy Enabled\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview the processes excluded in the rule query and ensure they are legitimate and necessary to prevent false positives.\u003c/li\u003e\n\u003cli\u003eMonitor registry events for changes to the \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy\u003c/code\u003e path, specifically looking for changes to the value data.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-01-02-local-account-token-filter-policy-disabled/","summary":"Adversaries may modify the LocalAccountTokenFilterPolicy registry key to bypass User Account Control (UAC) and gain elevated privileges remotely by granting high-integrity tokens to remote connections from local administrators, facilitating lateral movement and defense evasion.","title":"Local Account TokenFilter Policy Modification for Defense Evasion and Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-02-local-account-token-filter-policy-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","code-signing","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers may attempt to subvert trust controls by disabling or modifying the code signing policy. This allows them to execute unsigned or self-signed malicious code. This can be achieved by modifying boot configuration data (BCD) settings using the built-in bcdedit.exe utility on Windows. Disabling Driver Signature Enforcement (DSE) allows the loading of untrusted drivers, which can compromise system integrity. The rule identifies commands that can disable the Driver Signature Enforcement feature. The scope of the targeting is broad, as it can affect any Windows system where an attacker gains sufficient privileges to modify the BCD settings. This activity is detected by analyzing process execution events for specific command-line arguments used with bcdedit.exe. The detection rule was last updated on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains administrative privileges on a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ebcdedit.exe\u003c/code\u003e with arguments to disable driver signature enforcement. Example: \u003ccode\u003ebcdedit.exe /set testsigning on\u003c/code\u003e or \u003ccode\u003ebcdedit.exe /set nointegritychecks on\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ebcdedit.exe\u003c/code\u003e modifies the Boot Configuration Data (BCD) store.\u003c/li\u003e\n\u003cli\u003eThe system is restarted to apply the changes made to the BCD.\u003c/li\u003e\n\u003cli\u003eThe attacker loads an unsigned or self-signed malicious driver.\u003c/li\u003e\n\u003cli\u003eThe malicious driver executes with kernel-level privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities such as installing rootkits, bypassing security controls, or stealing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by ensuring the malicious driver is loaded on subsequent system reboots.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the code signing policy can lead to the execution of unsigned or self-signed malicious code, which can compromise the integrity and security of the system. Attackers can install rootkits, bypass security controls, or steal sensitive data. The impact can range from individual system compromise to broader network-wide attacks, depending on the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Code Signing Policy Modification Through Built-in Tools\u0026rdquo; to your SIEM to detect the execution of \u003ccode\u003ebcdedit.exe\u003c/code\u003e with arguments used to disable code signing (process.args).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments on Windows systems to ensure the Sigma rule can capture the relevant events (logsource).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of code signing policy modification, as this activity is typically not legitimate and can indicate malicious activity. The rule \u003ccode\u003eFirst Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\u003c/code\u003e can be used to detect suspicious drivers loaded into the system after the command was executed.\u003c/li\u003e\n\u003cli\u003eEnsure that Driver Signature Enforcement is enabled on all systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-01-09-code-signing-policy-modification/","summary":"Attackers may attempt to disable or modify code signing policies on Windows systems by using built-in tools like bcdedit.exe in order to execute unsigned or self-signed malicious code.","title":"Code Signing Policy Modification Through Built-in Tools","url":"https://feed.craftedsignal.io/briefs/2024-01-09-code-signing-policy-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MOVEit Automation"],"_cs_severities":["high"],"_cs_tags":["vulnerability","privilege-escalation","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Progress Software"],"content_html":"\u003cp\u003eProgress Software\u0026rsquo;s MOVEit Automation is susceptible to multiple vulnerabilities that, if exploited, could allow an attacker to circumvent existing security measures and escalate privileges within the system. While specific details on the vulnerabilities are lacking, the advisory indicates a potential for significant impact on the confidentiality, integrity, and availability of systems utilizing the affected software. This is especially concerning given the role of MOVEit Automation in managing and transferring sensitive files, making it a high-value target for malicious actors seeking to exfiltrate data or disrupt business operations. Defenders should prioritize identifying and patching vulnerable instances of MOVEit Automation to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable MOVEit Automation instance.\u003c/li\u003e\n\u003cli\u003eAttacker exploits a vulnerability to gain initial access to the system. Due to lack of specifics, it is unknown how initial access occurs.\u003c/li\u003e\n\u003cli\u003eAttacker bypasses security measures using an unspecified exploit.\u003c/li\u003e\n\u003cli\u003eAttacker escalates privileges within the MOVEit Automation environment.\u003c/li\u003e\n\u003cli\u003eAttacker leverages escalated privileges to access sensitive data or system configurations.\u003c/li\u003e\n\u003cli\u003eAttacker moves laterally within the network, exploiting the compromised MOVEit Automation instance as a pivot point.\u003c/li\u003e\n\u003cli\u003eAttacker exfiltrates sensitive data or deploys malicious payloads to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could lead to unauthorized access to sensitive data, system compromise, and potential disruption of business operations. The lack of specific details makes it difficult to quantify the exact number of victims or sectors targeted. However, given the widespread use of MOVEit Automation in various industries, a successful attack could have far-reaching consequences, including financial losses, reputational damage, and regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security patches provided by Progress Software for MOVEit Automation to remediate the vulnerabilities.\u003c/li\u003e\n\u003cli\u003eMonitor MOVEit Automation logs for suspicious activity indicative of exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a successful attack on MOVEit Automation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T10:24:10Z","date_published":"2026-05-04T10:24:10Z","id":"/briefs/2026-05-moveit-automation-vulns/","summary":"Multiple vulnerabilities in Progress Software MOVEit Automation can be exploited by an attacker to bypass security measures or gain elevated privileges.","title":"Multiple Vulnerabilities in Progress Software MOVEit Automation","url":"https://feed.craftedsignal.io/briefs/2026-05-moveit-automation-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":5.5,"id":"CVE-2026-0967"}],"_cs_exploited":false,"_cs_products":["libssh"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","libssh","CVE-2026-0967","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-0967 is a denial-of-service (DoS) vulnerability affecting libssh, a library implementing the SSH protocol. The root cause lies in the inefficient processing of regular expressions within the library\u0026rsquo;s code. An attacker could exploit this vulnerability by sending specially crafted input that triggers excessive resource consumption during regular expression matching, leading to a denial of service. Successful exploitation could potentially enable defense evasion by overwhelming security controls and negatively impacting the availability of systems relying on the vulnerable libssh library. The vulnerability affects both Linux and Windows platforms where libssh is used.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a service or application utilizing a vulnerable version of libssh.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious input string designed to trigger inefficient regular expression processing within libssh.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted input to the vulnerable service via a network connection (e.g., SSH).\u003c/li\u003e\n\u003cli\u003eThe libssh library attempts to process the malicious input using its regular expression engine.\u003c/li\u003e\n\u003cli\u003eThe inefficient regular expression causes excessive CPU consumption or memory allocation.\u003c/li\u003e\n\u003cli\u003eThe vulnerable service becomes unresponsive due to resource exhaustion, leading to a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eSubsequent legitimate requests to the service are blocked or delayed, further exacerbating the impact.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0967 can result in a denial-of-service condition, rendering affected services or applications unavailable. The impact scope depends on the role of the affected system. For example, a critical server becoming unavailable could disrupt business operations. While the number of potential victims is unknown, any system utilizing a vulnerable version of libssh is susceptible. The defense evasion aspect could allow attackers to bypass security controls during the DoS.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify systems using libssh and determine the installed version.\u003c/li\u003e\n\u003cli\u003eApply available patches or updates for libssh to remediate CVE-2026-0967 as released by Microsoft.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Libssh Regex Processing\u0026rdquo; to monitor for potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor CPU and memory usage on systems running libssh for unusual spikes, which may indicate a DoS attack.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on services using libssh to mitigate the impact of DoS attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T07:16:39Z","date_published":"2026-05-01T07:16:39Z","id":"/briefs/2024-01-libssh-dos/","summary":"CVE-2026-0967 is a denial-of-service vulnerability in libssh, stemming from inefficient regular expression processing that could lead to defense evasion and impact availability on affected systems.","title":"Libssh Denial-of-Service Vulnerability via Inefficient Regular Expression Processing (CVE-2026-0967)","url":"https://feed.craftedsignal.io/briefs/2024-01-libssh-dos/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.6,"id":"CVE-2026-6296"},{"cvss":8.3,"id":"CVE-2026-6297"},{"cvss":4.3,"id":"CVE-2026-6298"},{"cvss":8.8,"id":"CVE-2026-6299"},{"cvss":8.8,"id":"CVE-2026-6300"}],"_cs_exploited":false,"_cs_products":["Chrome"],"_cs_severities":["high"],"_cs_tags":["chrome","vulnerability","code-execution","defense-evasion","information-disclosure","denial-of-service"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eMultiple unspecified vulnerabilities have been identified in Google Chrome. An attacker exploiting these vulnerabilities could potentially execute arbitrary code, circumvent security measures, expose and manipulate sensitive information, and trigger a denial-of-service condition. The specifics of these vulnerabilities, including CVE identifiers, are not detailed in the source document. The lack of detail makes it difficult to determine the scope of the attack, but successful exploitation could lead to significant compromise of systems running Chrome. Defenders should prioritize monitoring for suspicious activity within Chrome processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable version of Google Chrome.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious web page or injects malicious code into a legitimate website.\u003c/li\u003e\n\u003cli\u003eA user visits the malicious web page or a compromised legitimate website using Google Chrome.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a vulnerability in Chrome, such as a use-after-free or buffer overflow.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation allows the attacker to execute arbitrary code within the context of the Chrome process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the code execution to bypass security mechanisms like sandboxing.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive data, such as cookies, browsing history, or credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates data or causes a denial-of-service condition by crashing the browser or consuming excessive resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, bypass security mechanisms, disclose and manipulate data, and cause a denial-of-service condition. The impact ranges from data theft and credential compromise to complete system takeover, depending on the specific vulnerability and the attacker\u0026rsquo;s objectives. While the exact number of potential victims is unknown, the widespread use of Chrome makes this a high-impact threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for suspicious child processes spawned by chrome.exe, especially those involving command-line interpreters or scripting engines. Use the \u0026ldquo;Detect Suspicious Child Process of Chrome\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eInspect network connections originating from chrome.exe for unusual destinations or protocols. Deploy the \u0026ldquo;Detect Outbound Connection from Chrome without User Interaction\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement web content filtering to block access to known malicious websites that might attempt to exploit Chrome vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T09:09:14Z","date_published":"2026-04-30T09:09:14Z","id":"/briefs/2026-05-chrome-vulns/","summary":"Multiple vulnerabilities in Google Chrome could allow an attacker to execute arbitrary code, bypass security mechanisms, disclose and manipulate data, and cause a denial-of-service condition.","title":"Multiple Vulnerabilities in Google Chrome","url":"https://feed.craftedsignal.io/briefs/2026-05-chrome-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-41380"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["cve-2026-41380","execution-approval-bypass","privilege-escalation","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw, a software of undetermined function, is vulnerable to an execution approval bypass (CVE-2026-41380) affecting versions prior to 2026.3.28. The vulnerability resides in \u003ccode\u003eexec-approvals-allowlist.ts\u003c/code\u003e, where the system incorrectly trusts wrapper carrier executables instead of the actual invoked targets. This flaw allows attackers to manipulate positional carrier executable routing through dispatch wrappers. By exploiting this, attackers can establish overly broad allowlist entries, effectively weakening the intended execution approval boundaries. This vulnerability was reported on April 28, 2026, and poses a significant risk by allowing unauthorized code execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a system with OpenClaw installed, potentially through social engineering or exploiting other vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a dispatch wrapper executable that is already on the allowlist.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload to be executed through the identified wrapper.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages positional carrier executable routing to pass the malicious payload to the wrapper.\u003c/li\u003e\n\u003cli\u003eOpenClaw\u0026rsquo;s \u003ccode\u003eexec-approvals-allowlist.ts\u003c/code\u003e incorrectly trusts the wrapper, adding it to the allow-always list.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands using the allowlisted wrapper with the malicious payload, bypassing intended restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges by executing privileged commands through the bypassed execution approval mechanism.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence by utilizing the now-trusted wrapper to execute malicious code repeatedly.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41380 allows attackers to bypass intended execution restrictions within OpenClaw. This can lead to arbitrary code execution, privilege escalation, and persistent malicious activity. The vulnerability allows attackers to effectively weaken the security posture of systems relying on OpenClaw\u0026rsquo;s execution approval mechanisms, potentially leading to complete system compromise. The precise number of affected installations is unknown, but any system running a vulnerable version of OpenClaw is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.28 or later to remediate CVE-2026-41380.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Suspicious OpenClaw Wrapper Execution\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview existing allowlist entries within OpenClaw to identify and remove any overly broad or suspicious entries that may have been created through exploitation of CVE-2026-41380.\u003c/li\u003e\n\u003cli\u003eMonitor OpenClaw\u0026rsquo;s logs for unexpected or unauthorized execution events related to wrapper executables as described in the vulnerability details.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-exec-approval-bypass/","summary":"OpenClaw before 2026.3.28 contains an execution approval vulnerability in exec-approvals-allowlist.ts that allows attackers to bypass intended execution restrictions by exploiting trust relationships with wrapper carrier executables, leading to privilege escalation and defense evasion.","title":"OpenClaw Execution Approval Bypass Vulnerability (CVE-2026-41380)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-exec-approval-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["dell","powerprotect","datadomain","vulnerability","privilege-escalation","defense-evasion","credential-access","impact"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple vulnerabilities exist within Dell PowerProtect Data Domain OS, potentially enabling a malicious actor to compromise systems. Successful exploitation could lead to arbitrary code execution with root privileges, privilege escalation to administrator level, circumvention of security mechanisms, data manipulation, sensitive information disclosure, and the execution of other unspecified malicious activities. The vulnerabilities could be exploited to gain complete control over the affected systems, leading to significant data loss, disruption of services, or other severe consequences. The full scope of affected versions and the specific vulnerabilities involved are not detailed in the source information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eGiven the broad nature of the advisory, the following attack chain is constructed based on the potential capabilities granted by exploiting the vulnerabilities:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker exploits a remote code execution vulnerability in Dell PowerProtect Data Domain OS, potentially through a network service or web interface.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker leverages an additional vulnerability to escalate privileges from an initial low-privilege shell to root access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e With root privileges, the attacker disables or bypasses security measures, such as intrusion detection systems or anti-malware software.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker gains access to stored credentials, such as those used for backups or system administration, by dumping the system\u0026rsquo;s credential store.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Manipulation:\u003c/strong\u003e The attacker modifies data stored within the Dell PowerProtect Data Domain system, potentially corrupting backups or injecting malicious code into stored files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInformation Disclosure:\u003c/strong\u003e The attacker extracts sensitive information, such as customer data, internal documents, or system configurations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Using the compromised Data Domain OS, the attacker can pivot to other systems within the network leveraging the credentials obtained or the trust relationships established.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their final objective, which may include data exfiltration, system disruption, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could result in significant damage to organizations utilizing Dell PowerProtect Data Domain OS. This could include data loss due to corruption or deletion, financial losses from service disruption, reputational damage, and legal repercussions from the disclosure of sensitive information. The absence of specific victim counts or sector targeting makes quantifying the impact difficult, but the potential for widespread disruption and data compromise is high.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInvestigate Dell\u0026rsquo;s security advisories and apply the necessary patches to address the vulnerabilities in PowerProtect Data Domain OS as soon as they become available.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a compromised Data Domain OS on other systems.\u003c/li\u003e\n\u003cli\u003eEnable logging on Dell PowerProtect Data Domain OS, including process creation and network connection logs, to detect potential exploitation attempts and investigate suspicious activity, allowing the deployment of the Sigma rules below.\u003c/li\u003e\n\u003cli\u003eMonitor for unauthorized access attempts to Dell PowerProtect Data Domain OS through webserver logs, specifically looking for suspicious cs-uri-query strings (see rule \u0026ldquo;Detect Web Request for Potential Dell PowerProtect Exploit\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T08:05:52Z","date_published":"2026-04-21T08:05:52Z","id":"/briefs/2026-04-dell-powerprotect-vulns/","summary":"Multiple vulnerabilities in Dell PowerProtect Data Domain OS allow an attacker to execute arbitrary code with root privileges, escalate privileges to administrator, bypass security measures, manipulate data, disclose sensitive information, or conduct unspecified attacks.","title":"Multiple Vulnerabilities in Dell PowerProtect Data Domain OS","url":"https://feed.craftedsignal.io/briefs/2026-04-dell-powerprotect-vulns/"},{"_cs_actors":["GOLD ENCOUNTER"],"_cs_cves":[{"cvss":9.8,"id":"CVE-2025-26399"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["payouts-king","ransomware","qemu","vm","defense-evasion"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThe Payouts King ransomware, associated with the GOLD ENCOUNTER threat group, is utilizing QEMU, an open-source CPU emulator, to run hidden Alpine Linux virtual machines (VMs) on compromised Windows systems, effectively bypassing endpoint security solutions. This technique allows attackers to execute malicious payloads, store sensitive data, and create covert remote access tunnels over SSH without being detected by host-based security tools. Observed since November 2025 (tracked as STAC4713), this campaign initially exploited exposed SonicWall VPNs and the SolarWinds Web Help Desk vulnerability (CVE-2025-26399). More recent attacks have leveraged exposed Cisco SSL VPNs and Microsoft Teams phishing campaigns to deliver payloads. The attackers are likely tied to former BlackBasta affiliates based on similar initial access methods. This tactic enables persistence, elevated privileges, and data exfiltration while evading detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e Attackers gain initial access through exposed SonicWall VPNs, Cisco SSL VPNs, or by exploiting the SolarWinds Web Help Desk vulnerability (CVE-2025-26399). Alternatively, they use Microsoft Teams phishing, tricking employees into downloading and executing malicious files via QuickAssist.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Delivery:\u003c/strong\u003e In some instances, a legitimate ADNotificationManager.exe binary is used to sideload a Havoc C2 payload (vcruntime140_1.dll).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eQEMU Deployment:\u003c/strong\u003e A scheduled task named ‘TPMProfiler’ is created to launch a hidden QEMU VM as SYSTEM, utilizing virtual disk files disguised as databases and DLL files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVM Configuration:\u003c/strong\u003e The QEMU VM runs Alpine Linux (version 3.22.0), containing attacker tools such as AdaptixC2, Chisel, BusyBox, and Rclone.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReverse SSH Tunnel:\u003c/strong\u003e Port forwarding is set up to establish a reverse SSH tunnel, providing covert access to the infected host.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e Attackers use VSS (vssuirun.exe) to create a shadow copy, then use the print command over SMB to copy NTDS.dit, SAM, and SYSTEM hives to temp directories.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e Rclone is leveraged to exfiltrate data to a remote SFTP location or other exfiltration methods, such as FTP, are used.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEncryption and Extortion:\u003c/strong\u003e The Payouts King ransomware encrypts systems using AES-256 (CTR) with RSA-4096 with intermittent encryption for larger files. Ransom notes are dropped, directing victims to leak sites on the dark web.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful Payouts King ransomware attacks can result in significant data loss, system downtime, and financial repercussions for victim organizations. The use of QEMU VMs provides an additional layer of stealth, making detection and remediation more challenging. Targeted sectors are not specified in this report, but the use of exposed VPNs and phishing suggests a broad targeting scope. The ransom demands and potential data leaks on the dark web further compound the damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for unauthorized QEMU installations and suspicious scheduled tasks running with SYSTEM privileges, as these are key indicators of compromise (see Overview).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect unusual SSH port forwarding and outbound SSH tunnels on non-standard ports, which could indicate a reverse SSH tunnel (see Attack Chain).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect ADNotificationManager Sideloading Havoc C2\u0026rdquo; to identify instances where ADNotificationManager.exe is used to sideload the Havoc C2 payload (vcruntime140_1.dll) (see Rules).\u003c/li\u003e\n\u003cli\u003eReview and patch CVE-2025-26399 in SolarWinds Web Help Desk and apply necessary security measures for exposed SonicWall and Cisco SSL VPNs to prevent initial access (see Attack Chain).\u003c/li\u003e\n\u003cli\u003eMonitor for processes creating shadow copies (vssuirun.exe) followed by unusual file access patterns (NTDS.dit, SAM, SYSTEM hives) via SMB, indicative of credential theft (see Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T12:00:00Z","date_published":"2026-04-18T12:00:00Z","id":"/briefs/2026-04-payouts-king-qemu/","summary":"The Payouts King ransomware is leveraging QEMU VMs as a reverse SSH backdoor to execute payloads, store malicious files, and establish covert remote access tunnels, bypassing endpoint security measures.","title":"Payouts King Ransomware Abusing QEMU VMs for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2026-04-payouts-king-qemu/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["oauth","authorization","bypass","privilege-escalation","defense-evasion"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAn authorization bypass vulnerability affects the OAuth provider component of Better Auth, specifically versions 1.4.8-beta.7 through 1.6.4 and 1.7.0-beta.0 through 1.7.0-beta.1. This flaw allows any authenticated, low-privilege user to create OAuth clients, bypassing the intended restrictions set by the \u003ccode\u003eclientPrivileges\u003c/code\u003e configuration. The vulnerability stems from the client creation endpoints (\u003ccode\u003eadminCreateOAuthClient\u003c/code\u003e and \u003ccode\u003ecreateOAuthClient\u003c/code\u003e) not enforcing the \u003ccode\u003eclientPrivileges\u003c/code\u003e check before creating new OAuth clients. This bypass allows attackers to register OAuth clients with attacker-controlled redirect URIs and metadata, potentially leading to phishing attacks and abuse of trust assumptions in OAuth/OIDC flows. Defenders should implement detections to identify unauthorized OAuth client creation attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Better Auth application with a low-privilege account.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to either \u003ccode\u003e/api/auth/oauth2/create-client\u003c/code\u003e or a custom endpoint that routes to \u003ccode\u003eadminCreateOAuthClient\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker includes parameters for \u003ccode\u003eclient_name\u003c/code\u003e, \u003ccode\u003eredirect_uris\u003c/code\u003e, and other client metadata within the POST request body.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecreateOAuthClientEndpoint\u003c/code\u003e function is called without first performing a \u003ccode\u003eclientPrivileges\u003c/code\u003e authorization check.\u003c/li\u003e\n\u003cli\u003eA new OAuth client is created and persisted in the system.\u003c/li\u003e\n\u003cli\u003eThe attacker now controls a registered OAuth client with attacker-defined redirect URIs.\u003c/li\u003e\n\u003cli\u003eThe attacker can potentially use this client for phishing attacks or to bypass consent flows if \u003ccode\u003eskip_consent\u003c/code\u003e is enabled (if \u003ccode\u003eadminCreateOAuthClient\u003c/code\u003e is exposed).\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the newly created OAuth client to gain unauthorized access to resources or user data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows unauthorized users to create OAuth clients, potentially leading to several negative consequences. Attackers can register clients with malicious redirect URIs, which can be used in phishing campaigns to steal user credentials or OAuth tokens. In scenarios where the \u003ccode\u003eadminCreateOAuthClient\u003c/code\u003e endpoint is exposed, attackers can create clients that bypass user consent, further increasing the risk of successful attacks. The impact is significant because it breaks the intended access control mechanism of the \u003ccode\u003eclientPrivileges\u003c/code\u003e configuration, affecting applications that rely on it to restrict client registration. Successful exploitation can lead to unauthorized access to user data, compromised accounts, and damaged trust in the application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the \u003ccode\u003e/api/auth/oauth2/create-client\u003c/code\u003e endpoint, especially from users who should not have client creation privileges. Implement the \u0026ldquo;Detect Unauthorized OAuth Client Creation Attempt\u0026rdquo; Sigma rule below, using webserver logs (category: \u0026ldquo;webserver\u0026rdquo;, product: \u0026ldquo;linux\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eApply the necessary patches to upgrade \u003ccode\u003e@better-auth/oauth-provider\u003c/code\u003e to a version that addresses this vulnerability (\u0026gt;= 1.6.5 or \u0026gt;= 1.7.0-beta.2).\u003c/li\u003e\n\u003cli\u003eAudit your application\u0026rsquo;s OAuth client registration process to ensure that the \u003ccode\u003eclientPrivileges\u003c/code\u003e check is enforced correctly.\u003c/li\u003e\n\u003cli\u003eIf using \u003ccode\u003eadminCreateOAuthClient\u003c/code\u003e, ensure it is not exposed to low-privilege authenticated users to prevent the \u003ccode\u003eskip_consent\u003c/code\u003e bypass.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect OAuth Client Creation with Skip Consent\u0026rdquo; Sigma rule if your deployment exposes the admin client creation endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T12:00:00Z","date_published":"2026-04-17T12:00:00Z","id":"/briefs/2026-04-better-auth-oauth-bypass/","summary":"An authorization bypass vulnerability exists in Better Auth's OAuth provider, allowing low-privilege users to create OAuth clients despite configured clientPrivileges, potentially leading to unauthorized client registration and increased phishing risks.","title":"Better Auth OAuth Provider Authorization Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-better-auth-oauth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2026-33804"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["fastify","middie","middleware","bypass","cve-2026-33804","defense-evasion"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003e@fastify/middie, a Fastify middleware engine, is vulnerable to a significant security bypass. Specifically, versions 9.3.1 and earlier are susceptible when the deprecated Fastify \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e option is enabled. This vulnerability, identified as CVE-2026-33804, arises because the middleware\u0026rsquo;s path matching logic fails to account for the duplicate slash normalization performed by Fastify\u0026rsquo;s router. Consequently, crafted HTTP requests containing duplicate slashes can circumvent middleware authentication and authorization checks, potentially granting unauthorized access to protected resources. This vulnerability only affects applications that are actively using the deprecated \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e option. The recommended remediation is to upgrade to @fastify/middie version 9.3.2, which addresses this issue. Alternatively, disabling the \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e option can serve as a mitigation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Fastify application using @fastify/middie version 9.3.1 or earlier with the \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e option enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a protected resource. The request URI includes duplicate slashes (e.g., \u003ccode\u003e/api//resource\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe request is received by the Fastify server.\u003c/li\u003e\n\u003cli\u003eFastify\u0026rsquo;s router normalizes the duplicate slashes in the URI before passing it to the middleware.\u003c/li\u003e\n\u003cli\u003eThe middleware\u0026rsquo;s path matching logic fails to correctly handle the normalized URI due to the \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e setting.\u003c/li\u003e\n\u003cli\u003eAs a result, the request bypasses the intended authentication and/or authorization checks implemented by the middleware.\u003c/li\u003e\n\u003cli\u003eThe request reaches the targeted resource, which is processed by the application.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the resource, potentially leading to data breaches, privilege escalation, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass authentication and authorization controls, potentially gaining unauthorized access to sensitive data or functionality within the Fastify application. The severity of the impact depends on the nature of the protected resources and the extent of the attacker\u0026rsquo;s access. This could lead to data breaches, privilege escalation, or other malicious activities. The number of potential victims is dependent on the number of applications using the vulnerable version of @fastify/middie with the \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e option enabled.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade @fastify/middie to version 9.3.2 or later to patch the vulnerability described in CVE-2026-33804.\u003c/li\u003e\n\u003cli\u003eDisable the \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e option in Fastify configurations as an alternative mitigation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetectFastifyMiddieBypassAttempt\u003c/code\u003e to identify potential exploitation attempts based on duplicate slashes in the request URI.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T15:17:34Z","date_published":"2026-04-16T15:17:34Z","id":"/briefs/2026-04-fastify-middie-bypass/","summary":"A middleware bypass vulnerability (CVE-2026-33804) exists in @fastify/middie versions 9.3.1 and earlier when the deprecated Fastify ignoreDuplicateSlashes option is enabled, potentially allowing unauthorized access.","title":"@fastify/middie Middleware Bypass Vulnerability (CVE-2026-33804)","url":"https://feed.craftedsignal.io/briefs/2026-04-fastify-middie-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["registry-modification","persistence","defense-evasion","scripting-engine"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis brief covers suspicious registry modifications made by scripting engine processes like WScript, CScript, and MSHTA. These processes are often abused by attackers to modify the registry without using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence. Legitimate use of these scripting engines to modify the registry is uncommon, making this behavior a good indicator of potential malicious activity. Defenders should monitor for these processes interacting with sensitive registry keys. This activity was observed as of 2025 and continues to be a relevant technique for persistence and defense evasion in 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system via an exploit or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker uses MSHTA.exe to execute malicious HTML Application code.\u003c/li\u003e\n\u003cli\u003eMSHTA.exe is used to launch a PowerShell script.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script uses the Registry module to add a new registry key.\u003c/li\u003e\n\u003cli\u003eThe registry key is configured to execute a payload upon system startup.\u003c/li\u003e\n\u003cli\u003eThe attacker uses wscript.exe or cscript.exe to execute VBScript or JScript.\u003c/li\u003e\n\u003cli\u003eThe script modifies registry values to disable security features.\u003c/li\u003e\n\u003cli\u003eThe compromised system restarts, executing the payload defined in the registry, granting the attacker persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish persistence on the targeted system, enabling them to maintain access even after a reboot. This can lead to data theft, further malware deployment, or complete system compromise. The impact ranges from minor data breaches to significant operational disruptions. The scope of the impact depends on the attacker\u0026rsquo;s objectives and the compromised system\u0026rsquo;s role within the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Registry Tampering by Potentially Suspicious Processes\u0026rdquo; to your SIEM to detect this specific activity, and tune for your environment (rules).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of wscript.exe, cscript.exe or mshta.exe modifying registry keys outside of known-good paths (rules).\u003c/li\u003e\n\u003cli\u003eMonitor registry events for unexpected modifications by scripting engines, focusing on persistence-related keys (rules).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T12:50:16Z","date_published":"2026-04-14T12:50:16Z","id":"/briefs/2026-04-susp-reg-mod/","summary":"Scripting engines such as WScript, CScript, and MSHTA are being used to make registry modifications, potentially for persistence or defense evasion.","title":"Suspicious Registry Modifications by Scripting Engines","url":"https://feed.craftedsignal.io/briefs/2026-04-susp-reg-mod/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["spring-cloud-gateway","security-bypass","defense-evasion"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability exists in VMware Tanzu Spring Cloud Gateway that allows a remote, anonymous attacker to bypass security precautions. This vulnerability could potentially permit unauthorized access to protected resources, manipulation of data, or disruption of services. The advisory, released in April 2026, highlights the risk associated with unpatched instances of Spring Cloud Gateway. Organizations using this software should immediately investigate and apply necessary updates or mitigations to prevent exploitation. The lack of specific CVE or version information in the initial report necessitates a proactive approach to identify and address potential vulnerabilities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable VMware Tanzu Spring Cloud Gateway instance accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request specifically designed to exploit the security bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eThe crafted request is sent to the vulnerable Spring Cloud Gateway instance.\u003c/li\u003e\n\u003cli\u003eThe vulnerability allows the attacker to bypass authentication or authorization checks implemented by the gateway.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to backend services or resources normally protected by the gateway.\u003c/li\u003e\n\u003cli\u003eThe attacker performs unauthorized actions, such as accessing sensitive data, modifying configurations, or executing commands on backend systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass intended security controls, potentially leading to data breaches, service disruption, or unauthorized control of backend systems. The lack of specific victim numbers or sector targeting data in the initial advisory suggests a broad potential impact across various industries utilizing VMware Tanzu Spring Cloud Gateway. The severity of the impact depends on the scope of access gained and the sensitivity of the compromised data or systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAudit all instances of VMware Tanzu Spring Cloud Gateway within your environment to identify potentially vulnerable deployments.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category: webserver, product: linux) for suspicious requests targeting Spring Cloud Gateway instances, looking for unusual URI patterns or HTTP status codes.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect suspicious HTTP requests indicative of security bypass attempts.\u003c/li\u003e\n\u003cli\u003eContinuously monitor for updated advisories and security patches from VMware regarding Spring Cloud Gateway.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-13T10:12:40Z","date_published":"2026-04-13T10:12:40Z","id":"/briefs/2026-04-spring-cloud-gateway-bypass/","summary":"An anonymous, remote attacker can exploit a vulnerability in VMware Tanzu Spring Cloud Gateway to bypass security measures, potentially gaining unauthorized access or control.","title":"VMware Tanzu Spring Cloud Gateway Security Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-spring-cloud-gateway-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-34780"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["electron","context-isolation","javascript","xss","CVE-2026-34780","defense-evasion","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eElectron, a framework for building cross-platform desktop applications using web technologies, is vulnerable to a context isolation bypass (CVE-2026-34780) when handling VideoFrame objects. This vulnerability affects Electron versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8. Specifically, applications are at risk if they utilize \u003ccode\u003econtextBridge.exposeInMainWorld()\u003c/code\u003e to pass a VideoFrame object from a preload script to the main world. An attacker who achieves JavaScript execution in the main world, for example, through a cross-site scripting (XSS) vulnerability, can leverage a bridged VideoFrame to bypass context isolation and gain access to the isolated world, including Node.js APIs exposed to the preload script. This access enables further malicious activities, potentially leading to arbitrary code execution on the host system. Patches are available in versions 39.8.0, 40.7.0, and 41.0.0-beta.8.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an Electron application using a vulnerable version of Electron (39.0.0-alpha.1 to 39.7.x, 40.0.0-alpha.1 to 40.6.x, or 41.0.0-alpha.1 to 41.0.0-beta.7) that also uses \u003ccode\u003econtextBridge.exposeInMainWorld()\u003c/code\u003e to expose a \u003ccode\u003eVideoFrame\u003c/code\u003e object.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious JavaScript code into the application\u0026rsquo;s main world. This can be achieved through various means, such as exploiting a cross-site scripting (XSS) vulnerability.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript code interacts with the bridged \u003ccode\u003eVideoFrame\u003c/code\u003e object.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eVideoFrame\u003c/code\u003e object, due to the vulnerability, allows the attacker to bypass context isolation and gain access to the isolated world.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the access to the isolated world to access Node.js APIs that are exposed to the preload script.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the exposed Node.js APIs to perform malicious actions, such as reading sensitive data, modifying application settings, or executing arbitrary code on the host system.\u003c/li\u003e\n\u003cli\u003eThe attacker may escalate privileges by exploiting further vulnerabilities or misconfigurations within the application or the underlying operating system.\u003c/li\u003e\n\u003cli\u003eThe final objective is to achieve arbitrary code execution on the host system, allowing the attacker to perform any desired actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-34780) allows an attacker to bypass context isolation in affected Electron applications, potentially leading to arbitrary code execution. The number of victims depends on the popularity and security posture of Electron applications that bridge VideoFrame objects. If the attack succeeds, an attacker could steal sensitive data, install malware, or completely compromise the user\u0026rsquo;s system. Sectors heavily reliant on Electron-based desktop applications, such as communication, development, and productivity tools, are at higher risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Electron applications to patched versions (39.8.0, 40.7.0, or 41.0.0-beta.8) to address CVE-2026-34780.\u003c/li\u003e\n\u003cli\u003eReview and sanitize all user-supplied input to prevent XSS vulnerabilities that can be leveraged to exploit CVE-2026-34780.\u003c/li\u003e\n\u003cli\u003eImplement strict Content Security Policy (CSP) to mitigate the risk of XSS attacks.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for suspicious JavaScript execution, especially related to \u003ccode\u003eVideoFrame\u003c/code\u003e objects and \u003ccode\u003econtextBridge.exposeInMainWorld()\u003c/code\u003e, to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for suspicious process execution via Node.js APIs to detect malicious behavior following a successful context isolation bypass.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T01:16:39Z","date_published":"2026-04-04T01:16:39Z","id":"/briefs/2026-04-electron-videoframes/","summary":"A context isolation bypass vulnerability exists in Electron applications that bridge VideoFrame objects via contextBridge, potentially allowing an attacker with JavaScript execution in the main world to access the isolated world and Node.js APIs.","title":"Electron VideoFrame Context Isolation Bypass Vulnerability (CVE-2026-34780)","url":"https://feed.craftedsignal.io/briefs/2026-04-electron-videoframes/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["credential-access","defense-evasion","brute-force","password-spraying"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert triggers when an Elastic machine learning job identifies a significant spike in successful authentication events originating from a specific source IP address. The underlying cause may range from legitimate administrative activity to malicious attempts at credential compromise, such as password spraying, user enumeration, or brute force attacks. The rule requires a minimum Elastic Stack version of 9.4.0 and relies on data ingested via Elastic Defend, Auditd Manager, or the System integration. The machine learning job associated with this rule is named \u0026ldquo;auth_high_count_logon_events_for_a_source_ip_ea\u0026rdquo;. While build servers and CI systems can trigger this alert as false positives, its presence should always prompt investigation to rule out credential compromise attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a network or system (not explicitly described in source).\u003c/li\u003e\n\u003cli\u003eCredential Harvesting: The attacker attempts to gather valid credentials through password spraying or brute-force attacks (T1110, T1110.003).\u003c/li\u003e\n\u003cli\u003eAccount Discovery: The attacker enumerates user accounts to identify potential targets, often performed in conjunction with password attacks.\u003c/li\u003e\n\u003cli\u003eSuccessful Authentication: Using compromised credentials, the attacker successfully authenticates to a system or service (T1078, T1078.002, T1078.003).\u003c/li\u003e\n\u003cli\u003eLateral Movement: After successful authentication, the attacker potentially moves laterally within the network using valid accounts (not explicitly described in source).\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker may attempt to escalate privileges to gain higher-level access (not explicitly described in source).\u003c/li\u003e\n\u003cli\u003eData Exfiltration/Impact: After gaining sufficient access, the attacker may exfiltrate sensitive data or cause damage to the system or network (not explicitly described in source).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, systems, and services. The number of affected users and the extent of the damage depend on the scope of the compromised credentials and the attacker\u0026rsquo;s objectives. This can impact any sector, as credential compromise is a common attack vector across various industries.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and configure the Elastic Defend, Auditd Manager, or System integrations to provide the necessary data for the machine learning job (see Setup section).\u003c/li\u003e\n\u003cli\u003eInstall the associated Machine Learning job \u0026ldquo;auth_high_count_logon_events_for_a_source_ip_ea\u0026rdquo; to enable the detection (see Setup section).\u003c/li\u003e\n\u003cli\u003eTune the anomaly threshold of the machine learning job based on your environment to reduce false positives (anomaly_threshold metadata).\u003c/li\u003e\n\u003cli\u003eInvestigate alerts triggered by this rule, focusing on identifying the involved assets, users, and source IP addresses (see Note section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T13:25:14Z","date_published":"2026-04-02T13:25:14Z","id":"/briefs/2026-04-auth-spike/","summary":"A machine learning job detected a spike in successful authentication events from a source IP address, which can indicate password spraying, user enumeration, or brute force activity, potentially leading to credential access.","title":"Spike in Successful Logon Events from a Source IP","url":"https://feed.craftedsignal.io/briefs/2026-04-auth-spike/"},{"_cs_actors":["Qilin Ransomware"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["qilin","edr-killer","ransomware","defense-evasion","windows"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThe Qilin ransomware group is actively deploying a sophisticated EDR killer as part of their attack chain. The initial stage involves a malicious \u0026ldquo;msimg32.dll\u0026rdquo; that is likely side-loaded by a legitimate application. This DLL version triggers its malicious logic from within its DllMain function, leading to immediate execution upon loading. The EDR killer employs advanced evasion techniques, including neutralizing user-mode hooks, suppressing Event Tracing for Windows (ETW) event generation, and utilizing structured exception handling (SEH) and vectored exception handling (VEH) to obfuscate control flow. Once active, the EDR killer component loads helper drivers to access physical memory and terminate EDR processes. This allows the malware to disable over 300 different EDR drivers across a wide range of vendors, hindering incident response and enabling further malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA legitimate application loads the malicious \u0026ldquo;msimg32.dll\u0026rdquo;, likely through DLL side-loading, triggering execution from within the DllMain function.\u003c/li\u003e\n\u003cli\u003eThe DLL allocates a heap buffer in process memory acting as a slot-policy table based on ntdll.dll\u0026rsquo;s OptionalHeader.SizeOfCode, dividing the code region into 16-byte slots.\u003c/li\u003e\n\u003cli\u003eThe malware iterates over the export table of \u0026ldquo;ntdll.dll\u0026rdquo; to resolve virtual addresses of syscall stubs, specifically targeting those starting with \u0026ldquo;Nt\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eBased on resolved addresses, the malware marks corresponding entries in the slot-policy table with default or special policies, specifically targeting NtTraceEvent, NtTraceControl, and NtAlpcSendWaitReceivePort.\u003c/li\u003e\n\u003cli\u003eThe malware dynamically resolves ntdll!LdrProtectMrdata and invokes it to change the protection of the .mrdata section to writable.\u003c/li\u003e\n\u003cli\u003eThe loader overwrites the dispatcher slot within the .mrdata section with its own custom exception handler to intercept and modify exception handling.\u003c/li\u003e\n\u003cli\u003eThe custom exception handler manages breakpoint exceptions (0xCC), potentially as an anti-emulation technique.\u003c/li\u003e\n\u003cli\u003eThe EDR killer component loads helper drivers, \u0026ldquo;rwdrv.sys\u0026rdquo; for physical memory access and \u0026ldquo;hlpdrv.sys\u0026rdquo; to terminate EDR processes, after unregistering monitoring callbacks to prevent interference.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of the Qilin EDR killer can disable over 300 different EDR drivers, severely impairing the ability of security teams to detect and respond to threats. This can lead to increased dwell time for ransomware and other malicious activities, resulting in significant data breaches, financial losses, and reputational damage. With telemetry collection disabled, defenders lose visibility into process, memory, and network activity, making it difficult to investigate and contain the attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for DLLs loaded from non-standard locations, specifically \u0026ldquo;msimg32.dll,\u0026rdquo; using process creation logs to detect potential DLL side-loading attempts (rules in this brief).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rules provided in this brief to detect the modification of exception handler dispatchers, which is a key component of the EDR killer\u0026rsquo;s evasion techniques.\u003c/li\u003e\n\u003cli\u003eMonitor for the loading of unsigned or untrusted drivers like \u0026ldquo;rwdrv.sys\u0026rdquo; and \u0026ldquo;hlpdrv.sys\u0026rdquo; using driver load events, as these are used to gain system privileges and terminate EDR processes.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture detailed information about process execution, including command-line arguments and parent processes, to aid in the detection of malicious DLL loading.\u003c/li\u003e\n\u003cli\u003eAnalyze process memory for evidence of user-mode hooks being neutralized or ETW event generation being suppressed. This requires more advanced memory forensics capabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T10:00:56Z","date_published":"2026-04-02T10:00:56Z","id":"/briefs/2026-04-qilin-edr-killer/","summary":"Qilin ransomware employs a malicious msimg32.dll in a multi-stage infection chain to disable endpoint detection and response (EDR) solutions by evading detection and terminating EDR processes.","title":"Qilin Ransomware EDR Killer Infection Chain","url":"https://feed.craftedsignal.io/briefs/2026-04-qilin-edr-killer/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","indicator-removal","file-deletion"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis rule detects the deletion of web server access logs, a common tactic used by attackers to cover their tracks and hinder forensic investigations. The deletion of these logs may indicate an attempt to evade detection or destroy forensic evidence on a system. This detection rule focuses on identifying deletion events in directories commonly used for web server logs, such as those used by Apache and IIS. The rule covers multiple operating systems, providing a broad detection capability. This is important for defenders because web server logs are critical for monitoring web traffic and identifying malicious activity. The rule is designed to detect activity on \u0026ldquo;auditbeat-\u003cem\u003e\u0026rdquo;, \u0026ldquo;winlogbeat-\u003c/em\u003e\u0026rdquo;, \u0026ldquo;logs-endpoint.events.\u003cem\u003e\u0026rdquo;, \u0026ldquo;logs-windows.sysmon_operational-\u003c/em\u003e\u0026rdquo; indices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a system hosting a web server, potentially through exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the location of the web server\u0026rsquo;s access logs. Common locations include \u003ccode\u003e/var/log/apache*/access.log\u003c/code\u003e and \u003ccode\u003eC:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a privileged account or escalates privileges to obtain the necessary permissions to delete the log files.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a command to delete the web server access logs. This could be done using \u003ccode\u003erm\u003c/code\u003e on Linux or \u003ccode\u003edel\u003c/code\u003e on Windows.\u003c/li\u003e\n\u003cli\u003eThe operating system records the file deletion event in its audit logs, which are monitored by security tools.\u003c/li\u003e\n\u003cli\u003eThe detection rule identifies the deletion event based on the file path and event type.\u003c/li\u003e\n\u003cli\u003eThe security team is alerted to the potential intrusion and begins investigating the incident.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deletion of web server access logs can significantly impede incident response and forensic investigations. Without these logs, it becomes difficult to determine the scope and impact of an attack, including identifying compromised accounts, exploited vulnerabilities, and stolen data. This can lead to delayed or ineffective remediation efforts, potentially resulting in further damage to the organization. The impact is particularly severe if the logs are deleted before suspicious activity is detected, as it removes valuable evidence needed for analysis.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eWebServer Access Logs Deleted\u003c/code\u003e to your SIEM and tune for your environment to detect malicious log deletion attempts.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring (FIM) on web server log directories to detect unauthorized modifications or deletions.\u003c/li\u003e\n\u003cli\u003eReview and tighten access controls on web server log files to ensure only authorized personnel can modify or delete them.\u003c/li\u003e\n\u003cli\u003eImplement a robust log backup and retention policy to ensure that logs are available for forensic analysis even if they are deleted from the primary system.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eWebServer Access Logs Deleted\u003c/code\u003e rule promptly to determine the root cause and extent of the compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T14:12:42Z","date_published":"2026-04-01T14:12:42Z","id":"/briefs/2026-04-websvr-log-deletion/","summary":"Detection of web server access log deletion across Windows, Linux, and macOS systems indicates potential defense evasion and destruction of forensic evidence by threat actors.","title":"WebServer Access Logs Deleted","url":"https://feed.craftedsignal.io/briefs/2026-04-websvr-log-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["defense-evasion","obfuscation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Right-to-Left Override (RTLO) character (U+202E) is a Unicode character that causes text to be rendered from right to left. Adversaries are leveraging this character in Windows command-line arguments to obfuscate malicious file names and extensions. By embedding the RTLO character within a file name or command, attackers can visually reverse the order of characters, making a malicious file appear to be harmless. For example, a file named \u0026ldquo;evil.exe\u0026rdquo; might be renamed to \u0026ldquo;evil[U+202E]exe.pdf\u0026rdquo;, which would display as \u0026ldquo;evilpdf.exe\u0026rdquo; to a user, potentially tricking them into executing the malicious file. This technique is used to bypass security controls and social engineering. The use of RTLO is not new, but it continues to be an effective method of tricking end users.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious executable file (e.g., \u003ccode\u003etrojan.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker renames the malicious file, embedding the RTLO character (U+202E) within the file name to reverse the visual presentation (e.g., \u003ccode\u003etrojan[U+202E]exe.scr\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe renamed file (e.g., \u003ccode\u003etrojanscr.exe\u003c/code\u003e) is distributed to the target, often via phishing or other social engineering methods.\u003c/li\u003e\n\u003cli\u003eThe user, seeing the reversed file extension, mistakes the file for a screensaver file (\u003ccode\u003e.scr\u003c/code\u003e) and executes it.\u003c/li\u003e\n\u003cli\u003eUpon execution, the malicious executable runs with the privileges of the user.\u003c/li\u003e\n\u003cli\u003eThe malware may then perform malicious activities such as installing additional malware, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the initial foothold to escalate privileges and move laterally within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary code, potentially compromising the entire system. This can result in data theft, system damage, or further propagation of malware within the network. The obfuscation technique makes it harder for users to identify malicious files, increasing the likelihood of successful attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Process Creation with Right-to-Left Override Character\u003c/code\u003e to your SIEM to detect processes spawned with the RTLO character in the command line.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of the RTLO character and how it can be used to disguise malicious files.\u003c/li\u003e\n\u003cli\u003eImplement file extension filtering to block execution of suspicious file types (e.g., \u003ccode\u003e.exe\u003c/code\u003e, \u003ccode\u003e.scr\u003c/code\u003e) from untrusted locations.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual file names or command-line arguments containing the RTLO character.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture command-line arguments, which is essential for detecting this technique.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T11:57:31Z","date_published":"2026-04-01T11:57:31Z","id":"/briefs/2026-04-right-to-left-override/","summary":"Adversaries are using the Right-to-Left Override (RTLO) character (U+202E) in command-line arguments to obfuscate malicious file names and trick users into executing them, achieving defense evasion.","title":"Right-to-Left Override Character Used for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2026-04-right-to-left-override/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","defense-evasion","persistence","initial-access","active-directory"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief focuses on the modification of the \u003ccode\u003emsDS-ManagedAccountPrecededByLink\u003c/code\u003e attribute within Active Directory via PowerShell scripts. This activity is flagged as potentially malicious because it could be indicative of an attempt to exploit the \u0026lsquo;BadSuccessor\u0026rsquo; privilege escalation vulnerability in Windows Server 2025. The vulnerability, as outlined in Akamai\u0026rsquo;s research, allows attackers to manipulate managed service account (dMSA) links to gain elevated privileges. The detection is based on identifying specific PowerShell script patterns that include \u003ccode\u003e.Put(\u0026quot;msDS-ManagedAccountPrecededByLink'\u003c/code\u003e and \u003ccode\u003eCN=\u003c/code\u003e, which are used to modify these critical AD attributes. Defenders should be aware that legitimate administrative tasks might also trigger this detection, so careful tuning and validation are necessary.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to a system with sufficient privileges to execute PowerShell scripts, possibly through compromised credentials or other initial access vectors (T1078.002).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker uses PowerShell to enumerate existing dMSAs and their associated \u003ccode\u003emsDS-ManagedAccountPrecededByLink\u003c/code\u003e attributes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAttribute Modification:\u003c/strong\u003e The attacker crafts a PowerShell script to modify the \u003ccode\u003emsDS-ManagedAccountPrecededByLink\u003c/code\u003e attribute of a target dMSA. This involves using the \u003ccode\u003e.Put(\u0026quot;msDS-ManagedAccountPrecededByLink\u0026quot;\u003c/code\u003e command and specifying a new distinguished name (\u003ccode\u003eCN=\u003c/code\u003e) for the preceding account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker leverages the modified dMSA link to establish a persistent foothold in the environment by gaining control over the targeted dMSA.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e By manipulating the dMSA links, the attacker effectively inherits the permissions and privileges associated with the compromised dMSA, thereby escalating their own privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker may attempt to evade detection by obfuscating the PowerShell script or using other techniques to hide their activity.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e With elevated privileges, the attacker can move laterally within the network, accessing sensitive resources and systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the \u0026lsquo;BadSuccessor\u0026rsquo; vulnerability through modification of the \u003ccode\u003emsDS-ManagedAccountPrecededByLink\u003c/code\u003e attribute can lead to complete domain compromise. An attacker can gain control over critical services and data, potentially resulting in data breaches, service disruptions, and significant financial losses. The impact is amplified in environments heavily reliant on Active Directory for authentication and authorization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune for your environment to detect potentially malicious modifications to dMSA link attributes via PowerShell (logsource: ps_script, product: windows).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule to determine if the activity is legitimate or indicative of an attempted exploitation of the \u0026lsquo;BadSuccessor\u0026rsquo; vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and monitoring for systems and accounts with the ability to modify Active Directory attributes.\u003c/li\u003e\n\u003cli\u003eReview and harden Active Directory security configurations to prevent unauthorized modification of sensitive attributes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-30T10:27:13Z","date_published":"2026-03-30T10:27:13Z","id":"/briefs/2024-01-30-dmsa-link-mod/","summary":"Detection of PowerShell scripts modifying the msDS-ManagedAccountPrecededByLink attribute, potentially indicating exploitation of the BadSuccessor privilege escalation vulnerability in Windows Server 2025.","title":"Potential Abuse of msDS-ManagedAccountPrecededByLink for Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2024-01-30-dmsa-link-mod/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["libpng","png","oob","CVE-2026-33636","vulnerability","defense-evasion","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-33636 describes an out-of-bounds read and write vulnerability within the LIBPNG library, specifically affecting versions 1.6.36 through 1.6.55. The vulnerability resides in the ARM/AArch64 Neon-optimized palette expansion path. This flaw occurs when expanding 8-bit paletted rows to RGB or RGBA formats. The Neon loop processes a final partial chunk of data without properly validating that sufficient input pixels remain. This lack of validation leads to out-of-bounds memory access during…\u003c/p\u003e\n","date_modified":"2026-03-27T12:00:00Z","date_published":"2026-03-27T12:00:00Z","id":"/briefs/2026-03-libpng-oob-r-w/","summary":"An out-of-bounds read and write vulnerability in LIBPNG's ARM/AArch64 Neon-optimized palette expansion path (CVE-2026-33636) allows attackers to potentially achieve denial-of-service or arbitrary code execution by crafting malicious PNG images.","title":"LIBPNG Out-of-Bounds Read/Write Vulnerability in Neon Optimization (CVE-2026-33636)","url":"https://feed.craftedsignal.io/briefs/2026-03-libpng-oob-r-w/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["websphere","vulnerability","privilege-escalation","defense-evasion","information-disclosure"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eIBM WebSphere Application Server Liberty is affected by multiple vulnerabilities that could be exploited by a remote, authenticated attacker. According to the BSI advisory published on March 25, 2026, successful exploitation can lead to privilege escalation, circumvention of security measures, and sensitive information disclosure. While the specific CVEs and techniques are not detailed in the source material, the broad impact across multiple security domains makes this a significant risk for organizations using the affected software. Defenders should prioritize identifying WebSphere Liberty instances and implementing mitigations as they become available.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the IBM WebSphere Application Server Liberty instance using existing credentials or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a vulnerability in the application server to bypass access controls.\u003c/li\u003e\n\u003cli\u003eUsing the bypassed access, the attacker gains access to administrative functions or APIs.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a privilege escalation vulnerability to gain higher-level privileges within the application server.\u003c/li\u003e\n\u003cli\u003eWith elevated privileges, the attacker accesses sensitive configuration files and data stored within the application server.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a vulnerability that allows the reading of arbitrary files on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive information such as user credentials, API keys, or proprietary data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can have severe consequences. An attacker could gain complete control over the WebSphere Application Server Liberty instance, leading to data breaches, service disruption, and potential lateral movement within the network. The number of victims and sectors targeted are currently unknown, but any organization using IBM WebSphere Application Server Liberty is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor WebSphere Liberty server logs for suspicious activity following authentication to detect potential privilege escalation attempts (reference: Attack Chain step 4).\u003c/li\u003e\n\u003cli\u003eImplement the generic privilege escalation detection rule to identify unauthorized attempts to elevate privileges (reference: rules).\u003c/li\u003e\n\u003cli\u003eImplement the security measure bypass detection rule to identify possible vulnerability abuse (reference: rules).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T11:50:50Z","date_published":"2026-03-25T11:50:50Z","id":"/briefs/2026-03-websphere-vulns/","summary":"A remote, authenticated attacker can exploit multiple vulnerabilities in IBM WebSphere Application Server Liberty to escalate privileges, bypass security measures, and disclose information.","title":"IBM WebSphere Application Server Liberty Multiple Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-03-websphere-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["shellcode","windows","jit","defense-evasion"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA newly developed shellcode loader, referred to as \u0026ldquo;Lucky Pasta\u0026rdquo;, has been published online, showcasing advanced evasion techniques targeting Windows systems. The loader, written in C and utilizing the Windows API, is designed to bypass traditional antivirus (AV) solutions through a combination of runtime shellcode decryption using a Just-In-Time (JIT) approach, obfuscation of strings indicative of malicious intent, dynamic loading of libraries commonly flagged as suspicious, execution of shellcode within fibers for stealth, and runtime patching of Advanced Encryption Standard (AES) CPU instructions to thwart static analysis. The loader is capable of retrieving shellcode payloads via standard HTTP or encrypted HTTPS channels, indicating its potential use in various attack scenarios to deliver secondary payloads.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe shellcode loader is initially executed on a Windows system, likely through social engineering or exploitation of a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe loader dynamically resolves API calls required for its operation, such as those related to memory allocation and network communication (e.g., \u003ccode\u003eVirtualAlloc\u003c/code\u003e, \u003ccode\u003eLoadLibrary\u003c/code\u003e, \u003ccode\u003eGetProcAddress\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe loader retrieves the encrypted shellcode from a remote server using HTTP or HTTPS protocols, potentially from a hardcoded URL.\u003c/li\u003e\n\u003cli\u003eThe encrypted shellcode is decrypted in memory using the JIT decryption routine, converting it into executable code.\u003c/li\u003e\n\u003cli\u003eThe loader creates a new fiber and transfers control to the decrypted shellcode within the fiber.\u003c/li\u003e\n\u003cli\u003eThe shellcode performs its intended malicious actions, such as establishing a reverse shell or injecting into another process.\u003c/li\u003e\n\u003cli\u003eThe loader cleans up any traces of its presence, such as zeroing out allocated memory regions.\u003c/li\u003e\n\u003cli\u003eThe final objective is to gain unauthorized access to the compromised system, exfiltrate sensitive data, or deploy additional malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of the \u0026ldquo;Lucky Pasta\u0026rdquo; shellcode loader can lead to complete compromise of the target Windows system. Due to its evasion techniques, it can bypass standard AV detection. The use of HTTP/HTTPS for payload delivery allows it to operate from almost anywhere. Exploitation may lead to data theft, ransomware deployment, or use of the compromised system as a bot in a larger network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for processes making outbound HTTP/HTTPS requests to unusual or suspicious domains, as this is how the shellcode is retrieved (IOC table, network_connection log source).\u003c/li\u003e\n\u003cli\u003eImplement a process creation monitoring rule to detect processes that load suspicious libraries dynamically (e.g., \u003ccode\u003eLoadLibrary\u003c/code\u003e calls from unknown executables) to identify potential malicious loaders. (process_creation log source, Sigma rule)\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to detect shellcode execution via fibers and obfuscated strings. (process_creation log source, Sigma rule).\u003c/li\u003e\n\u003cli\u003eInspect processes that perform memory allocation with execute permissions (\u003ccode\u003eVirtualAlloc\u003c/code\u003e with \u003ccode\u003ePAGE_EXECUTE_READWRITE\u003c/code\u003e), especially if followed by network activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T12:00:00Z","date_published":"2026-03-24T12:00:00Z","id":"/briefs/2026-03-lucky-pasta-shellcode-loader/","summary":"A shellcode loader dubbed 'Lucky Pasta' employs JIT decryption, string obfuscation, dynamic library loading, fiber-based execution, and AES instruction patching to evade AV detection, retrieving shellcode via HTTP/HTTPS and executing it on Windows systems.","title":"Lucky Pasta Shellcode Loader for Windows","url":"https://feed.craftedsignal.io/briefs/2026-03-lucky-pasta-shellcode-loader/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["motw","bypass","phishing","defense-evasion","archive","7-zip","cab","tar"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA new MOTW bypass technique has emerged that chains a CAB file with two TAR archives nested within a 7-Zip archive. This method effectively strips the Zone.Identifier stream from downloaded files, preventing the display of SmartScreen prompts or security warnings. Many organizations rely on MOTW and SmartScreen as a crucial layer of defense against phishing attacks. This bypass, affecting fully patched environments, allows attackers to execute arbitrary code without the usual security checks, potentially leading to malware infection or data compromise. The technique is not a rehash of older 7-Zip MOTW issues but a novel approach to evade detection based on Zone.Identifier.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious payload.\u003c/li\u003e\n\u003cli\u003eAttacker packages the payload into a TAR archive.\u003c/li\u003e\n\u003cli\u003eThe TAR archive is nested inside another TAR archive.\u003c/li\u003e\n\u003cli\u003eThe nested TAR archives are then compressed into a 7-Zip archive using 7z.exe.\u003c/li\u003e\n\u003cli\u003eThe 7-Zip archive is packaged into a CAB archive using makecab.exe.\u003c/li\u003e\n\u003cli\u003eThe CAB archive is distributed to the victim, potentially via phishing or drive-by download.\u003c/li\u003e\n\u003cli\u003eThe victim opens the CAB archive, extracting the nested 7-Zip, TAR, and payload.\u003c/li\u003e\n\u003cli\u003eThe payload executes without a Zone.Identifier stream, bypassing MOTW and SmartScreen, potentially leading to malware infection or unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass security controls that rely on MOTW and SmartScreen. This can lead to malware infections, data breaches, or other malicious activities. The bypass affects fully patched environments, increasing the scope of potential victims. The absence of security warnings makes it more likely that users will execute the malicious payload, increasing the success rate of attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement detections for unusual process chains involving \u003ccode\u003emakecab.exe\u003c/code\u003e, \u003ccode\u003e7z.exe\u003c/code\u003e, and \u003ccode\u003etar.exe\u003c/code\u003e as these tools are used in the bypass (see Sigma rule \u0026ldquo;Detect Suspicious Archive Chaining\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eMonitor for archive extractions from unusual locations, especially those originating from downloaded CAB files, using file event logging and process monitoring (see Sigma rule \u0026ldquo;Detect Archive Extraction from Downloaded CAB\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eAnalyze network connections from processes spawned from archive extractions, as they may indicate command and control or data exfiltration.\u003c/li\u003e\n\u003cli\u003eBlock the URL \u003ccode\u003ehttps://youtu.be/pQxiPwGTBL8\u003c/code\u003e to prevent users from accessing potentially malicious content related to this bypass.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T17:31:15Z","date_published":"2026-03-19T17:31:15Z","id":"/briefs/2026-03-motw-bypass/","summary":"A newly discovered Mark of the Web (MOTW) bypass technique utilizes a chain of CAB, TAR, and 7-Zip archives to circumvent SmartScreen and execute files without security warnings.","title":"MOTW Bypass via CAB, TAR, and 7-Zip Chaining","url":"https://feed.craftedsignal.io/briefs/2026-03-motw-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend","Windows Defender Application Control","Crowdstrike FDR","Sysmon"],"_cs_severities":["high"],"_cs_tags":["wdac","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers are increasingly targeting Windows Defender Application Control (WDAC) to disable or weaken endpoint defenses. By crafting malicious WDAC policies, adversaries can block legitimate security software and evade detection. This technique involves creating WDAC policy files (.p7b or .cip) in protected system directories using unauthorized processes. The activity often occurs when attackers have already gained a foothold in the system and are attempting to solidify their position. Successful deployment of a malicious WDAC policy can significantly hinder incident response and allow malware to operate undetected. This tactic has gained traction since late 2024, with offensive tools like Krueger demonstrating the potential for weaponizing WDAC against EDR solutions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the system through methods such as phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker escalates privileges to gain administrative access, which is required to modify WDAC policies.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Creation:\u003c/strong\u003e The attacker crafts a malicious WDAC policy using tools or scripts. This policy is designed to block specific security products or processes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStaging:\u003c/strong\u003e The malicious policy is staged in a temporary location on the system, often within user-writable directories.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Placement:\u003c/strong\u003e The attacker moves the malicious WDAC policy file (.p7b or .cip) to a protected system directory, such as \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\\u003c/code\u003e or \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\CiPolicies\\Active\\\u003c/code\u003e. The tool used may be a Living-off-the-Land Binary (LOLBin) or a custom .NET assembly.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eActivation:\u003c/strong\u003e The attacker triggers the activation of the new WDAC policy, which often requires a system reboot or the use of a service control utility.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e Once the policy is active, the targeted security products are blocked, allowing the attacker to operate with reduced risk of detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Objectives:\u003c/strong\u003e With defenses weakened, the attacker can move laterally within the network, exfiltrate data, or achieve other objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack targeting WDAC can severely impair an organization\u0026rsquo;s ability to detect and respond to threats. By blocking security software, attackers can operate with impunity, leading to data breaches, financial losses, and reputational damage. Observed damage includes disabled endpoint detection and response (EDR) solutions, allowing ransomware and other malware to execute without interference. The scope of impact can range from individual workstations to entire domains, depending on the breadth of the WDAC policy deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;WDAC Policy File by an Unusual Process\u0026rdquo; Sigma rule to your SIEM to detect unauthorized WDAC policy modifications.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events with extensions .p7b and .cip in \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\\u003c/code\u003e and \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\CiPolicies\\Active\\\u003c/code\u003e directories, specifically filtering for processes other than \u003ccode\u003epoqexec.exe\u003c/code\u003e, \u003ccode\u003eTiWorker.exe\u003c/code\u003e, and \u003ccode\u003eomadmclient.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) logging to capture file creation events and provide the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies on WDAC policy directories to prevent unauthorized modification.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T12:00:00Z","date_published":"2024-11-02T12:00:00Z","id":"/briefs/2024-11-wdac-policy-evasion/","summary":"Adversaries may use a specially crafted Windows Defender Application Control (WDAC) policy to restrict the execution of security products, detected by unusual process creation of WDAC policy files.","title":"WDAC Policy File Creation by Unusual Process","url":"https://feed.craftedsignal.io/briefs/2024-11-wdac-policy-evasion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","persistence","defense-evasion","suid","sgid"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThe SUID (Set User ID) and SGID (Set Group ID) bits are file permission mechanisms in Unix-like operating systems that allow a program to be executed with the privileges of the file\u0026rsquo;s owner or group, respectively. While intended for legitimate purposes, such as allowing users to perform specific administrative tasks, they can be abused by attackers to escalate privileges. Attackers can exploit misconfigured SUID/SGID binaries to gain elevated access or persistence. This detection focuses on identifying processes running with root privileges (UID/GID 0) but initiated by non-root users, flagging potential misuse of SUID/SGID permissions on Linux systems monitored by Elastic Defend. This can indicate an attacker attempting to exploit a misconfiguration in order to escalate their privileges to root, or establish a backdoor for persistence.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux system via some vulnerability or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies binaries with SUID/SGID bits set.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a vulnerable SUID/SGID binary, such as \u003ccode\u003efind\u003c/code\u003e or \u003ccode\u003enmap\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe binary executes with root privileges, even though the attacker is a non-root user.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to read sensitive files, modify system configurations, or install malicious software.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to root.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating a new SUID/SGID binary or modifying an existing one.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of SUID/SGID misconfigurations can lead to complete system compromise, as attackers gain root privileges. Attackers can install malware, steal sensitive data, or disrupt critical services. The impact can range from data breaches to denial-of-service attacks. Given the broad range of binaries potentially affected, this vulnerability can impact various sectors and potentially affect a large number of Linux systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003ePrivilege Escalation via SUID/SGID\u003c/code\u003e to your SIEM to detect potential privilege escalation attempts.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend integration to ensure the necessary process execution data is available.\u003c/li\u003e\n\u003cli\u003eRegularly audit SUID/SGID permissions across your Linux systems and remove unnecessary SUID/SGID bits.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by checking \u003ccode\u003eprocess.real_user.id\u003c/code\u003e and \u003ccode\u003eprocess.real_group.id\u003c/code\u003e to determine if non-root users initiated the process.\u003c/li\u003e\n\u003cli\u003eReview the process details, including \u003ccode\u003eprocess.name\u003c/code\u003e and \u003ccode\u003eprocess.args\u003c/code\u003e, to understand the nature of the executed command and its intended function.\u003c/li\u003e\n\u003cli\u003eMonitor system logs for suspicious activity around the time of the alert to identify any related actions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T12:00:00Z","date_published":"2024-11-02T12:00:00Z","id":"/briefs/2024-11-suid-sgid-privilege-escalation/","summary":"Attackers may leverage misconfigured SUID/SGID permissions on Linux systems to escalate privileges to root or establish persistence by executing processes with root privileges initiated by non-root users.","title":"Potential Privilege Escalation via SUID/SGID on Linux","url":"https://feed.craftedsignal.io/briefs/2024-11-suid-sgid-privilege-escalation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GitHub"],"_cs_severities":["high"],"_cs_tags":["github","security-configuration","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThis brief addresses the threat of unauthorized or malicious disabling of security features within GitHub organizations and repositories. Attackers or malicious insiders might disable features like Advanced Security, OAuth application restrictions, or two-factor authentication to weaken the security posture, gain unauthorized access, and establish persistence. The affected features span across advanced security, OAuth application management, and two-factor authentication enforcement. These actions can be performed by users with administrative or owner privileges within the GitHub organization. Defenders need to monitor for these configuration changes to ensure security best practices are maintained and to quickly identify potential malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub account with organization owner or administrator privileges through compromised credentials or insider access.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the GitHub organization or repository using the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the organization settings or repository settings, depending on the scope of the targeted security feature.\u003c/li\u003e\n\u003cli\u003eThe attacker disables advanced security features (e.g., \u003ccode\u003ebusiness_advanced_security.disabled_for_new_repos\u003c/code\u003e, \u003ccode\u003erepo.advanced_security_disabled\u003c/code\u003e) through the GitHub web interface or API.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker disables OAuth application restrictions (\u003ccode\u003eorg.disable_oauth_app_restrictions\u003c/code\u003e) to allow potentially malicious applications to access organizational data.\u003c/li\u003e\n\u003cli\u003eOr, the attacker disables the two-factor authentication requirement (\u003ccode\u003eorg.disable_two_factor_requirement\u003c/code\u003e) for the organization, weakening account security.\u003c/li\u003e\n\u003cli\u003eThe attacker may then proceed to exploit the weakened security posture to access sensitive repositories, modify code, or exfiltrate data.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistent access by creating rogue OAuth applications or adding unauthorized users to the organization.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling security features in GitHub can lead to severe consequences. A successful attack can result in unauthorized access to sensitive code repositories, intellectual property theft, and data breaches. Disabling two-factor authentication makes accounts more vulnerable to credential stuffing and phishing attacks. The scope can range from a single repository to an entire organization, impacting hundreds or thousands of users and projects. The financial and reputational damage to the organization can be significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGithub High Risk Configuration Disabled\u003c/code\u003e to detect the disabling of critical security features by monitoring GitHub audit logs.\u003c/li\u003e\n\u003cli\u003eEnable audit log streaming as documented in the rule definition to ensure that the necessary logs are captured for detection.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of security feature disabling to determine if they are legitimate administrator actions or malicious activity.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all users, especially those with administrative privileges, and monitor for attempts to disable MFA.\u003c/li\u003e\n\u003cli\u003eRegularly review and validate GitHub organization and repository settings to ensure that security features are enabled and configured correctly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-31T18:22:00Z","date_published":"2024-10-31T18:22:00Z","id":"/briefs/2024-11-github-security-disabled/","summary":"An administrator or privileged user disables critical security features within a GitHub organization or repository, potentially leading to increased risk of unauthorized access, data breaches, and persistent compromise.","title":"GitHub Security Feature Disablement","url":"https://feed.craftedsignal.io/briefs/2024-11-github-security-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Sysmon","Windows Installer"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","msiexec"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne","Microsoft"],"content_html":"\u003cp\u003eAdversaries may abuse the Windows Installer service (msiexec.exe) to proxy the execution of malicious payloads, effectively bypassing application control and other security mechanisms. This technique, known as \u0026ldquo;Msiexec\u0026rdquo; proxy execution (T1218.007), involves using msiexec.exe to execute malicious DLLs or scripts. The detection focuses on identifying child processes spawned by MsiExec, particularly those exhibiting network activity. This behavior is atypical for legitimate software installations and updates, making it a strong indicator of potential malicious use. Defenders should be aware of this technique as it allows attackers to blend in with legitimate system processes. The Elastic detection rule, updated on 2026-05-04, aims to identify this suspicious activity across multiple data sources including Elastic Defend, Sysmon, and SentinelOne.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system through an exploit or social engineering.\u003c/li\u003e\n\u003cli\u003eAttacker leverages msiexec.exe to execute a malicious MSI package with a \u003ccode\u003e/v\u003c/code\u003e parameter, commonly used to pass verbose logging options, potentially hiding malicious commands.\u003c/li\u003e\n\u003cli\u003eThe malicious MSI package contains custom actions that execute arbitrary code.\u003c/li\u003e\n\u003cli\u003eMsiexec.exe spawns a child process (e.g., powershell.exe, cmd.exe, or another executable) to carry out malicious actions.\u003c/li\u003e\n\u003cli\u003eThe child process establishes a network connection to an external server or performs DNS lookups, possibly for command and control (C2) communication or to download additional payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the network connection to download and execute further tools or scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe final objective could be data exfiltration, ransomware deployment, or persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass application control and execute arbitrary code on the system. This can lead to malware installation, data theft, or complete system compromise. While the exact number of victims is not specified in the provided source, the technique can be applied across various sectors. The impact can range from individual workstation compromises to large-scale breaches affecting entire organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMsiExec Child Process with Unusual Executable and Network Connection\u003c/code\u003e to detect suspicious msiexec.exe child processes initiating network connections based on unusual executable paths.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) and network connection logging (Event ID 3) to provide the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rules, focusing on the process tree, command-line arguments, and network destinations.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate software installations and automated deployment tools that use MsiExec and require network access to minimize false positives, as detailed in the \u0026ldquo;False positive analysis\u0026rdquo; section of the source material.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-26T12:00:00Z","date_published":"2024-10-26T12:00:00Z","id":"/briefs/2024-10-msiexec-network-connection/","summary":"Detection of MsiExec spawning child processes that initiate network connections, potentially indicating abuse of Windows Installers for malware delivery and defense evasion.","title":"MsiExec Child Process Spawning Network Connections for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-10-msiexec-network-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Adobe Acrobat Update Task","Sure Click","Secure Access Client","CtxsDPS.exe","Openvpn-gui.exe","Veeam Endpoint Backup","Cisco Secure Client","Concentr.exe","Receiver","AnalyticsSrv.exe","Redirector.exe","Download Navigator","Jabra Direct","Vmware Workstation","Eset Security","iTunes","Keepassxc.exe","Globalprotect","Pdf24.exe","Vmware Tools","Teams"],"_cs_severities":["medium"],"_cs_tags":["persistence","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Adobe","HP","Intel","Acronis","Java","Citrix","OpenVPN","Veeam","Cisco","Epson","Jabra","VMware","ESET","iTunes","KeePassXC","Palo Alto Networks","PDF24"],"content_html":"\u003cp\u003eThe Windows Installer (msiexec.exe) is a legitimate system tool used for installing, updating, and removing software on Windows systems. Adversaries can abuse msiexec.exe to establish persistence mechanisms by creating malicious scheduled tasks or modifying registry run keys. This allows them to execute arbitrary code during system startup or user logon. This technique is attractive to attackers due to msiexec.exe being a trusted Windows binary, potentially evading detection by security solutions that focus on flagging unknown or suspicious processes. The use of msiexec.exe for persistence can be difficult to detect without specific monitoring rules, as it is a common and legitimate system process. This activity can be observed across various Windows versions and is frequently integrated into automated attack frameworks and scripts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised system, potentially through phishing, exploitation of a vulnerability, or stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages msiexec.exe to create a new scheduled task using the \u003ccode\u003eschtasks.exe\u003c/code\u003e command, setting it to execute a malicious script or binary.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses msiexec.exe in conjunction with \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify registry keys under \u003ccode\u003eHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u003c/code\u003e or \u003ccode\u003eHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u003c/code\u003e, adding a pointer to their malicious executable.\u003c/li\u003e\n\u003cli\u003eThe created scheduled task or registry entry points to a malicious payload, such as a reverse shell or a downloader.\u003c/li\u003e\n\u003cli\u003eThe system is restarted, or the user logs on, triggering the execution of the newly created scheduled task or the malicious binary through the modified registry run key.\u003c/li\u003e\n\u003cli\u003eThe malicious payload executes, establishing a persistent foothold for the attacker on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform further actions, such as data exfiltration, lateral movement, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the adversary to maintain persistent access to the compromised system. This can lead to data theft, system compromise, deployment of ransomware, or use of the system as a staging point for further attacks within the network. A single compromised system can be used to pivot and compromise additional systems, leading to a widespread security breach. The impact can include financial losses, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for msiexec.exe spawning \u003ccode\u003eschtasks.exe\u003c/code\u003e or \u003ccode\u003ereg.exe\u003c/code\u003e to create scheduled tasks or modify registry run keys (reference: rules in this brief).\u003c/li\u003e\n\u003cli\u003eImplement and tune the Sigma rules provided in this brief to detect suspicious msiexec.exe activity related to persistence mechanisms.\u003c/li\u003e\n\u003cli\u003eReview and audit existing scheduled tasks and registry run keys for any suspicious entries or anomalies.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring (FIM) on critical system directories, including the Windows Task Scheduler directory and registry run key locations (reference: event.category == \u0026ldquo;file\u0026rdquo; and file.path \u0026hellip; and event.category == \u0026ldquo;registry\u0026rdquo; and registry.path \u0026hellip; in the rule query).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or unknown executables (reference: rule query).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-09-05T14:17:05Z","date_published":"2024-09-05T14:17:05Z","id":"/briefs/2024-09-msiexec-persistence/","summary":"Adversaries may establish persistence by abusing the Windows Installer (msiexec.exe) to create scheduled tasks or modify registry run keys, allowing for malicious code execution upon system startup or user logon.","title":"Persistence via Windows Installer (Msiexec)","url":"https://feed.craftedsignal.io/briefs/2024-09-msiexec-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","hide-artifacts","alternate-data-stream"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies the creation or execution of Alternate Data Streams (ADS) within the root directory of a volume on Windows systems. Attackers leverage this technique to conceal malicious tools or data, as ADSs created in this manner are not easily discoverable by standard system utilities. This method allows for the persistence and execution of malware while evading typical detection mechanisms. This rule is designed for data generated by Elastic Defend, Microsoft Defender XDR, and SentinelOne Cloud Funnel, providing broad coverage across different endpoint security solutions. Monitoring for ADS activity at the volume root is crucial to identify potential defense evasion attempts and hidden malicious payloads.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script or program (e.g., PowerShell) to create a hidden ADS at the root of a volume (e.g., \u003ccode\u003eC:\\:evil.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe ADS is populated with malicious code, such as a reverse shell or malware payload.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a command-line tool or script to execute the hidden ADS file. For example: \u003ccode\u003ewmic process call create \u0026quot;cmd.exe /c start C:\\:evil.exe\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious code within the ADS executes, allowing the attacker to perform unauthorized actions, such as data exfiltration or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the hidden ADS to maintain persistence on the system, ensuring continued access even after reboots.\u003c/li\u003e\n\u003cli\u003eThe attacker further leverages the compromised system to move laterally within the network, compromising additional systems and escalating privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to hide malicious tools and maintain persistence on compromised systems. The creation of ADSs at the volume root directory makes it difficult for administrators and security tools to detect the presence of malware. This can lead to prolonged compromise, data breaches, and significant disruption of business operations. The rule has a risk score of 47, and a medium severity is applied.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect ADS creation and execution at the volume root directory.\u003c/li\u003e\n\u003cli\u003eEnable logging for file creation events (Sysmon Event ID 11) and process creation events (Sysmon Event ID 1) for enhanced visibility into ADS activity.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rules to determine the legitimacy of ADS creation or execution, focusing on processes and file paths that match the \u003ccode\u003e[A-Z]:\\\\:.+\u003c/code\u003e regex pattern in the rule query.\u003c/li\u003e\n\u003cli\u003eRegularly scan systems for hidden ADS files using specialized tools to uncover any potential malicious files.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized applications and prevent the creation of malicious ADSs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-08T12:00:00Z","date_published":"2024-07-08T12:00:00Z","id":"/briefs/2024-07-root-dir-ads-creation/","summary":"Detection of Alternate Data Stream (ADS) creation at a volume root directory, a technique used to hide malware and tools by exploiting how ADSs in root directories are not readily visible to standard system utilities, indicating a defense evasion attempt.","title":"Alternate Data Stream Creation/Execution at Volume Root Directory","url":"https://feed.craftedsignal.io/briefs/2024-07-root-dir-ads-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["System Center Configuration Manager"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","dll-hijacking","sccm"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may attempt to hijack Windows user sessions by exploiting Microsoft\u0026rsquo;s System Center Configuration Manager (SCCM). This involves loading malicious DLLs into \u003ccode\u003eSCNotification.exe\u003c/code\u003e, a process responsible for user notifications within the SCCM framework. The vulnerability arises when \u003ccode\u003eSCNotification.exe\u003c/code\u003e loads untrusted DLLs, potentially impersonating a user session. This activity is often characterized by recent DLL file creation or modification, coupled with the DLL lacking a trusted code signature. The references indicate this technique has been discussed publicly, raising awareness and the potential for increased exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system.\u003c/li\u003e\n\u003cli\u003eAttacker places a malicious DLL on the system. This DLL may be disguised to appear legitimate.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the system to cause \u003ccode\u003eSCNotification.exe\u003c/code\u003e to load the malicious DLL. This may involve modifying registry keys or file paths.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eSCNotification.exe\u003c/code\u003e loads the attacker-controlled DLL.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes within the context of the \u003ccode\u003eSCNotification.exe\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the hijacked process to impersonate a user session.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized access to user accounts and data.\u003c/li\u003e\n\u003cli\u003eAttacker performs malicious actions under the guise of the compromised user, such as data exfiltration or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to unauthorized access to sensitive data, privilege escalation, and further compromise of the network. Victims could experience data breaches, financial loss, or reputational damage. The impact depends on the extent of access gained by the attacker and the sensitivity of the data accessed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Windows Session Hijacking via CcmExec\u0026rdquo; to your SIEM to detect suspicious DLL loads by \u003ccode\u003eSCNotification.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts triggered by the Sigma rule, focusing on DLLs with recent file creation times or modifications (DLL timestamps) and untrusted signatures.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized DLLs from being loaded by \u003ccode\u003eSCNotification.exe\u003c/code\u003e as described in the remediation steps in the note section.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003eSCNotification.exe\u003c/code\u003e and related processes.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to enhance visibility into process execution events, which activates the Sigma rules above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T10:00:00Z","date_published":"2024-07-03T10:00:00Z","id":"/briefs/2024-07-sccm-dll-hijacking/","summary":"Adversaries may exploit Microsoft's System Center Configuration Manager by loading malicious DLLs into SCNotification.exe, a process associated with user notifications, potentially leading to Windows session hijacking.","title":"Potential Windows Session Hijacking via CcmExec","url":"https://feed.craftedsignal.io/briefs/2024-07-sccm-dll-hijacking/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Management Console File","Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["execution","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers may exploit Microsoft Management Console (MMC) by executing .msc files from non-standard directories to bypass security controls. This technique can be used for initial access and execution. This detection focuses on identifying the execution of \u003ccode\u003emmc.exe\u003c/code\u003e with \u003ccode\u003e.msc\u003c/code\u003e files from paths outside the typical system directories, which are generally considered trusted. By monitoring process executions and filtering out known legitimate paths, analysts can identify potentially malicious activity related to the misuse of MMC. The rule aims to detect deviations from standard administrative practices that could indicate unauthorized access or command execution via malicious or compromised \u003ccode\u003e.msc\u003c/code\u003e files. The detection logic specifically excludes executions from common directories like \u003ccode\u003eSystem32\u003c/code\u003e, \u003ccode\u003eSysWOW64\u003c/code\u003e, and \u003ccode\u003eProgram Files\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through an unspecified method.\u003c/li\u003e\n\u003cli\u003eThe attacker places a malicious \u003ccode\u003e.msc\u003c/code\u003e file in an unusual or untrusted directory (e.g., \u003ccode\u003eC:\\Users\\Public\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003emmc.exe\u003c/code\u003e with the malicious \u003ccode\u003e.msc\u003c/code\u003e file as an argument from the untrusted path.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emmc.exe\u003c/code\u003e processes the \u003ccode\u003e.msc\u003c/code\u003e file, potentially executing embedded commands or scripts.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003e.msc\u003c/code\u003e file performs unauthorized actions on the system, such as modifying system settings or executing arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the execution context of \u003ccode\u003emmc.exe\u003c/code\u003e to bypass security controls and escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker may establish persistence by creating a scheduled task or modifying registry keys to execute the malicious \u003ccode\u003e.msc\u003c/code\u003e file automatically.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access, command execution, and privilege escalation, potentially compromising the entire system. While specific victim counts or sector targeting are not available, the technique is applicable across various Windows environments. The use of a trusted system binary like \u003ccode\u003emmc.exe\u003c/code\u003e for malicious purposes can evade traditional security measures, making detection more challenging.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eMicrosoft Management Console File from Unusual Path\u003c/code\u003e to detect the execution of \u003ccode\u003emmc.exe\u003c/code\u003e with \u003ccode\u003e.msc\u003c/code\u003e files from untrusted paths.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments to provide the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the origin and content of the \u003ccode\u003e.msc\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eConsider implementing application control policies to restrict the execution of \u003ccode\u003e.msc\u003c/code\u003e files to authorized directories only.\u003c/li\u003e\n\u003cli\u003eReview and audit the use of MMC in the environment to identify any legitimate use cases that might trigger false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T10:00:00Z","date_published":"2024-07-03T10:00:00Z","id":"/briefs/2024-07-mmc-untrusted-path/","summary":"Adversaries may use Microsoft Management Console (MMC) files from untrusted paths to bypass security controls for initial access and execution on Windows systems.","title":"Microsoft Management Console File Execution from Unusual Path","url":"https://feed.craftedsignal.io/briefs/2024-07-mmc-untrusted-path/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Endgame","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","registry-modification","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe DNS Global Query Block List (GQBL) is a Windows security feature designed to prevent the resolution of specific DNS names, commonly exploited in attacks like WPAD spoofing. Attackers who have obtained elevated privileges, such as DNSAdmin, can modify or disable this list to bypass security controls. This allows exploitation of hosts running WPAD with default settings. The modification of the GQBL can be used for privilege escalation and lateral movement within a network. This rule detects changes to the registry values associated with the GQBL, specifically \u0026ldquo;EnableGlobalQueryBlockList\u0026rdquo; and \u0026ldquo;GlobalQueryBlockList.\u0026rdquo; This activity could indicate an attacker attempting to weaken defenses to facilitate further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to obtain DNSAdmin rights.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u0026ldquo;EnableGlobalQueryBlockList\u0026rdquo; registry value to \u0026ldquo;0\u0026rdquo; or \u0026ldquo;0x00000000,\u0026rdquo; effectively disabling the GQBL.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker modifies the \u0026ldquo;GlobalQueryBlockList\u0026rdquo; registry value to remove \u0026ldquo;wpad\u0026rdquo; from the list.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the disabled GQBL to conduct WPAD spoofing attacks, redirecting network traffic to attacker-controlled servers.\u003c/li\u003e\n\u003cli\u003eThe attacker captures user credentials transmitted during WPAD authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the captured credentials to move laterally to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification or disabling of the DNS Global Query Block List can lead to WPAD spoofing attacks, credential theft, lateral movement, and ultimately, complete compromise of the network. Attackers can leverage this technique to gain unauthorized access to sensitive data or systems. The impact includes potential data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRegistry Modification of DNS Global Query Block List\u003c/code\u003e to your SIEM to detect unauthorized changes to the GQBL configuration.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture the necessary events for the Sigma rule to function (reference the logsource in the rule).\u003c/li\u003e\n\u003cli\u003eReview and restrict DNSAdmin privileges to only necessary accounts to minimize the attack surface (reference: Overview section).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual DNS queries or WPAD-related activity, correlating with registry modification events (reference: Attack Chain step 5).\u003c/li\u003e\n\u003cli\u003eRegularly audit registry settings related to DNS configuration, including the GQBL, to identify unauthorized modifications (reference: Attack Chain steps 3 \u0026amp; 4).\u003c/li\u003e\n\u003cli\u003eUpdate security policies and procedures to include specific measures for monitoring and protecting the DNS Global Query Block List (reference: Impact section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T10:00:00Z","date_published":"2024-07-03T10:00:00Z","id":"/briefs/2024-07-dns-gqbl-modified/","summary":"Attackers with DNSAdmin privileges can modify or disable the DNS Global Query Block List (GQBL) in Windows, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.","title":"DNS Global Query Block List Modified or Disabled","url":"https://feed.craftedsignal.io/briefs/2024-07-dns-gqbl-modified/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-2892"}],"_cs_exploited":false,"_cs_products":["Otter Blocks plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","purchase-bypass","CVE-2026-2892","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Stripe","WordPress"],"content_html":"\u003cp\u003eThe Otter Blocks plugin, a popular WordPress extension, is susceptible to a purchase verification bypass vulnerability identified as CVE-2026-2892. This flaw affects all versions up to and including 3.1.4. The vulnerability stems from the plugin\u0026rsquo;s reliance on an unsigned cookie, \u0026lsquo;o_stripe_data\u0026rsquo;, to determine Stripe product ownership for unauthenticated users. The \u0026lsquo;get_customer_data\u0026rsquo; method uses this cookie, and the subsequent \u0026lsquo;check_purchase\u0026rsquo; method trusts its contents without proper server-side validation against the Stripe API. This lack of verification enables attackers to gain unauthorized access to purchase-gated content. The target product ID is often exposed in the checkout block\u0026rsquo;s HTML source, further simplifying the exploit. Successful exploitation allows attackers to bypass payment requirements, potentially impacting content creators and businesses relying on the plugin for revenue generation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable Otter Blocks plugin (version \u0026lt;= 3.1.4).\u003c/li\u003e\n\u003cli\u003eThe attacker examines the HTML source code of a checkout block on the target site to identify the target product ID.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u0026lsquo;o_stripe_data\u0026rsquo; cookie containing the target product ID.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the forged \u0026lsquo;o_stripe_data\u0026rsquo; cookie in their browser.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the purchase-gated content on the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe \u0026lsquo;get_customer_data\u0026rsquo; method reads the forged \u0026lsquo;o_stripe_data\u0026rsquo; cookie.\u003c/li\u003e\n\u003cli\u003eThe \u0026lsquo;check_purchase\u0026rsquo; method incorrectly validates the forged purchase data without server-side verification against the Stripe API.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the purchase-gated content, bypassing the intended payment requirement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-2892 allows unauthenticated attackers to bypass purchase verification mechanisms implemented by the Otter Blocks plugin. This can lead to unauthorized access to premium content, resulting in revenue loss for content creators and businesses using the plugin. The number of potentially affected websites is significant, given the popularity of WordPress and the Otter Blocks plugin. The CVSS v3.1 base score is 7.5, indicating a high severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Otter Blocks plugin to a version greater than 3.1.4 to patch CVE-2026-2892.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect potential exploitation attempts targeting the vulnerable plugin.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category \u003ccode\u003ewebserver\u003c/code\u003e, product \u003ccode\u003elinux\u003c/code\u003e) for suspicious cookie manipulation activity, specifically targeting the \u0026lsquo;o_stripe_data\u0026rsquo; cookie.\u003c/li\u003e\n\u003cli\u003eImplement server-side validation of purchase data against the Stripe API to prevent cookie forgery attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-06-24T12:00:00Z","date_published":"2024-06-24T12:00:00Z","id":"/briefs/2026-06-otter-blocks-bypass/","summary":"CVE-2026-2892 is a purchase verification bypass vulnerability in the Otter Blocks plugin for WordPress, affecting versions up to 3.1.4, that allows unauthenticated attackers to access restricted content by forging a cookie used for purchase validation.","title":"Otter Blocks Plugin Purchase Verification Bypass Vulnerability (CVE-2026-2892)","url":"https://feed.craftedsignal.io/briefs/2026-06-otter-blocks-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":10,"id":"CVE-2024-1709"},{"cvss":8.4,"id":"CVE-2024-1708"}],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","ScreenConnect"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","defense-evasion","execution","persistence","screenconnect"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of suspicious activities related to the ScreenConnect remote access tool. ScreenConnect is a legitimate remote support software, but adversaries can exploit it to execute unauthorized commands on compromised systems. This detection identifies suspicious child processes spawned by ScreenConnect client processes, such as \u003ccode\u003eScreenConnect.ClientService.exe\u003c/code\u003e or \u003ccode\u003eScreenConnect.WindowsClient.exe\u003c/code\u003e, which can indicate malicious activities such as spawning PowerShell or cmd.exe with unusual arguments. This activity can indicate potential abuse of remote access capabilities, leading to data exfiltration, command and control communication, or the establishment of persistence mechanisms. Recent exploitation of CVE-2024-1709 and CVE-2024-1708 have highlighted the risk associated with ScreenConnect exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to a system with ScreenConnect installed. This could be achieved through exploiting vulnerabilities like CVE-2024-1709 and CVE-2024-1708, or through credential compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker uses ScreenConnect to connect to the compromised system remotely.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the ScreenConnect interface to execute commands on the remote system.\u003c/li\u003e\n\u003cli\u003eThe attacker spawns a command interpreter, such as \u003ccode\u003ecmd.exe\u003c/code\u003e, using ScreenConnect. This process is a child process of the ScreenConnect client process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ecmd.exe\u003c/code\u003e to execute malicious commands, such as downloading and executing a malicious payload.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker spawns \u003ccode\u003epowershell.exe\u003c/code\u003e with encoded commands or commands to download and execute malicious payloads from a remote server.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating a scheduled task using \u003ccode\u003eschtasks.exe\u003c/code\u003e or creates a new service using \u003ccode\u003esc.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses tools like \u003ccode\u003enet.exe\u003c/code\u003e to modify user accounts or privileges to maintain access to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, installation of malware, and establishment of persistent access to the compromised system. This can result in data theft, disruption of services, and further lateral movement within the network. The number of victims and specific sectors targeted varies depending on the attacker\u0026rsquo;s objectives, but the impact can be significant for organizations relying on ScreenConnect for remote support.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious child processes spawned by ScreenConnect and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for ScreenConnect client processes spawning suspicious child processes like \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003eschtasks.exe\u003c/code\u003e, \u003ccode\u003esc.exe\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003ecurl.exe\u003c/code\u003e, \u003ccode\u003essh.exe\u003c/code\u003e, \u003ccode\u003escp.exe\u003c/code\u003e, \u003ccode\u003ewevtutil.exe\u003c/code\u003e, \u003ccode\u003ewget.exe\u003c/code\u003e, or \u003ccode\u003ewmic.exe\u003c/code\u003e as detailed in the Sigma rules.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to capture the necessary process execution data to activate the rules above.\u003c/li\u003e\n\u003cli\u003eReview and revoke any unauthorized user accounts or privileges that may have been created or modified using tools like \u003ccode\u003enet.exe\u003c/code\u003e as described in the attack chain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-16T16:10:00Z","date_published":"2024-05-16T16:10:00Z","id":"/briefs/2024-05-screenconnect-child-process/","summary":"This rule identifies suspicious child processes spawned by ScreenConnect client processes, potentially indicating unauthorized access and command execution abusing ScreenConnect remote access software to perform malicious activities such as data exfiltration or establishing persistence.","title":"Suspicious ScreenConnect Client Child Process Activity","url":"https://feed.craftedsignal.io/briefs/2024-05-screenconnect-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","process-injection","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eParent process PID spoofing is a defense evasion technique where a process is created with a parent process ID (PPID) that differs from its actual creator. This can be used to circumvent process monitoring tools that rely on accurate parent-child relationships. Adversaries may leverage this technique to disguise malicious processes as legitimate system processes or to elevate privileges by associating malicious activities with trusted processes. The technique involves manipulating process creation APIs to set an arbitrary PPID. The Elastic Defend integration is designed to capture the necessary process telemetry to detect these discrepancies. This activity matters because it can allow attackers to hide their actions and persist on compromised systems undetected. The referenced Elastic detection rule was last updated on 2026/04/30, demonstrating continued relevance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the Windows system (e.g., via phishing or exploit).\u003c/li\u003e\n\u003cli\u003eAttacker executes a malicious process, such as a script or executable.\u003c/li\u003e\n\u003cli\u003eThe malicious process uses API calls (e.g., \u003ccode\u003eCreateProcess\u003c/code\u003e, \u003ccode\u003eNtCreateProcessEx\u003c/code\u003e) to spawn a new process.\u003c/li\u003e\n\u003cli\u003eDuring process creation, the attacker modifies the PPID parameter to spoof a legitimate parent process.\u003c/li\u003e\n\u003cli\u003eThe new process is launched with the spoofed PPID, appearing as a child of the chosen parent.\u003c/li\u003e\n\u003cli\u003eThe spoofed process executes malicious code, potentially downloading additional payloads or establishing command and control.\u003c/li\u003e\n\u003cli\u003eThe adversary leverages the trusted appearance of the spoofed process to evade detection by security tools.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, lateral movement, or persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful parent process PID spoofing can allow attackers to evade detection and maintain persistence on a compromised system. This can lead to data breaches, system compromise, and financial loss. While the number of victims and specific sectors targeted are not specified in the provided source material, the technique is applicable across various sectors and organizations utilizing Windows-based systems. The lack of detection can lead to prolonged dwell time, increasing the potential for significant damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Process Creation with PPID Spoofing\u003c/code\u003e to your SIEM to identify potential parent process PID spoofing attempts based on process telemetry data.\u003c/li\u003e\n\u003cli\u003eEnable and monitor process creation events with parent-child relationships using Elastic Defend to capture the necessary data for the provided rule.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule by examining the process tree and verifying the legitimacy of parent-child relationships as outlined in the rule\u0026rsquo;s description.\u003c/li\u003e\n\u003cli\u003eConfigure endpoint detection and response (EDR) solutions to identify and block suspicious processes spawned by common exploitation vectors like Office applications and script hosts, as these are often associated with PPID spoofing.\u003c/li\u003e\n\u003cli\u003eReview and tune the Sigma rule, specifically the \u003ccode\u003eprocess.pe.original_file_name\u003c/code\u003e and \u003ccode\u003eprocess.executable\u003c/code\u003e lists, to match your organization\u0026rsquo;s baseline and reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-09T14:22:00Z","date_published":"2024-05-09T14:22:00Z","id":"/briefs/2024-05-parent-process-spoofing/","summary":"Adversaries use parent process PID spoofing to evade detection by creating processes with mismatched parent-child relationships, hindering process monitoring and potentially elevating privileges on Windows systems.","title":"Windows Parent Process PID Spoofing Detection","url":"https://feed.craftedsignal.io/briefs/2024-05-parent-process-spoofing/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Kubernetes"],"_cs_severities":["medium"],"_cs_tags":["stealth","defense-evasion","kubernetes"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAttackers targeting Kubernetes environments may attempt to delete Kubernetes events as a means of covering their tracks. This technique, often employed after successful exploitation or lateral movement, aims to eliminate audit logs and other traces of malicious activity. By removing these logs, attackers can significantly hinder incident response efforts and prolong the duration of their access. While the specifics of initial access will vary, this action will typically be performed using kubectl or similar tools with sufficient privileges within the Kubernetes cluster. Defenders need to monitor for unexpected deletion of event logs to identify potentially compromised systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of a container or node within the Kubernetes cluster using an exploit (e.g., exploiting a vulnerability in a containerized application).\u003c/li\u003e\n\u003cli\u003eEstablish persistence by creating a malicious pod or modifying existing deployments to include backdoors.\u003c/li\u003e\n\u003cli\u003eEscalate privileges within the cluster, potentially by exploiting misconfigured RBAC policies or vulnerable service accounts.\u003c/li\u003e\n\u003cli\u003eIdentify Kubernetes event logs that contain evidence of the attacker\u0026rsquo;s activities, such as pod deployments, privilege escalation attempts, or network connections.\u003c/li\u003e\n\u003cli\u003eUse \u003ccode\u003ekubectl delete events\u003c/code\u003e command with appropriate privileges to remove targeted event logs from the Kubernetes audit logs.\u003c/li\u003e\n\u003cli\u003eVerify that the targeted event logs have been successfully removed from the cluster\u0026rsquo;s audit trail.\u003c/li\u003e\n\u003cli\u003eContinue lateral movement and data exfiltration, now with reduced risk of detection due to the deleted event logs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of Kubernetes events allows attackers to operate within the cluster undetected for extended periods. This can lead to significant data breaches, system compromise, and disruption of services. The absence of event logs makes forensic investigation and incident response extremely challenging, potentially leading to inaccurate assessments of the scope and impact of the attack. While the exact number of victims is unknown, this technique, if successful, significantly amplifies the damage caused by any initial intrusion.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Kubernetes Events Deleted\u0026rdquo; to your SIEM to detect event deletion attempts in your Kubernetes environment (logsource: application, product: kubernetes, service: audit).\u003c/li\u003e\n\u003cli\u003eReview and harden RBAC policies to minimize the risk of unauthorized event deletion.\u003c/li\u003e\n\u003cli\u003eImplement strong audit logging practices and ensure that audit logs are securely stored and protected from tampering.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-02T12:00:00Z","date_published":"2024-05-02T12:00:00Z","id":"/briefs/2024-05-kubernetes-events-deleted/","summary":"An adversary may delete Kubernetes events to evade detection and hide malicious activity within a Kubernetes environment by removing audit logs.","title":"Kubernetes Event Deletion for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-05-kubernetes-events-deleted/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Okta Identity Engine"],"_cs_severities":["high"],"_cs_tags":["okta","identity","privilege-escalation","persistence","defense-evasion","initial-access"],"_cs_type":"advisory","_cs_vendors":["Okta"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting unusual behaviors within the Okta Admin Console, as identified by Okta\u0026rsquo;s heuristics. While the specific campaign details are unknown, identifying anomalous access patterns to the Admin Console is crucial for detecting various malicious activities. This includes potential privilege escalation by compromised accounts or insider threats attempting to gain elevated permissions, establishing persistence through unauthorized modifications, evading existing security controls, or gaining initial access through account compromise. The detection relies on Okta\u0026rsquo;s system logs which can signal unusual administrative activity. Defenders should prioritize monitoring and alerting on these events to quickly identify and respond to potential security breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Okta account, possibly through credential phishing or brute-force attacks.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to log in to the Okta Admin Console.\u003c/li\u003e\n\u003cli\u003eOkta\u0026rsquo;s behavior detection engine analyzes the login attempt, considering factors like the user\u0026rsquo;s location, device, and time of day.\u003c/li\u003e\n\u003cli\u003eThe system logs record a \u003ccode\u003epolicy.evaluate_sign_on\u003c/code\u003e event when a sign-on policy is evaluated.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etarget.displayName\u003c/code\u003e field within the log specifies \u0026ldquo;Okta Admin Console\u0026rdquo; indicating the user is attempting to access the administrative interface.\u003c/li\u003e\n\u003cli\u003eIf Okta identifies the behavior as unusual, the \u003ccode\u003edebugContext.debugData.behaviors\u003c/code\u003e or \u003ccode\u003edebugContext.debugData.logOnlySecurityData\u003c/code\u003e fields will contain \u0026ldquo;POSITIVE\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eAn alert is triggered based on the identified unusual behavior.\u003c/li\u003e\n\u003cli\u003eThe attacker, if successful in bypassing initial checks, may proceed to create new admin accounts, modify existing policies, or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromise of the Okta Admin Console can lead to significant damage, including unauthorized access to sensitive data, modification of security policies, creation of rogue administrator accounts, and ultimately, a complete takeover of the Okta environment. This can impact all applications and services integrated with Okta, potentially affecting thousands of users and causing significant financial and reputational damage. Early detection is crucial to limiting the scope and impact of such attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eOkta Admin Console Unusual Behavior\u003c/code\u003e to your SIEM to detect suspicious Okta Admin Console access based on Okta\u0026rsquo;s internal behavior analysis.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine if the unusual behavior is legitimate or indicative of malicious activity.\u003c/li\u003e\n\u003cli\u003eReview Okta\u0026rsquo;s System Log API documentation to understand the various event types and data fields available for monitoring and detection.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Okta accounts, especially administrator accounts, to mitigate the risk of account compromise (related to initial access).\u003c/li\u003e\n\u003cli\u003eMonitor Okta\u0026rsquo;s security advisories and announcements for updates on emerging threats and recommended security practices (references).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-02T10:00:00Z","date_published":"2024-05-02T10:00:00Z","id":"/briefs/2024-05-okta-admin-console-behaviors/","summary":"This brief details detection of anomalous activity within the Okta Admin Console, potentially indicating privilege escalation, persistence, defense evasion, or initial access attempts by malicious actors.","title":"Okta Admin Console Unusual Behavior Detection","url":"https://feed.craftedsignal.io/briefs/2024-05-okta-admin-console-behaviors/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Microsoft Teams","Google Chrome","Mozilla Firefox","Opera","Cisco WebEx","Discord","WhatsApp","Zoom","Brave Browser","Slack","thunderbird.exe"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne","Microsoft","Google","Mozilla","Opera","Cisco","Discord","WhatsApp","Zoom","Brave"],"content_html":"\u003cp\u003eThis detection rule focuses on identifying suspicious child processes of communication applications such as Slack, Cisco Webex, Microsoft Teams, Discord, WhatsApp, Zoom, and Thunderbird on Windows operating systems. Attackers may attempt to masquerade as legitimate processes or exploit vulnerabilities in these applications to execute malicious code. The rule monitors for the creation of child processes by these communication apps and checks if those child processes are unexpected, untrusted, or lack a valid code signature. This detection is crucial because successful exploitation can lead to unauthorized access, data exfiltration, or further compromise of the system. The rule has been actively maintained since August 2023, with updates as recent as May 2026, indicating its relevance and ongoing refinement to address emerging threats.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser launches a communication application (e.g., Slack, Teams, Webex).\u003c/li\u003e\n\u003cli\u003eThe communication application executes a vulnerable or compromised component.\u003c/li\u003e\n\u003cli\u003eThe compromised component spawns a child process (e.g., powershell.exe, cmd.exe).\u003c/li\u003e\n\u003cli\u003eThe child process executes a malicious command or script.\u003c/li\u003e\n\u003cli\u003eThe script attempts to download additional payloads from an external source.\u003c/li\u003e\n\u003cli\u003eThe payload executes, establishing persistence through registry modification or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the system.\u003c/li\u003e\n\u003cli\u003eData exfiltration or lateral movement within the network occurs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the compromise of sensitive data, installation of malware, and potential lateral movement within the organization\u0026rsquo;s network. By exploiting communication applications, attackers can gain access to internal communications, confidential documents, and user credentials. The number of affected users and the extent of the damage depend on the compromised application and the attacker\u0026rsquo;s objectives. If successful, this attack may lead to significant financial loss, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Communication App Child Process\u003c/code\u003e to your SIEM to detect anomalous child processes spawned by communication applications and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments in Windows to ensure that the Sigma rule has the necessary data to function correctly (logsource: \u003ccode\u003eprocess_creation\u003c/code\u003e, product: \u003ccode\u003ewindows\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule and review the command line arguments of the spawned processes to identify potential malicious activity.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to restrict the execution of unauthorized applications and reduce the attack surface.\u003c/li\u003e\n\u003cli\u003eEnsure that all communication applications are updated to the latest versions to patch known vulnerabilities and reduce the risk of exploitation.\u003c/li\u003e\n\u003cli\u003eExamine the network activity of the affected system to identify any suspicious outbound connections that may indicate data exfiltration or communication with a command and control server, referencing the setup guide.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-31T12:00:00Z","date_published":"2024-01-31T12:00:00Z","id":"/briefs/2024-01-suspicious-comm-app-child-process/","summary":"The detection rule identifies suspicious child processes spawned from communication applications on Windows systems, potentially indicating masquerading or exploitation of vulnerabilities within these applications.","title":"Suspicious Child Processes from Communication Applications","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-comm-app-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","Elastic Endgame","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","lateral-movement","registry-modification","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eNetwork Level Authentication (NLA) is a security feature in Windows that requires users to authenticate before establishing a full RDP session, adding an extra layer of protection against unauthorized access. Attackers might attempt to disable NLA to gain access to the Windows sign-in screen without proper authentication. This tactic can facilitate the deployment of persistence mechanisms, such as leveraging Accessibility Features like Sticky Keys, or enable unauthorized remote access. This brief addresses the registry modifications associated with disabling NLA and provides detection strategies to identify such attempts. The references indicate that this technique is used in conjunction with other attacks for lateral movement within a compromised network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the system is gained (potentially via compromised credentials or vulnerability exploitation).\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to modify system-level settings.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry key \u003ccode\u003eHKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication\u003c/code\u003e to disable NLA.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eUserAuthentication\u003c/code\u003e value is set to \u0026ldquo;0\u0026rdquo; or \u0026ldquo;0x00000000\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish an RDP connection to the compromised system.\u003c/li\u003e\n\u003cli\u003eDue to the disabled NLA, the attacker bypasses the initial authentication screen.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages accessibility features (e.g., Sticky Keys) for persistence or further exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of NLA allows attackers to bypass authentication and gain unauthorized access to systems via RDP. This can lead to data theft, malware installation, or further lateral movement within the network. While the exact number of victims and sectors targeted are unspecified, the potential impact includes significant data breaches and system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process-creation and registry event logging to detect the registry modifications (Elastic Defend, Elastic Endgame, Microsoft Defender XDR, SentinelOne, Sysmon).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect attempts to modify the \u003ccode\u003eUserAuthentication\u003c/code\u003e registry key (Sysmon Registry Events).\u003c/li\u003e\n\u003cli\u003eReview and harden RDP configurations across the environment to prevent unauthorized access (Microsoft documentation).\u003c/li\u003e\n\u003cli\u003eMonitor endpoint security policies to detect unauthorized registry modifications (Endpoint Security Policies).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-31T12:00:00Z","date_published":"2024-01-31T12:00:00Z","id":"/briefs/2024-01-disable-nla/","summary":"Adversaries may disable Network-Level Authentication (NLA) by modifying specific registry keys to bypass authentication requirements for Remote Desktop Protocol (RDP) and enable persistence mechanisms.","title":"Network-Level Authentication (NLA) Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-nla/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers can try to cover their tracks by clearing the PowerShell console history on Windows systems. PowerShell offers multiple ways to log commands, including the built-in history and the command history managed by the PSReadLine module. This activity is often part of post-compromise behavior aimed at evading detection and forensic analysis. This rule detects the execution of specific commands that clear the built-in PowerShell logs or delete the \u003ccode\u003eConsoleHost_history.txt\u003c/code\u003e file. The rule focuses on PowerShell activity and covers scenarios where commands like Clear-History, Remove-Item, rm, and Set-PSReadlineOption are used to manipulate command history.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through an unspecified method, potentially exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes PowerShell (powershell.exe, pwsh.exe, or powershell_ise.exe) to perform reconnaissance and other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to clear the PowerShell command history using the \u003ccode\u003eClear-History\u003c/code\u003e cmdlet.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker attempts to remove the \u003ccode\u003eConsoleHost_history.txt\u003c/code\u003e file using \u003ccode\u003eRemove-Item\u003c/code\u003e or \u003ccode\u003erm\u003c/code\u003e, which stores the PSReadLine command history.\u003c/li\u003e\n\u003cli\u003eAnother method involves using the \u003ccode\u003eSet-PSReadlineOption\u003c/code\u003e cmdlet with the \u003ccode\u003eSaveNothing\u003c/code\u003e parameter to prevent the saving of future command history.\u003c/li\u003e\n\u003cli\u003eThe attacker may leverage other tools and techniques to further obscure their activities and maintain persistence on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems within the network to increase their impact.\u003c/li\u003e\n\u003cli\u003eThe final objective is data exfiltration, deployment of ransomware, or other malicious activities, all while attempting to evade detection by clearing logs and command history.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful clearing of console history hinders forensic investigations and incident response efforts. If command history is cleared, administrators will have difficulty reconstructing the attacker\u0026rsquo;s actions and identifying the extent of the compromise. This can lead to prolonged incident response times, increased damage, and potential for further exploitation of the compromised systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Clearing PowerShell History\u003c/code\u003e to your SIEM to detect the use of \u003ccode\u003eClear-History\u003c/code\u003e cmdlet, potentially indicating an attempt to remove command history.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Removal of PowerShell History File\u003c/code\u003e to detect the use of \u003ccode\u003eRemove-Item\u003c/code\u003e or \u003ccode\u003erm\u003c/code\u003e command against the PowerShell history file.\u003c/li\u003e\n\u003cli\u003eEnable PowerShell logging and auditing policies to ensure adequate visibility into PowerShell activity as described in the \u003ca href=\"https://ela.st/audit-process-creation\"\u003esetup instructions\u003c/a\u003e to improve detection capabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-clearing-console-history/","summary":"Adversaries may clear the command history of a compromised account to conceal the actions undertaken during an intrusion on a Windows system.","title":"Windows Console History Clearing","url":"https://feed.craftedsignal.io/briefs/2024-01-30-clearing-console-history/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers often attempt to modify file or directory ownership to bypass access controls and gain unauthorized access to sensitive data or system resources. This involves altering permissions associated with critical files or directories, granting broader access to accounts under attacker control or resetting permissions to default values which might be more permissive. This defense evasion technique can be used to establish persistence, escalate privileges, or exfiltrate data without triggering standard security alerts. The common tools used include \u003ccode\u003eicacls.exe\u003c/code\u003e and \u003ccode\u003etakeown.exe\u003c/code\u003e, typically targeting files within the \u003ccode\u003eC:\\Windows\\\u003c/code\u003e directory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved through an existing compromised account or vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003etakeown.exe /f \u0026lt;file\u0026gt;\u003c/code\u003e to take ownership of a target file or directory.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eicacls.exe \u0026lt;file\u0026gt; /reset\u003c/code\u003e to reset the ACL of the file or directory.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses \u003ccode\u003eicacls.exe \u0026lt;file\u0026gt; /grant Everyone:F\u003c/code\u003e to grant full control to everyone, weakening security.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the contents of the file, such as injecting malicious code or configuration changes.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the modified file for persistence, such as a modified system DLL loaded at boot.\u003c/li\u003e\n\u003cli\u003eThe system executes the malicious code when the compromised file is accessed or executed.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as maintaining persistence, escalating privileges, or executing arbitrary commands.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromising file and directory permissions can lead to significant security breaches. Successful attacks can allow unauthorized access to sensitive data, system instability, or the execution of malicious code with elevated privileges. This can affect any Windows environment where file permissions are improperly managed, with potential for widespread system compromise and data exfiltration. The impact is most severe on systems containing sensitive data or critical infrastructure components.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution for \u003ccode\u003eicacls.exe\u003c/code\u003e and \u003ccode\u003etakeown.exe\u003c/code\u003e with suspicious arguments targeting system files (e.g., \u003ccode\u003eC:\\Windows\\*\u003c/code\u003e) to detect potential permission modification attempts using the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eEnable Windows Security Auditing for file system changes to capture events related to permission modifications and ownership changes.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM and tune for your environment, specifically focusing on processes modifying permissions on files within the \u003ccode\u003eC:\\Windows\\\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rules, focusing on the process execution chain and the target files being modified.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-system-file-ownership-change/","summary":"Adversaries may modify file or directory ownership to evade access control lists (ACLs) and access protected files, often using icacls.exe or takeown.exe to reset permissions on system files.","title":"System File Ownership Change for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-system-file-ownership-change/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","lolbin","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert leverages Elastic\u0026rsquo;s ProblemChild integration to detect potential Living off the Land (LotL) attacks on Windows systems. The rule utilizes a combination of supervised and unsupervised machine learning models to identify parent processes spawning clusters of suspicious child processes. These child processes are flagged as having unusually high malicious probability scores, suggesting the use of LOLBins or other defense evasion techniques. The detection focuses on identifying groups of processes with the same parent process name where the aggregated malicious score for the cluster is unusually high, as determined by an unsupervised machine learning model. The rule is active as of October 2023, with updates through April 2026 and requires Elastic Stack version 9.4.0 or later.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a legitimate, signed Windows binary (LOLBin) such as \u003ccode\u003epowershell.exe\u003c/code\u003e or \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe LOLBin is used to execute malicious code or commands.\u003c/li\u003e\n\u003cli\u003eThe LOLBin spawns one or more child processes that perform malicious actions like reconnaissance or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe ProblemChild supervised ML model flags the child processes as having a high malicious probability score.\u003c/li\u003e\n\u003cli\u003eThe unsupervised ML model calculates an unusually high aggregate score for the cluster of child processes originating from the same parent process.\u003c/li\u003e\n\u003cli\u003eThe detection rule triggers, identifying the suspicious parent-child process relationship.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using LOLBins can allow adversaries to bypass traditional signature-based detections and operate undetected within a network. The masquerading of malicious activity as legitimate system processes makes it difficult for security teams to identify and respond to threats effectively. The impact can range from data theft and system compromise to ransomware deployment, depending on the attacker\u0026rsquo;s objectives. The machine learning detection helps analysts to prioritize alerts which may otherwise be missed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the Living off the Land (LotL) Attack Detection integration assets are installed within Elastic Security, as described in the \u0026ldquo;Setup\u0026rdquo; section of this brief.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026ldquo;Parent Process Detected with Suspicious Windows Process(es)\u0026rdquo; rule, focusing on the parent process name and the command-line arguments of the suspicious child processes (reference: Investigation Guide in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e field).\u003c/li\u003e\n\u003cli\u003eTune the \u003ccode\u003eanomaly_threshold\u003c/code\u003e value (currently 75) in the rule configuration based on your environment\u0026rsquo;s baseline activity to reduce false positives.\u003c/li\u003e\n\u003cli\u003eWhitelisting parent process names can mitigate false positives generated by legitimate administrative tools. (reference: False positive analysis in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e field)\u003c/li\u003e\n\u003cli\u003eEnable Windows process creation logging via Elastic Defend or Winlogbeat to ensure the rule has the necessary data to function (reference: Setup section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-suspicious-parent-process/","summary":"A machine learning model detected a parent process spawning a cluster of suspicious Windows processes with high malicious probability scores, potentially indicating LOLBins usage and defense evasion.","title":"Suspicious Windows Process Cluster from Parent Process via Machine Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-parent-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eAttackers may attempt to load expired or revoked drivers to bypass security controls and execute code in kernel mode. This technique can be used for privilege escalation or defense evasion. The loading of such drivers, especially by the System process (PID 4), is a strong indicator of malicious activity. The referenced Elastic detection rule, last updated on May 4, 2026, aims to identify such attempts by monitoring the code signature status of loaded drivers on Windows systems. The rule focuses on identifying drivers with \u0026ldquo;errorExpired\u0026rdquo; or \u0026ldquo;errorRevoked\u0026rdquo; status, providing defenders with a means to detect potentially malicious activity related to driver manipulation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., through social engineering or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker obtains or creates a malicious driver signed with an expired or revoked certificate, or an outdated driver with known vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to load the malicious driver onto the targeted Windows system.\u003c/li\u003e\n\u003cli\u003eThe Windows operating system attempts to verify the driver\u0026rsquo;s code signature.\u003c/li\u003e\n\u003cli\u003eThe code signature verification fails due to the driver\u0026rsquo;s expired or revoked certificate.\u003c/li\u003e\n\u003cli\u003eDespite the signature failure, the attacker attempts to force the system to load the driver, possibly by exploiting a bypass or misconfiguration.\u003c/li\u003e\n\u003cli\u003eThe driver is loaded into kernel mode, granting the attacker elevated privileges and control over the system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised driver to execute malicious code, escalate privileges, or evade security defenses.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack involving the loading of an expired or revoked driver can lead to complete system compromise. An attacker could gain unauthorized access to sensitive data, install malware, or disrupt critical services. The consequences range from data breaches to system instability and loss of integrity. The Elastic detection rule aims to detect these attempts before significant damage can occur.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect instances of expired or revoked drivers being loaded (reference: Sigma rule).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy and potential risk associated with the loaded driver (reference: Sigma rule).\u003c/li\u003e\n\u003cli\u003eEnable endpoint detection and response (EDR) solutions like Elastic Defend to enhance visibility into driver loading events (reference: Elastic Defend).\u003c/li\u003e\n\u003cli\u003eRegularly update driver blocklists to prevent the loading of known malicious or vulnerable drivers (reference: References URL).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual driver loading activity, particularly by the System process (PID 4) (reference: Sigma rule, process.pid == 4).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-expired-driver-load/","summary":"An expired or revoked driver being loaded on a Windows system may indicate an attempt to gain code execution in kernel mode or abuse revoked certificates for malicious purposes, potentially leading to privilege escalation or defense evasion.","title":"Expired or Revoked Driver Loaded","url":"https://feed.craftedsignal.io/briefs/2024-01-expired-driver-load/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","command-and-control","windows","msxsl"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne"],"content_html":"\u003cp\u003eMsXsl.exe is a Windows utility designed to transform XML data using XSLT stylesheets. Adversaries are known to abuse this utility to execute malicious scripts, bypassing application control and other security measures. This behavior is often used as a defense evasion technique to download or execute malicious payloads. This activity has been observed since at least March 2020. The abuse of msxsl.exe allows attackers to establish command and control or exfiltrate sensitive data without being easily detected, as the tool is a signed Microsoft binary. This matters for defenders because it highlights the need to monitor legitimate system utilities for anomalous behavior, specifically network connections to external IP addresses.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages msxsl.exe to execute a malicious script.\u003c/li\u003e\n\u003cli\u003eMsxsl.exe initiates a network connection to an external IP address.\u003c/li\u003e\n\u003cli\u003eThe script downloads a malicious payload from the external server.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is executed on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a command and control channel through the network connection.\u003c/li\u003e\n\u003cli\u003eThe attacker performs data exfiltration via the established C2 channel.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems can be used for further malicious activities, including data theft, lateral movement, and deployment of additional malware. Successful exploitation can lead to sensitive data exfiltration, disruption of services, or complete system compromise. The low risk score does not represent impact, but instead reflects that the behavior is not always malicious, and may be a feature of normal software operation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon network connection logging to monitor msxsl.exe network activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Network Connection via MsXsl\u0026rdquo; to your SIEM and tune for your environment to detect suspicious network connections originating from msxsl.exe.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the destination IP address and the parent process of msxsl.exe.\u003c/li\u003e\n\u003cli\u003eWhitelist legitimate uses of msxsl.exe in your environment based on known good processes or applications to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T10:00:00Z","date_published":"2024-01-30T10:00:00Z","id":"/briefs/2024-01-msxsl-network-connection/","summary":"Msxsl.exe, a legitimate Windows utility, is being abused by adversaries to make network connections to non-local IPs for command and control or data exfiltration, potentially bypassing security measures.","title":"MsXsl.exe Network Connection for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-msxsl-network-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","execution","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may leverage scripting engines, such as \u003ccode\u003ewscript.exe\u003c/code\u003e and \u003ccode\u003ecscript.exe\u003c/code\u003e, to directly modify the Windows Registry. These scripting engines are often abused for malicious purposes, including establishing persistence, escalating privileges, or disabling security controls. These scripting engines can modify the registry without using standard tools like \u003ccode\u003eregedit.exe\u003c/code\u003e or \u003ccode\u003ereg.exe\u003c/code\u003e, making it harder to detect malicious registry changes. Defenders should be aware of processes using these engines to modify the registry, as this behavior is uncommon in legitimate software installations or administrative tasks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, potentially through social engineering or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script (VBScript, JScript) via \u003ccode\u003ewscript.exe\u003c/code\u003e or \u003ccode\u003ecscript.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script contains commands to modify specific registry keys, such as the Run key for persistence (T1547.001).\u003c/li\u003e\n\u003cli\u003eThe scripting engine process (e.g., \u003ccode\u003ewscript.exe\u003c/code\u003e) directly interacts with the Windows Registry to set the new values.\u003c/li\u003e\n\u003cli\u003eUpon system restart or user logon, the modified registry key triggers the execution of a malicious payload.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence on the compromised system, allowing for continued access and control.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the persistent access to perform lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to persistent access on compromised systems, enabling attackers to execute malicious code, steal sensitive information, or disrupt critical services. The registry modifications performed by scripting engines can bypass traditional security measures and make it difficult to detect and remediate the attack. This can result in significant data loss, financial damage, and reputational harm to affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Registry Tampering by Potentially Suspicious Processes\u0026rdquo; to your SIEM to detect suspicious registry modifications made by scripting engines.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u0026ldquo;Registry Tampering by Potentially Suspicious Processes\u0026rdquo; for unusual or unauthorized registry changes.\u003c/li\u003e\n\u003cli\u003eMonitor registry events for modifications made by processes such as \u003ccode\u003ewscript.exe\u003c/code\u003e and \u003ccode\u003ecscript.exe\u003c/code\u003e (logsource: registry_event).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-29-susp-reg-mod/","summary":"The use of scripting engines like WScript and CScript to modify the Windows registry can indicate an attempt to bypass standard tools and evade defenses, potentially for persistence or other malicious activities.","title":"Suspicious Registry Modifications by Scripting Engines","url":"https://feed.craftedsignal.io/briefs/2024-01-29-susp-reg-mod/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","Elastic Endgame","Sysmon Event ID 11 - File Create"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","windows","managed code","lolbin"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies suspicious managed code hosting processes on Windows systems. Attackers may leverage processes like \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003ewmic.exe\u003c/code\u003e, \u003ccode\u003esvchost.exe\u003c/code\u003e, \u003ccode\u003edllhost.exe\u003c/code\u003e, \u003ccode\u003ecmstp.exe\u003c/code\u003e, and \u003ccode\u003eregsvr32.exe\u003c/code\u003e to execute malicious code, often bypassing traditional security controls. These processes can be abused to load and execute .NET assemblies or other managed code components. The detection focuses on identifying unusual file creation events associated with these processes which could indicate an attacker is attempting to leverage these processes for malicious purposes. This activity might be indicative of code injection, defense evasion, or other suspicious code execution techniques. The rule uses EQL to search for file events associated with specific processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through a phishing email or compromised software.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a LOLBin such as \u003ccode\u003emshta.exe\u003c/code\u003e or \u003ccode\u003eregsvr32.exe\u003c/code\u003e to bypass application control.\u003c/li\u003e\n\u003cli\u003eThe LOLBin executes a malicious script or loads a malicious DLL from a user-writable location.\u003c/li\u003e\n\u003cli\u003eThe malicious script or DLL performs reconnaissance activities, such as gathering system information or enumerating network resources.\u003c/li\u003e\n\u003cli\u003eThe attacker then attempts to escalate privileges by exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised process to download and execute additional malware.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence on the system through scheduled tasks or registry modifications.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement within the network, compromising additional systems and exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to compromise systems, steal sensitive data, and establish persistence. The use of LOLBins can bypass application control, making detection more challenging. Depending on the scope of the attack, this could result in significant financial losses, reputational damage, and disruption of business operations. This is a high-severity finding due to the potential for attackers to gain full control over affected systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon file creation logging (Event ID 11) to collect the necessary data for this detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Managed Code Hosting Process\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the file paths, process command lines, and parent processes involved.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected file creation events associated with processes like \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, and \u003ccode\u003emshta.exe\u003c/code\u003e in user-writable directories.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of LOLBins and other potentially malicious processes.\u003c/li\u003e\n\u003cli\u003eCorrelate the detection with other security events to identify related malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-29-suspicious-managedcode-hosting/","summary":"This rule detects suspicious managed code hosting processes on Windows systems, potentially indicating code injection or defense evasion tactics by monitoring file events associated with processes commonly used to host managed code, such as wscript.exe, cscript.exe, and mshta.exe.","title":"Suspicious Managed Code Hosting Process","url":"https://feed.craftedsignal.io/briefs/2024-01-29-suspicious-managedcode-hosting/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","masquerading","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies processes executing from directories that masquerade as the legitimate Windows Program Files directories. Attackers may create directories with similar names (e.g., \u0026ldquo;C:\\Program Files Bad\u0026rdquo; or \u0026ldquo;C:\\Program Files(x86) Malicious\u0026rdquo;) to host and execute malicious executables, bypassing security measures that trust the standard Program Files locations. This technique is particularly effective when combined with low-privilege accounts, as it allows attackers to evade detections that whitelist only the standard, trusted Program Files paths. The timeframe for this rule is the last 9 months. This matters to defenders because it highlights a common tactic used to bypass established trust relationships within the Windows operating system, requiring more granular inspection of process execution paths.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new directory that mimics the \u0026ldquo;Program Files\u0026rdquo; or \u0026ldquo;Program Files (x86)\u0026rdquo; directory (e.g., \u0026ldquo;C:\\Program Files Bad\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker copies or downloads malicious executable files into the newly created masquerading directory.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malicious executable from the masquerading directory.\u003c/li\u003e\n\u003cli\u003eThe operating system loads the executable and begins its execution, potentially bypassing any allowlisting rules that only check the standard \u0026ldquo;Program Files\u0026rdquo; locations.\u003c/li\u003e\n\u003cli\u003eThe malicious executable performs its intended actions, such as installing malware, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised system to move laterally within the network, repeating the masquerading technique on other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to malware infection, data theft, or complete system compromise. The impact is significant, as it undermines the trust placed in the \u0026ldquo;Program Files\u0026rdquo; directory and allows attackers to operate undetected for extended periods. While no specific victim counts are given, the technique is broadly applicable to any Windows environment, especially those relying on simple path-based allowlisting for security.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eProgram Files Directory Masquerading Detection\u003c/code\u003e to your SIEM to detect suspicious process executions from masquerading directories.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to collect the necessary process execution data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eRegularly review and update allowlisting rules to include more specific criteria beyond just the \u0026ldquo;Program Files\u0026rdquo; directory, such as file hashes or digital signatures.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent processes and user accounts associated with the suspicious executions.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events in the root directory to detect suspicious folders being created (file_event category)\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-program-files-masquerading/","summary":"Adversaries may masquerade malicious executables within directories mimicking the legitimate Windows Program Files directory to evade defenses and execute untrusted code.","title":"Program Files Directory Masquerading","url":"https://feed.craftedsignal.io/briefs/2024-01-program-files-masquerading/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend","Elastic Endgame"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","windows","msiexec","remote-install"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAdversaries may abuse Windows Installer (msiexec.exe) to perform remote installations of malicious payloads. This technique is used for initial access, defense evasion, and execution of arbitrary code. The detection rule identifies attempts to install a file from a remote server using MsiExec. The rule looks for msiexec.exe processes running with arguments such as \u003ccode\u003e-i\u003c/code\u003e, \u003ccode\u003e/i\u003c/code\u003e, \u003ccode\u003e-p\u003c/code\u003e, or \u003ccode\u003e/p\u003c/code\u003e, indicative of remote installations, and executed from suspicious parent processes like \u003ccode\u003esihost.exe\u003c/code\u003e, \u003ccode\u003eexplorer.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ewmiprvse.exe\u003c/code\u003e, \u003ccode\u003epcalua.exe\u003c/code\u003e, \u003ccode\u003eforfiles.exe\u003c/code\u003e, and \u003ccode\u003econhost.exe\u003c/code\u003e. The rule includes exceptions to reduce false positives from legitimate software installations, specifically excluding command lines containing \u003ccode\u003e--set-server\u003c/code\u003e, \u003ccode\u003eUPGRADEADD\u003c/code\u003e, \u003ccode\u003e--url\u003c/code\u003e, \u003ccode\u003eUSESERVERCONFIG\u003c/code\u003e, \u003ccode\u003eRCTENTERPRISESERVER\u003c/code\u003e, \u003ccode\u003eapp.ninjarmm.com\u003c/code\u003e, \u003ccode\u003ezoom.us/client\u003c/code\u003e, \u003ccode\u003eSUPPORTSERVERSTSURI\u003c/code\u003e, \u003ccode\u003eSTART_URL\u003c/code\u003e, \u003ccode\u003eAUTOCONFIG\u003c/code\u003e, \u003ccode\u003eawscli.amazonaws.com\u003c/code\u003e, \u003ccode\u003e*/i \\\u0026quot;C:*\u003c/code\u003e, and \u003ccode\u003e*/i C:\\\\*\u003c/code\u003e. This technique can lead to complete system compromise and data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access via an unspecified method (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker uses a script or command-line interpreter (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e) to initiate the \u003ccode\u003emsiexec.exe\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emsiexec.exe\u003c/code\u003e process is launched with arguments that specify a remote MSI package (\u003ccode\u003e-i\u003c/code\u003e, \u003ccode\u003e/i\u003c/code\u003e, \u003ccode\u003e-p\u003c/code\u003e, \u003ccode\u003e/p\u003c/code\u003e) and enable silent installation (\u003ccode\u003e/qn\u003c/code\u003e, \u003ccode\u003e-qn\u003c/code\u003e, \u003ccode\u003e-q\u003c/code\u003e, \u003ccode\u003e/q\u003c/code\u003e, \u003ccode\u003e/quiet\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emsiexec.exe\u003c/code\u003e process downloads the MSI package from a remote server over HTTP or HTTPS.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emsiexec.exe\u003c/code\u003e executes the downloaded MSI package, which may contain malicious payloads.\u003c/li\u003e\n\u003cli\u003eThe malicious payload executes, potentially performing actions such as installing malware, establishing persistence, or escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control over the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs further actions, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to install malware, steal sensitive data, or disrupt system operations. A compromised system can be used as a pivot point to access other systems on the network. The impact can range from data breaches and financial losses to reputational damage and disruption of critical services. The number of potential victims depends on the scope of the initial access and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious MsiExec invocations with remote payloads.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to ensure the required data is available for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent process, command-line arguments, and network connections associated with the \u003ccode\u003emsiexec.exe\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for child processes spawned by \u003ccode\u003emsiexec.exe\u003c/code\u003e for anomalous activity.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of \u003ccode\u003emsiexec.exe\u003c/code\u003e to authorized users and processes only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T10:00:00Z","date_published":"2024-01-29T10:00:00Z","id":"/briefs/2024-01-29-msiexec-remote-payload/","summary":"This rule detects attempts to install a file from a remote server using MsiExec, which adversaries may abuse to deliver malware, by identifying msiexec.exe processes running with arguments indicative of remote installations and executed from suspicious parent processes.","title":"Potential Remote Install via MsiExec","url":"https://feed.craftedsignal.io/briefs/2024-01-29-msiexec-remote-payload/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Endpoint Security","SentinelOne Cloud Funnel","Crowdstrike FDR","Sysmon"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","amsi","registry","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers can disable the Antimalware Scan Interface (AMSI) to evade detection by modifying the \u003ccode\u003eAmsiEnable\u003c/code\u003e registry key. This technique is commonly employed to execute malicious scripts without triggering security warnings or blocks. The AMSI, a Windows feature, allows applications and services to request the scanning of potentially malicious content (e.g., PowerShell scripts, JScript) before execution. By setting the \u003ccode\u003eAmsiEnable\u003c/code\u003e value to 0, an attacker can disable AMSI for the current user, effectively bypassing real-time script scanning. This action is often a precursor to deploying further malicious payloads or establishing persistence on a compromised system. This behavior has been observed since at least 2019 and continues to be a relevant defense evasion technique.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script or binary that attempts to modify the \u003ccode\u003eAmsiEnable\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eThe script or binary uses \u003ccode\u003ereg.exe\u003c/code\u003e, PowerShell, or another tool to set the \u003ccode\u003eAmsiEnable\u003c/code\u003e registry value to 0. The registry key location is typically \u003ccode\u003eHKEY_USERS\\\u0026lt;SID\u0026gt;\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAfter successfully disabling AMSI, the attacker proceeds to execute malicious scripts or code. These scripts may use \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, or \u003ccode\u003ecscript.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious scripts download and execute additional payloads, such as malware or remote access tools (RATs).\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement within the network using the compromised system as a pivot.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish persistence, ensuring continued access to the system even after reboots.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys ransomware to achieve their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the \u003ccode\u003eAmsiEnable\u003c/code\u003e registry key allows attackers to execute malicious scripts without triggering AMSI alerts, leading to potential malware infections, data breaches, and system compromise. Disabling AMSI significantly reduces the effectiveness of endpoint security solutions, making the system more vulnerable to attack. The impact can range from individual workstation compromise to widespread network infections, depending on the attacker\u0026rsquo;s objectives and the organization\u0026rsquo;s security posture.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AmsiEnable Registry Modification via Registry Events\u003c/code\u003e to your SIEM to detect modifications to the \u003ccode\u003eAmsiEnable\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to provide the necessary data for the Sigma rule to function.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for processes modifying registry keys, especially \u003ccode\u003ereg.exe\u003c/code\u003e and PowerShell, using the rule \u003ccode\u003eDetect AmsiEnable Registry Modification via Process Creation\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules promptly to determine if the activity is malicious or legitimate.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted scripts and binaries.\u003c/li\u003e\n\u003cli\u003eHarden systems by restricting user permissions to modify critical registry keys.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-27T18:23:00Z","date_published":"2024-01-27T18:23:00Z","id":"/briefs/2024-01-amsi-registry-disable/","summary":"Adversaries modify the AmsiEnable registry key to 0 to disable Windows Script AMSI scanning, bypassing AMSI protections for Windows Script Host or JScript execution.","title":"AMSI Enable Registry Key Modification for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-amsi-registry-disable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","SentinelOne Cloud Funnel","Elastic Defend","Elastic Endgame"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","ads","file-creation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThis detection focuses on identifying the creation of Alternate Data Streams (ADS) on Windows systems, a technique often employed by adversaries to conceal malicious code or data within seemingly benign files. Attackers leverage scripting engines and command interpreters to write ADS to various file types, including executables, documents, and media files. This activity is uncommon in legitimate workflows, making it a valuable indicator of potential compromise. The rule is designed to trigger on file creation events where the process creating the file is a known script or command interpreter (cmd.exe, powershell.exe, etc.) and the target file has a suspicious extension. The detection excludes common legitimate ADS usage patterns. This technique is used for defense evasion, allowing malware to persist without being easily detected by traditional security measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses a command interpreter (cmd.exe, powershell.exe, etc.) or scripting engine (wscript.exe, cscript.exe) to execute malicious code.\u003c/li\u003e\n\u003cli\u003eThe malicious code creates an Alternate Data Stream (ADS) on a targeted file (e.g., an executable, document, or image). The targeted file\u0026rsquo;s extension could be pdf, dll, exe, dat, etc.\u003c/li\u003e\n\u003cli\u003eThe attacker hides malicious code or data within the ADS, making it less visible to standard file system scans and security tools. The ADS is written to a file path using the \u003ccode\u003eC:\\\\*:\\*\u003c/code\u003e syntax.\u003c/li\u003e\n\u003cli\u003eThe attacker may rename or clean up any staging files to further conceal their activity.\u003c/li\u003e\n\u003cli\u003eThe attacker can then execute the hidden code within the ADS, or use the ADS to store configuration data for later use.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by using the ADS to store and execute malicious code, bypassing typical file-based security measures.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is to maintain unauthorized access to the system, potentially leading to data exfiltration, lateral movement, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to hide malicious code within legitimate files, evading detection by traditional security measures. This can lead to prolonged persistence on compromised systems, enabling data theft, ransomware deployment, or other malicious activities. While the specific number of victims is unknown, this technique is broadly applicable across Windows environments, potentially affecting a wide range of organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious ADS File Creation via Cmd\u003c/code\u003e to detect ADS creation events initiated by cmd.exe.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious ADS File Creation via PowerShell\u003c/code\u003e to detect ADS creation events initiated by powershell.exe.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 15 (FileCreateStreamHash) to provide detailed information about ADS creation events, as referenced in the rule\u0026rsquo;s setup instructions.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the file paths, creating processes, and command-line arguments involved, as detailed in the rule\u0026rsquo;s triage and analysis notes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T18:00:00Z","date_published":"2024-01-26T18:00:00Z","id":"/briefs/2024-01-ads-file-creation/","summary":"Detects suspicious creation of Alternate Data Streams (ADS) on targeted files using script or command interpreters, indicative of malware hiding in ADS for defense evasion.","title":"Suspicious Alternate Data Stream (ADS) File Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-ads-file-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","command-and-control","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne"],"content_html":"\u003cp\u003eAttackers often abuse the \u003ccode\u003erundll32.exe\u003c/code\u003e utility to execute malicious Dynamic Link Libraries (DLLs), blending their activity with legitimate system operations. This detection identifies instances where \u003ccode\u003erundll32.exe\u003c/code\u003e establishes outbound network connections, particularly when executed without command-line arguments. Such behavior deviates from typical usage and may indicate command and control (C2) activity or other malicious actions. The rule is designed to detect command and control activity where adversaries are using \u003ccode\u003erundll32.exe\u003c/code\u003e without arguments to make external network connections. The rule uses data from Elastic Defend, Sysmon, and SentinelOne to detect this behavior. The rule specifically excludes connections to well-known private and reserved IP ranges to reduce false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, possibly through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to execute a malicious DLL using \u003ccode\u003erundll32.exe\u003c/code\u003e without specifying arguments, which is an anomaly.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003erundll32.exe\u003c/code\u003e is invoked with a command line resembling: \u003ccode\u003erundll32.exe \u0026lt;path_to_dll\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL initiates an outbound network connection to an external IP address.\u003c/li\u003e\n\u003cli\u003eThe network connection attempts to bypass firewall rules by masquerading as a legitimate system process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses this connection to establish a command and control channel.\u003c/li\u003e\n\u003cli\u003eData exfiltration or further exploitation activities occur over the established C2 channel.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft, ransomware deployment, or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish command and control channels on compromised systems, leading to potential data exfiltration, lateral movement within the network, and deployment of ransomware. This can result in significant financial losses, reputational damage, and disruption of business operations. The impact is broad, affecting any Windows environment where \u003ccode\u003erundll32.exe\u003c/code\u003e is used.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Unusual Network Connection via RunDLL32\u003c/code\u003e to your SIEM and tune for your environment to detect unusual network connections made by \u003ccode\u003erundll32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation and network connection logging to capture necessary events for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent processes of \u003ccode\u003erundll32.exe\u003c/code\u003e and the destination IP addresses of the network connections.\u003c/li\u003e\n\u003cli\u003eReview and harden firewall rules to prevent unauthorized outbound connections from system processes like \u003ccode\u003erundll32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted DLLs via \u003ccode\u003erundll32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T10:00:00Z","date_published":"2024-01-26T10:00:00Z","id":"/briefs/2024-01-rundll32-network-connection/","summary":"The rule detects unusual outbound network connections made by rundll32.exe, specifically when executed with minimal arguments, which may indicate command and control activity or defense evasion tactics on Windows systems.","title":"Unusual Network Connection via RunDLL32","url":"https://feed.craftedsignal.io/briefs/2024-01-rundll32-network-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Google Workspace"],"_cs_severities":["medium"],"_cs_tags":["initial-access","privilege-escalation","defense-evasion","persistence","gworkspace"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis brief focuses on detecting suspicious login activity within Google Workspace environments, as flagged by Google\u0026rsquo;s internal risk assessment mechanisms. Google Workspace logs login events and classifies them based on various risk factors, including the use of less secure applications, programmatic logins, and other anomalies. This detection capability is crucial for identifying potential compromises, unauthorized access attempts, and malicious activities within the Google Workspace ecosystem. Analyzing these flagged events allows security teams to proactively respond to threats before they escalate, preventing data breaches and maintaining the integrity of sensitive information. This alert focuses on logins classified as \u0026lsquo;suspicious_login_less_secure_app\u0026rsquo;, \u0026lsquo;suspicious_login\u0026rsquo;, and \u0026lsquo;suspicious_programmatic_login\u0026rsquo;.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access using compromised credentials or brute-force techniques targeting Google Workspace accounts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLogin Attempt:\u003c/strong\u003e The attacker attempts to log in to a Google Workspace account using a less secure application (e.g., an older email client without modern authentication) or via programmatic login.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuspicious Activity Detection:\u003c/strong\u003e Google\u0026rsquo;s internal systems analyze the login attempt and flag it as suspicious based on various risk factors, such as unusual location, time of day, or login method.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEvent Logging:\u003c/strong\u003e Google Workspace logs the suspicious login event, including the reason for the classification (e.g., \u0026lsquo;suspicious_login_less_secure_app\u0026rsquo;).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePotential Privilege Escalation:\u003c/strong\u003e Upon successful login, the attacker may attempt to escalate privileges within the Google Workspace environment to gain broader access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker might use techniques to evade detection, such as disabling security features or modifying audit logs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence by creating new accounts, modifying existing ones, or installing malicious apps.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Malicious Activity:\u003c/strong\u003e The attacker uses the compromised account to exfiltrate sensitive data or perform other malicious activities, such as sending phishing emails.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data stored within Google Workspace, including emails, documents, and other files. This can result in data breaches, financial loss, and reputational damage. The number of affected users depends on the scope of the compromised account and the attacker\u0026rsquo;s ability to escalate privileges. Targeted sectors are broad, affecting any organization relying on Google Workspace for collaboration and data storage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious login activity classified by Google Workspace (logsource: \u003ccode\u003egcp\u003c/code\u003e, service: \u003ccode\u003egoogle_workspace.login\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the login attempt and take appropriate action, such as resetting passwords or disabling compromised accounts.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all Google Workspace accounts to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eDisable or restrict the use of less secure apps within Google Workspace to reduce the attack surface.\u003c/li\u003e\n\u003cli\u003eMonitor Google Workspace audit logs for other suspicious activities, such as unusual file access or data exfiltration attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T10:00:00Z","date_published":"2024-01-26T10:00:00Z","id":"/briefs/2024-01-26-gworkspace-suspicious-login/","summary":"Detect Google Workspace login activity that Google has classified as suspicious, potentially indicating initial access, privilege escalation, defense evasion, or persistence attempts.","title":"Google Workspace Suspicious Login Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-26-gworkspace-suspicious-login/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Diagnostics Troubleshooting Wizard (MSDT)","Microsoft Defender XDR"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","msdt","windows"],"_cs_type":"threat","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThe Microsoft Diagnostics Troubleshooting Wizard (MSDT) is a built-in Windows tool used for troubleshooting various system issues. Attackers can abuse MSDT to proxy malicious command or binary execution through carefully crafted process arguments, evading traditional defense mechanisms. This technique leverages the trust associated with a signed Microsoft binary (msdt.exe) to execute arbitrary commands. The detection rule identifies suspicious MSDT executions based on command-line arguments, filename discrepancies, and unusual process relationships. This activity has been observed since at least May 2022 and continues to be a relevant defense evasion technique. Defenders should monitor for unusual invocations of MSDT, especially when launched from untrusted sources or with suspicious arguments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access via an unspecified vector (e.g., phishing, drive-by download).\u003c/li\u003e\n\u003cli\u003eThe attacker uses a malicious document or script to invoke \u003ccode\u003emsdt.exe\u003c/code\u003e with specific arguments.\u003c/li\u003e\n\u003cli\u003eMSDT is executed with a crafted \u003ccode\u003eIT_RebrowseForFile\u003c/code\u003e or \u003ccode\u003eIT_BrowseForFile\u003c/code\u003e parameter containing a malicious payload.\u003c/li\u003e\n\u003cli\u003eAlternatively, MSDT is executed with \u003ccode\u003e-af /skip\u003c/code\u003e and a path to a malicious \u003ccode\u003ePCWDiagnostic.xml\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eMSDT processes the malicious input, leading to the execution of attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes, potentially downloading or executing further payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence by modifying registry keys or creating scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally through the network, compromising additional systems and data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass security controls and execute arbitrary code on compromised systems. This can lead to data theft, system compromise, and further propagation of the attack within the network. The defense evasion tactic can obscure malicious activities, making it more difficult to detect and respond to incidents. Depending on the user\u0026rsquo;s privileges, the attacker might gain elevated privileges on the system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect suspicious MSDT executions based on process arguments, filename discrepancies, and unusual parent-child relationships.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003emsdt.exe\u003c/code\u003e with arguments containing \u003ccode\u003eIT_RebrowseForFile=*\u003c/code\u003e, \u003ccode\u003e*FromBase64*\u003c/code\u003e, or \u003ccode\u003e*/../../../*\u003c/code\u003e using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the necessary process execution details for the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the process command line, parent process, and any spawned child processes.\u003c/li\u003e\n\u003cli\u003eBlock execution of \u003ccode\u003emsdt.exe\u003c/code\u003e from non-standard paths as highlighted in the detection rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-25T14:23:00Z","date_published":"2024-01-25T14:23:00Z","id":"/briefs/2024-01-25-msdt-abuse/","summary":"This rule detects potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments on Windows systems.","title":"Suspicious Microsoft Diagnostics Wizard Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-25-msdt-abuse/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection rule identifies anomalous creation or modification of executable files by critical Windows system processes, like \u003ccode\u003esmss.exe\u003c/code\u003e, \u003ccode\u003ecsrss.exe\u003c/code\u003e, and \u003ccode\u003elsass.exe\u003c/code\u003e. Attackers may attempt to leverage these processes to evade detection, and the rule is designed to detect such activities. The rule leverages data from Elastic Defend, Microsoft Defender XDR, SentinelOne, CrowdStrike, and Sysmon. It provides investigation steps to help analysts triage and analyze potential incidents, focusing on the identity of the writing process, its lineage, and the characteristics of the written file. This rule is designed to detect potential remote code execution or other forms of exploitation targeting Windows systems. The rule logic excludes specific legitimate file paths to minimize false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through methods such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes code on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a system critical process to create or modify an executable file.\u003c/li\u003e\n\u003cli\u003eThe created/modified file may be a backdoor, malware component, or a tool for further exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the created executable to establish persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly created executable to perform lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution with elevated privileges. The number of victims is dependent on the scope of the initial compromise. The targeted sectors include any organization running vulnerable Windows systems. If the attack succeeds, the adversary can gain full control over the system, leading to data theft, system disruption, or further propagation of malware.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Unusual Executable File Creation by a System Critical Process\u0026rdquo; detection rule to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon file creation logging (Event ID 11) to enhance detection capabilities (see setup instructions in the rule source).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, paying close attention to the writing process\u0026rsquo;s identity, lineage, and the characteristics of the written file as detailed in the rule\u0026rsquo;s triage and analysis section.\u003c/li\u003e\n\u003cli\u003eCorrelate alerts from this rule with other endpoint and network activity to identify the scope of the potential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-25T12:00:00Z","date_published":"2024-01-25T12:00:00Z","id":"/briefs/2024-01-25-unusual-executable-file-creation/","summary":"The rule identifies unexpected executable file creation or modification by critical Windows processes, potentially indicating remote code execution or exploitation attempts.","title":"Unusual Executable File Creation by a System Critical Process","url":"https://feed.craftedsignal.io/briefs/2024-01-25-unusual-executable-file-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","masquerading","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft"],"content_html":"\u003cp\u003eAdversaries may use masquerading techniques to evade defenses and blend into the environment by manipulating the name or location of a file, tricking users into executing malicious code disguised as a benign file type. This rule detects the creation of executable files with multiple extensions, a common method of masquerading. The rule focuses on identifying suspicious file creations that use misleading extensions, specifically targeting files with an \u0026ldquo;.exe\u0026rdquo; extension preceded by common benign extensions. It excludes known legitimate processes to minimize false positives. This activity is relevant for defenders to identify potential threats where adversaries attempt to bypass security measures by disguising malicious files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious executable file with a double extension (e.g., \u0026ldquo;document.pdf.exe\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious file to the target system via phishing or other means.\u003c/li\u003e\n\u003cli\u003eThe user downloads or receives the file and attempts to open it.\u003c/li\u003e\n\u003cli\u003eWindows displays the file with the first extension (\u0026ldquo;document.pdf\u0026rdquo;) by default, misleading the user.\u003c/li\u003e\n\u003cli\u003eUpon execution, Windows recognizes the \u0026ldquo;.exe\u0026rdquo; extension and executes the file.\u003c/li\u003e\n\u003cli\u003eThe malicious executable runs, potentially deploying malware or performing other unauthorized actions.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence or attempts lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data theft or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to malware infection, data breaches, and system compromise. This technique bypasses common file type restrictions and user awareness, potentially affecting a wide range of users and systems. While the number of victims is not specified, the impact can be significant, particularly in organizations where users handle sensitive data. The affected sectors are broad, encompassing any organization where users are susceptible to social engineering attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Executable File Creation with Multiple Extensions\u0026rdquo; to your SIEM and tune for your environment to detect the creation of suspicious files with multiple extensions.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) for comprehensive file creation monitoring to improve the effectiveness of the detection rule.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for similar file creation activities to improve detection and response capabilities.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks associated with double file extensions and encourage caution when opening attachments from unknown sources.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate software installations that may create executables with multiple extensions to reduce false positives, as described in the rule\u0026rsquo;s triage notes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-executable-file-creation-multiple-extensions/","summary":"Detection of executable files created with multiple extensions, a masquerading technique to evade defenses.","title":"Executable File Creation with Multiple Extensions","url":"https://feed.craftedsignal.io/briefs/2024-01-executable-file-creation-multiple-extensions/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender Advanced Threat Protection"],"_cs_severities":["high"],"_cs_tags":["process injection","powershell","defense evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection focuses on identifying PowerShell scripts that combine specific Win32 API calls, often used in process injection and in-memory payload execution techniques. Attackers use PowerShell, a ubiquitous scripting language in Windows environments, to inject malicious code into other processes, bypassing traditional security controls. The rule specifically targets API combinations related to memory allocation (VirtualAlloc, VirtualAllocEx), memory protection (VirtualProtect), process access (OpenProcess), dynamic library loading (LdrLoadDll, LoadLibrary), and thread manipulation (CreateRemoteThread, NtCreateThreadEx). The rule excludes script activity originating from within Microsoft Defender Advanced Threat Protection directories, reducing false positives. This technique is valuable to attackers seeking to evade detection and execute malicious code stealthily. The detection logic is based on observing specific API combinations, commonly seen in tools like Empire.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell to execute a malicious script.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script uses \u003ccode\u003eOpenProcess\u003c/code\u003e to gain access to a target process.\u003c/li\u003e\n\u003cli\u003eThe script then uses \u003ccode\u003eVirtualAllocEx\u003c/code\u003e to allocate memory within the target process.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eWriteProcessMemory\u003c/code\u003e is used to write malicious code into the allocated memory.\u003c/li\u003e\n\u003cli\u003eThe script uses \u003ccode\u003eCreateRemoteThread\u003c/code\u003e or \u003ccode\u003eNtCreateThreadEx\u003c/code\u003e to create a new thread within the target process, pointing to the injected code.\u003c/li\u003e\n\u003cli\u003eThe injected code executes within the context of the target process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as credential dumping or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful process injection allows attackers to execute arbitrary code within the context of another process, often a legitimate one. This can lead to credential theft, privilege escalation, data exfiltration, or the deployment of ransomware. The impact is significant, as it allows attackers to bypass security controls and operate stealthily. While the number of victims is unknown, the widespread use of PowerShell makes this a potentially widespread threat. Successful attacks can compromise sensitive data, disrupt business operations, and damage an organization\u0026rsquo;s reputation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the necessary events (4104) for this detection to function as described in the setup instructions \u003ca href=\"https://ela.st/powershell-logging-setup\"\u003ehttps://ela.st/powershell-logging-setup\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious PowerShell scripts indicative of process injection. Tune the rules based on your environment\u0026rsquo;s baseline activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the reconstructed script content, target process, and execution context. Refer to the investigation guide section for triage steps.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized PowerShell scripts.\u003c/li\u003e\n\u003cli\u003eMonitor PowerShell execution for suspicious API calls related to process injection, as described in the rule\u0026rsquo;s \u003ccode\u003equery\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T10:00:00Z","date_published":"2024-01-24T10:00:00Z","id":"/briefs/2024-01-24-posh-process-injection/","summary":"This detection identifies PowerShell scripts leveraging Win32 APIs for memory allocation, process access, and thread creation, indicative of potential process injection or in-memory payload execution on Windows systems.","title":"Potential Process Injection via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-24-posh-process-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender","Security Agent"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","windows","registry modification"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Trend Micro"],"content_html":"\u003cp\u003eAttackers commonly disable Windows Defender to evade detection and facilitate malicious activities. This involves modifying specific registry settings to either disable the service entirely or prevent it from starting automatically. The rule specifically identifies modifications to the \u003ccode\u003eDisableAntiSpyware\u003c/code\u003e and \u003ccode\u003eWinDefend\\\\Start\u003c/code\u003e registry keys. The DFIR Report has documented this technique in real-world incidents, highlighting its effectiveness in bypassing built-in security measures. This allows threat actors to operate with reduced risk of detection, enabling them to deploy malware, exfiltrate data, or perform other malicious actions without immediate interference from the endpoint security solution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, potentially through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to obtain the necessary permissions to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eHKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\u003c/code\u003e registry key to disable Windows Defender, setting its value to \u0026ldquo;1\u0026rdquo; or \u0026ldquo;0x00000001\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker modifies the \u003ccode\u003eHKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\u003c/code\u003e registry key to prevent the Windows Defender service from starting automatically. The attacker sets the value to \u0026ldquo;3\u0026rdquo; or \u0026ldquo;4\u0026rdquo; (or their hexadecimal equivalents \u0026ldquo;0x00000003\u0026rdquo;, \u0026ldquo;0x00000004\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker verifies that Windows Defender is disabled by checking the Security Center or attempting to run a scan.\u003c/li\u003e\n\u003cli\u003eWith Windows Defender disabled, the attacker proceeds to deploy malware or execute malicious commands without interference from the antivirus software.\u003c/li\u003e\n\u003cli\u003eThe attacker may further disable security settings and block security-related indicators.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf successful, this attack can lead to a complete compromise of the affected system. With Windows Defender disabled, the system becomes vulnerable to malware infections, data exfiltration, and other malicious activities. This can result in financial losses, data breaches, and reputational damage for the targeted organization. The lack of immediate detection allows attackers to establish persistence and expand their foothold within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Registry Modification to Disable Windows Defender\u0026rdquo; to your SIEM and tune for your environment to detect unauthorized changes to Windows Defender registry settings.\u003c/li\u003e\n\u003cli\u003eMonitor registry events for changes to the \u003ccode\u003eHKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\u003c/code\u003e and \u003ccode\u003eHKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\u003c/code\u003e registry keys using the provided log sources.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the process and user account responsible for the registry modifications.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-defender-registry-disable/","summary":"Attackers modify the Windows Defender registry settings to disable the service or set the service to be started manually, evading defenses.","title":"Windows Defender Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-defender-registry-disable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["defense-evasion","lolbins","windows","machine-learning"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert originates from an Elastic machine learning job named \u003ccode\u003eproblem_child_rare_process_by_parent_ea\u003c/code\u003e designed to detect Living off the Land (LotL) attacks on Windows systems. The model identifies processes spawned by parent processes that are statistically rare and have a high probability of being malicious based on the \u0026ldquo;ProblemChild\u0026rdquo; supervised learning model. This approach aims to uncover malicious activities that utilize legitimate system binaries (LOLbins) for nefarious purposes, effectively bypassing traditional signature-based detections. The alert relies on Windows process events collected by Elastic Defend or Winlogbeat with the LotL Attack Detection integration. This detection method becomes particularly important as attackers increasingly rely on existing tools to blend in with normal system activity and avoid raising suspicion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access via unspecified means (e.g., phishing, compromised credentials).\u003c/li\u003e\n\u003cli\u003eAttacker leverages a legitimate system binary (LOLbin) such as \u003ccode\u003epowershell.exe\u003c/code\u003e or \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe LOLbin is used to execute a malicious payload or script.\u003c/li\u003e\n\u003cli\u003eThe malicious process is spawned as a child process of the LOLbin.\u003c/li\u003e\n\u003cli\u003eElastic\u0026rsquo;s machine learning model identifies the child process as rare and potentially malicious based on its parent-child relationship and other features.\u003c/li\u003e\n\u003cli\u003eThe rare process executes malicious commands, possibly downloading further payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack utilizing LOLbins can lead to significant compromise, including data theft, system disruption, and further propagation within the network. The reliance on trusted system binaries makes these attacks difficult to detect with traditional methods, potentially allowing attackers to operate undetected for extended periods. The impact is directly correlated to the privileges of the initial compromised account and the effectiveness of lateral movement techniques employed by the attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure that the Living off the Land (LotL) Attack Detection integration is installed and configured correctly, along with either Elastic Defend or Winlogbeat, as described in the rule\u0026rsquo;s \u003ccode\u003esetup\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eReview the parent and child process names identified in the alert to determine if they are legitimate applications or associated with LOLbins, as detailed in the investigation guide within the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eInvestigate the command-line arguments used by the suspicious process for potentially malicious commands or scripts as described in the rule \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eTune the \u003ccode\u003eanomaly_threshold\u003c/code\u003e setting in the machine learning job configuration based on your environment\u0026rsquo;s baseline activity to reduce false positives, as described in the rule documentation.\u003c/li\u003e\n\u003cli\u003eImplement exceptions for legitimate administrative tools and software updates to reduce false positives, as mentioned in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-unusual-process-spawn/","summary":"A machine learning job detected a suspicious Windows process, predicted malicious by the ProblemChild model and flagged as an unusual child process name for its parent, potentially indicating LOLbins usage and evading traditional detection.","title":"Unusual Process Spawned by a Parent Process via Machine Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-process-spawn/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","privilege-escalation","process-injection"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eSvchost.exe (Service Host) is a critical Windows process responsible for hosting various Windows services. Attackers frequently target svchost.exe to disguise malicious activity, using techniques like process injection or file masquerading. By injecting malicious code into a legitimate svchost.exe process or creating a fake svchost.exe executable, attackers can evade detection and escalate privileges. This can be done by spawning the process with unusual arguments to trick the OS or a user. Detecting these anomalies is crucial for identifying potentially compromised systems. The attacks documented leveraging this technique started to gain prominence around 2018 and are still relevant in 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious executable or script to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into a legitimate svchost.exe process. Alternatively, the attacker may copy the svchost.exe executable and rename it, placing it in a different directory.\u003c/li\u003e\n\u003cli\u003eThe injected code or masqueraded executable executes with unusual command-line arguments, deviating from the standard \u0026ldquo;-k \u003cservicegroup\u003e\u0026rdquo; parameter.\u003c/li\u003e\n\u003cli\u003eThe malicious svchost process performs unauthorized actions, such as establishing network connections, modifying files, or creating new processes.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges of the svchost process to further compromise the system.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence by modifying registry keys or scheduling tasks.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is data exfiltration, lateral movement, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised svchost.exe processes can lead to significant system instability and data breaches. Attackers may leverage these processes to gain complete control over affected systems, potentially impacting hundreds or thousands of machines in a network. The consequences can include data theft, financial losses, and reputational damage. Ransomware groups, such as BlackByte/Exbyte, and APT groups, like APT41, have been observed using similar techniques to evade detection and achieve their objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Uncommon Svchost Command Line Parameter\u0026rdquo; to your SIEM to detect anomalous svchost.exe processes based on command-line arguments.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule to determine if they are indicative of malicious activity.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging, specifically capturing command-line arguments, to provide the necessary data for detection.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized executables, including masqueraded svchost.exe instances.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-23-svchost-uncommon-params/","summary":"Detection of svchost.exe executing with uncommon command-line parameters, excluding known legitimate patterns, which may indicate file masquerading, process injection, or process hollowing.","title":"Uncommon Svchost Command Line Parameters Indicate Potential Masquerading or Injection","url":"https://feed.craftedsignal.io/briefs/2024-01-23-svchost-uncommon-params/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Elastic Endgame"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","masquerading","autoit","autohotkey","kix32","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eMalware operators often rename legitimate system and scripting tools to blend in with normal system processes and bypass security measures. This rule specifically detects instances where automation script interpreters like AutoIt, AutoHotkey, and KIX32 have been renamed. By comparing the process name against the original file name embedded in the executable, this detection identifies potential attempts to masquerade malicious scripts as legitimate software. This technique is employed to bypass application whitelisting and other security controls that rely on file names or process names for identification and authorization. This detection is relevant for any Windows environment where these scripting tools are used, as it can highlight potentially malicious activity masked by a common evasion technique.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, often through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or drops a malicious script (e.g., AutoIt, AutoHotkey, or KIX32 script) onto the target machine.\u003c/li\u003e\n\u003cli\u003eThe attacker renames the legitimate AutoIt, AutoHotkey, or KIX32 interpreter executable to a non-standard name (e.g., \u0026ldquo;svchost.exe\u0026rdquo; or \u0026ldquo;wininit.exe\u0026rdquo;) to masquerade as a legitimate process.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the renamed interpreter, which in turn executes the malicious script.\u003c/li\u003e\n\u003cli\u003eThe script performs malicious actions, such as downloading additional malware, modifying system settings, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system for lateral movement within the network or for data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence on the system to ensure continued access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful renaming of script interpreters allows attackers to execute malicious scripts undetected, potentially leading to data theft, system compromise, or further propagation within the network. The impact can range from minor disruption to significant financial loss and reputational damage, depending on the attacker\u0026rsquo;s objectives and the sensitivity of the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Renamed AutoIt Interpreter\u0026rdquo; to your SIEM to detect when AutoIt executables are renamed, focusing on \u003ccode\u003eprocess.pe.original_file_name\u003c/code\u003e and \u003ccode\u003eprocess.name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Renamed AutoHotkey Interpreter\u0026rdquo; to your SIEM to detect when AutoHotkey executables are renamed, focusing on \u003ccode\u003eprocess.pe.original_file_name\u003c/code\u003e and \u003ccode\u003eprocess.name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the necessary process metadata, as referenced in the rule \u003ccode\u003elogsource\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules to determine the legitimacy of the renamed executable and its associated activity as described in the \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-renamed-autoit/","summary":"Detects the renaming of automation script interpreter processes like AutoIt, AutoHotkey, and KIX32, a tactic used by malware operators to evade detection by obscuring the true nature of the executable.","title":"Renamed Automation Script Interpreter","url":"https://feed.craftedsignal.io/briefs/2024-01-renamed-autoit/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["KMS"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","kms","privilege-escalation","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis rule detects the successful execution of the \u003ccode\u003ePutKeyPolicy\u003c/code\u003e API call within Amazon Web Services Key Management Service (AWS KMS). The \u003ccode\u003ePutKeyPolicy\u003c/code\u003e action replaces the entire key policy associated with a KMS key, potentially granting new or expanded permissions to principals. An adversary who gains the ability to modify KMS key policies (\u003ccode\u003ekms:PutKeyPolicy\u003c/code\u003e) can escalate privileges by adding external accounts or roles, allowing them to decrypt data protected by the key or maintain persistent access even after credential rotation. This activity is crucial to monitor, as it can lead to significant data breaches and unauthorized access to sensitive information. The rule focuses on identifying deviations from expected KMS key policy management practices to detect potentially malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises an AWS account or obtains IAM credentials with sufficient permissions, including \u003ccode\u003ekms:PutKeyPolicy\u003c/code\u003e on a target KMS key.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to call the \u003ccode\u003ePutKeyPolicy\u003c/code\u003e API, replacing the existing key policy with a modified version.\u003c/li\u003e\n\u003cli\u003eThe modified key policy grants the attacker\u0026rsquo;s AWS account, or an external account, permissions to perform cryptographic operations on the key, such as \u003ccode\u003ekms:Decrypt\u003c/code\u003e or \u003ccode\u003ekms:GenerateDataKey\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the newly granted permissions to decrypt data encrypted with the KMS key, such as data stored in S3 buckets or EBS volumes.\u003c/li\u003e\n\u003cli\u003eThe attacker may also grant administrative actions to new identities.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the decrypted data to an external location.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to cover their tracks by deleting CloudTrail logs or modifying other security configurations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data encrypted with the KMS key, potentially resulting in data breaches, financial loss, and reputational damage. The severity depends on the sensitivity of the data protected by the key and the scope of access granted to the attacker. This can impact organizations across various sectors that rely on AWS KMS for data encryption, potentially affecting millions of records and causing significant operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS KMS Key Policy Updated via PutKeyPolicy\u0026rdquo; to your SIEM and tune for your environment to detect unauthorized modifications to KMS key policies.\u003c/li\u003e\n\u003cli\u003eReview the policy document diff in \u003ccode\u003eaws.cloudtrail.request_parameters\u003c/code\u003e and \u003ccode\u003eaws.cloudtrail.response_elements\u003c/code\u003e to identify unauthorized changes to principals.\u003c/li\u003e\n\u003cli\u003eRestrict the \u003ccode\u003ekms:PutKeyPolicy\u003c/code\u003e permission to break-glass roles only, limiting the potential for unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eiam:AttachRolePolicy\u003c/code\u003e and \u003ccode\u003ests:AssumeRole\u003c/code\u003e events to correlate with potential privilege escalation attempts related to KMS key access.\u003c/li\u003e\n\u003cli\u003eRestore a known-good KMS policy from backup or IAM/KMS change history to remediate unauthorized modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-22T18:23:00Z","date_published":"2024-01-22T18:23:00Z","id":"/briefs/2024-01-aws-kms-key-policy-put/","summary":"Detection of successful PutKeyPolicy calls on AWS KMS keys to identify potential privilege escalation or unauthorized access by adversaries modifying key policies to decrypt or exfiltrate data.","title":"AWS KMS Key Policy Updated via PutKeyPolicy","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-kms-key-policy-put/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries, such as jscript.dll or vbscript.dll, it may be indicative of an allowlist bypass. Adversaries exploit WMIC to bypass security measures by executing scripts via XSL files. This technique is often used for defense evasion and execution of malicious code. The detection logic focuses on monitoring WMIC executions with atypical arguments (format*:\u003cem\u003e, /format\u003c/em\u003e:\u003cem\u003e, \u003cem\u003e-format\u003c/em\u003e:\u003c/em\u003e) in conjunction with the loading of scripting libraries, indicating potential misuse. The rule is designed for data generated by Elastic Defend and also supports Sysmon data sources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker executes WMIC.exe or wmic.exe with suspicious arguments such as \u0026ldquo;format*:\u003cem\u003e\u0026rdquo;, \u0026ldquo;/format\u003c/em\u003e:\u003cem\u003e\u0026rdquo;, or \u0026ldquo;\u003c/em\u003e-format*:*\u0026rdquo; to leverage XSL script processing.\u003c/li\u003e\n\u003cli\u003eWMIC attempts to load scripting libraries like jscript.dll or vbscript.dll to enable script execution.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the loaded scripting libraries to execute malicious code embedded in an XSL file.\u003c/li\u003e\n\u003cli\u003eThe script performs various malicious actions, such as downloading additional payloads, modifying system configurations, or escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the WMI functionality for lateral movement or persistence within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker evades detection by abusing trusted system binaries (WMIC) and allowlisted scripting engines.\u003c/li\u003e\n\u003cli\u003eThe final objective is to achieve code execution and maintain control over the compromised system for data exfiltration or further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass security measures and execute malicious code on compromised systems. This can lead to a range of adverse effects, including data theft, system compromise, and further propagation of malware within the network. The use of WMIC for defense evasion can make it difficult to detect malicious activity, increasing the risk of successful attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious WMIC XSL Script Execution\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Event ID 7 (Image Loaded) logging to activate the Sigma rule above.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule by reviewing process execution details and command-line arguments.\u003c/li\u003e\n\u003cli\u003eReview the parent process of suspicious WMIC executions to understand the context and origin of the activity.\u003c/li\u003e\n\u003cli\u003eCorrelate the process.entity_id with other related events within a 2-minute window to identify any additional suspicious activities.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or suspicious XSL files and scripts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-22T12:00:00Z","date_published":"2024-01-22T12:00:00Z","id":"/briefs/2024-01-22-wmic-xsl-script-execution/","summary":"This rule detects suspicious execution of scripts via WMIC, potentially used for allowlist bypass, by identifying WMIC executions with atypical arguments and the loading of specific libraries like jscript.dll or vbscript.dll for defense evasion and execution.","title":"Suspicious WMIC XSL Script Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-22-wmic-xsl-script-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","machine-learning"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Elastic ProblemChild integration leverages machine learning to identify suspicious Windows process clusters associated with specific users. This detection focuses on processes flagged as malicious by a supervised ML model, further refined by an unsupervised ML model that identifies unusually high aggregate scores within process clusters. This combination aims to detect activity that may evade traditional signature-based detections, such as the use of Living-off-the-Land Binaries (LOLbins) for masquerading. The models are trained to identify processes exhibiting characteristics indicative of malicious intent, making it possible to expose attackers using legitimate system tools for malicious purposes. The integration requires Windows process events collected by Elastic Defend or Winlogbeat and the Living off the Land (LotL) Attack Detection integration assets to be installed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to execute malicious commands using LOLbins (e.g., PowerShell, cmd.exe, mshta.exe).\u003c/li\u003e\n\u003cli\u003eThese processes are spawned with potentially obfuscated or unusual command-line arguments to evade basic detection.\u003c/li\u003e\n\u003cli\u003eThe ProblemChild supervised ML model analyzes process characteristics and assigns a malicious probability score.\u003c/li\u003e\n\u003cli\u003eAn unsupervised ML model aggregates the scores of related processes associated with the same user, identifying unusually high clusters.\u003c/li\u003e\n\u003cli\u003eThe rule triggers based on the combined supervised and unsupervised ML scores, indicating a high likelihood of malicious activity.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to use masquerading techniques to further disguise their actions by renaming files or using legitimate process names.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal could be data exfiltration, lateral movement, or establishing persistence on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging LOLbins and masquerading techniques can lead to significant damage, including data breaches, system compromise, and disruption of services. The use of legitimate tools makes detection challenging, potentially allowing attackers to operate undetected for extended periods. While the number of victims and specific sectors are unknown, any organization running Windows systems is potentially vulnerable. The impact of a successful attack depends on the attacker\u0026rsquo;s objectives but can range from minor data theft to complete system takeover.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the Living off the Land (LotL) Attack Detection integration assets are installed and properly configured as described in the setup instructions of the rule.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;User Detected with Suspicious Windows Process(es)\u0026rdquo; ML job (machine_learning_job_id: \u003ccode\u003eproblem_child_high_sum_by_user_ea\u003c/code\u003e) and tune the anomaly threshold for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Windows process event collection via Elastic Defend or Winlogbeat (Rule Setup) to provide the necessary data for the ML models.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate administrative tools and software updates that may trigger false positives, as described in the False Positive Analysis section of the rule note.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and detection rules to identify similar patterns of behavior in the future, focusing on the specific tactics and techniques used in this incident (Rule Note).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-22T12:00:00Z","date_published":"2024-01-22T12:00:00Z","id":"/briefs/2024-01-problemchild-suspicious-windows-processes/","summary":"The ProblemChild machine learning model has detected a user with suspicious Windows processes exhibiting unusually high malicious probability scores, potentially indicating defense evasion via masquerading or LOLbins.","title":"ProblemChild ML Detection of Suspicious Windows Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-problemchild-suspicious-windows-processes/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","CrowdStrike FDR","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows-sandbox","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers may abuse the Windows Sandbox feature to evade detection by running malicious code within the isolated environment. This involves configuring the sandbox with sensitive options such as granting write access to the host file system, enabling network connections, and setting up automatic command execution via logon. By running within the sandbox with these configurations, malware can potentially interact with the host system, while making detection more difficult. This technique is used for defense evasion, hiding artifacts, and executing malicious activities within a virtualized environment to avoid direct exposure on the host. The rule identifies the start of a new container with sensitive configurations like write access to the host file system, network connection and automatic execution via logon command.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through an exploit or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages Windows Sandbox by executing \u003ccode\u003ewsb.exe\u003c/code\u003e or \u003ccode\u003eWindowsSandboxClient.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the sandbox to enable networking using \u003ccode\u003e\u0026lt;Networking\u0026gt;Enable\u0026lt;/Networking\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;NetworkingEnabled\u0026gt;true\u0026lt;/NetworkingEnabled\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker grants the sandbox write access to the host file system using \u003ccode\u003e\u0026lt;HostFolder\u0026gt;C:\\\\\u0026lt;ReadOnly\u0026gt;false\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sets up a logon command to automatically execute malicious code when the sandbox starts using \u003ccode\u003e\u0026lt;LogonCommand\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe sandbox initializes and executes the configured logon command.\u003c/li\u003e\n\u003cli\u003eThe malicious code interacts with the host file system and network, performing actions such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as deploying ransomware or stealing sensitive information, while operating from within the isolated sandbox environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using Windows Sandbox abuse can lead to a range of negative impacts. Attackers may gain unauthorized access to sensitive data, compromise system integrity, or disrupt business operations. The use of the sandbox environment helps to conceal malicious activity, making detection and remediation more challenging. The damage can include data breaches, financial losses, reputational damage, and regulatory penalties. Successful exploitation allows malware to interact with the host system, potentially affecting multiple systems on the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Windows Sandbox with Sensitive Configuration\u0026rdquo; detection rule to your SIEM to identify potential sandbox abuse attempts.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ewsb.exe\u003c/code\u003e and \u003ccode\u003eWindowsSandboxClient.exe\u003c/code\u003e with command-line arguments that enable networking (\u003ccode\u003e\u0026lt;Networking\u0026gt;Enable\u0026lt;/Networking\u0026gt;\u003c/code\u003e, \u003ccode\u003e\u0026lt;NetworkingEnabled\u0026gt;true\u0026lt;/NetworkingEnabled\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ewsb.exe\u003c/code\u003e and \u003ccode\u003eWindowsSandboxClient.exe\u003c/code\u003e with command-line arguments that enable write access to the host file system (\u003ccode\u003e\u0026lt;HostFolder\u0026gt;C:\\\\\u0026lt;ReadOnly\u0026gt;false\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ewsb.exe\u003c/code\u003e and \u003ccode\u003eWindowsSandboxClient.exe\u003c/code\u003e with command-line arguments that define logon commands (\u003ccode\u003e\u0026lt;LogonCommand\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the necessary command-line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-10T12:00:00Z","date_published":"2024-01-10T12:00:00Z","id":"/briefs/2024-01-windows-sandbox-abuse/","summary":"This rule detects the abuse of Windows Sandbox with sensitive configurations to evade detection, where malware may abuse the sandbox feature to gain write access to the host file system, enable network connections, and automatically execute commands via logon, identifying the start of a new container with these sensitive configurations.","title":"Windows Sandbox Abuse with Sensitive Configuration","url":"https://feed.craftedsignal.io/briefs/2024-01-windows-sandbox-abuse/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["persistence","defense-evasion","execution","windows","dll-injection"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAttackers may attempt to load malicious, unsigned DLLs into \u003ccode\u003esvchost.exe\u003c/code\u003e, a legitimate Windows service host process, to maintain persistence or escalate privileges. This technique abuses the shared service host process to execute arbitrary code with SYSTEM privileges. The \u003ccode\u003esvchost.exe\u003c/code\u003e process, which typically hosts multiple Windows services, can be targeted to load malicious DLLs from unusual file paths, potentially bypassing security measures that rely on code signing validation. This is especially concerning because \u003ccode\u003esvchost.exe\u003c/code\u003e is a trusted process, making detection more challenging. The loading of unsigned DLLs by \u003ccode\u003esvchost.exe\u003c/code\u003e from atypical directories is a strong indicator of potential malicious activity, as legitimate Windows services rarely load unsigned libraries from such locations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn adversary gains initial access to the system through an undisclosed method (e.g., exploitation of a vulnerability or social engineering).\u003c/li\u003e\n\u003cli\u003eThe attacker creates a malicious, unsigned DLL on the compromised system in a non-standard directory like \u003ccode\u003eC:\\ProgramData\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the Windows Registry to configure a service hosted by \u003ccode\u003esvchost.exe\u003c/code\u003e to load the malicious DLL. This often involves manipulating service dependencies or service parameters.\u003c/li\u003e\n\u003cli\u003eThe system is restarted, or the targeted service is manually restarted, causing \u003ccode\u003esvchost.exe\u003c/code\u003e to load the specified DLL.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esvchost.exe\u003c/code\u003e executes the code within the malicious DLL, now running with the privileges of the hosted service (typically SYSTEM).\u003c/li\u003e\n\u003cli\u003eThe malicious DLL performs actions such as installing backdoors, escalating privileges further, or establishing command and control (C2) communication.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established C2 channel to remotely control the compromised system, exfiltrate data, or perform other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence on the system by ensuring the malicious DLL is loaded each time the service or system starts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain persistent access to the compromised system with elevated (SYSTEM) privileges. This can lead to complete system compromise, data theft, installation of backdoors, and lateral movement within the network. The use of \u003ccode\u003esvchost.exe\u003c/code\u003e as a host for malicious DLLs makes detection more difficult, allowing attackers to operate undetected for extended periods.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect unsigned DLLs loaded by \u003ccode\u003esvchost.exe\u003c/code\u003e, focusing on the specified file paths and code signature status.\u003c/li\u003e\n\u003cli\u003eExamine \u003ccode\u003edll.Ext.relative_file_creation_time\u003c/code\u003e to identify DLLs created shortly before being loaded to catch newly created malicious files.\u003c/li\u003e\n\u003cli\u003eReview and validate the legitimacy of all DLLs loaded by \u003ccode\u003esvchost.exe\u003c/code\u003e, focusing on those located in unusual paths.\u003c/li\u003e\n\u003cli\u003eUpdate endpoint detection and response (EDR) systems to specifically monitor for the loading of unsigned DLLs by system processes like \u003ccode\u003esvchost.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eContinuously update the exclusion list of known good DLL hashes to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:30:00Z","date_published":"2024-01-09T18:30:00Z","id":"/briefs/2024-01-unsigned-dll-svchost/","summary":"Adversaries may load unsigned DLLs into svchost.exe to establish persistence or escalate privileges, leveraging a shared Windows service to execute malicious code with elevated permissions.","title":"Unsigned DLL Loaded by Svchost for Persistence and Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2024-01-unsigned-dll-svchost/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Kubernetes Service"],"_cs_severities":["medium"],"_cs_tags":["azure","kubernetes","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers targeting Azure Kubernetes Service (AKS) environments may attempt to remove event logs to cover their tracks and hinder forensic investigations. This activity, which involves deleting Kubernetes events, directly impairs a defender\u0026rsquo;s ability to detect malicious behavior within the cluster. By removing evidence of their actions, attackers can prolong their presence within the environment and increase the potential for further compromise. This technique is relevant for defenders monitoring AKS environments for intrusion activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Azure environment, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure Kubernetes Service (AKS) cluster with sufficient privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing Kubernetes event logs to identify those they wish to remove.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a command to delete specific Kubernetes events using kubectl or the Azure CLI. The API call used for the deletion is MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE.\u003c/li\u003e\n\u003cli\u003eThe Azure Activity Logs record the event deletion, which is the source of the detection.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats steps 3-4 to remove additional event logs, further obscuring their activities.\u003c/li\u003e\n\u003cli\u003eThe attacker continues with their primary objective, such as deploying malicious containers, exfiltrating data, or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of Kubernetes events can significantly hinder incident response efforts. Without access to event logs, defenders may struggle to identify the scope and timeline of an attack, potentially leading to incomplete remediation and prolonged exposure. The impact includes increased dwell time for attackers within the compromised environment, as well as a greater likelihood of successful data breaches or system disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect event deletion activity within AKS environments.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of the MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE operation in Azure Activity Logs, as indicated in the rule definition.\u003c/li\u003e\n\u003cli\u003eImplement robust RBAC policies within AKS to minimize the number of users and service accounts with permissions to delete Kubernetes events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:30:00Z","date_published":"2024-01-09T18:30:00Z","id":"/briefs/2024-01-azure-kubernetes-events-deleted/","summary":"Adversaries may delete events in Azure Kubernetes to evade detection, which this rule detects via the MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE operation.","title":"Azure Kubernetes Events Deleted","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-kubernetes-events-deleted/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Build Engine","Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","msbuild","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe Microsoft Build Engine (MSBuild) is a software build platform commonly used by Windows developers. When MSBuild is started by an Office application like Word or Excel, it deviates from typical usage patterns. This behavior can be indicative of a malicious document executing a script payload as part of a defense evasion tactic. Attackers may leverage MSBuild to execute code or perform actions that would otherwise be blocked or detected. This activity is particularly concerning because it can bypass traditional security measures that focus on blocking suspicious executables or scripts directly launched by Office applications. The rule was created in March 2020, and last updated in April 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user opens a malicious Office document (e.g., Word, Excel, PowerPoint).\u003c/li\u003e\n\u003cli\u003eThe Office document contains an embedded macro or exploit that triggers the execution of MSBuild.exe.\u003c/li\u003e\n\u003cli\u003eMSBuild.exe is launched as a child process of the Office application (e.g., winword.exe, excel.exe, powerpnt.exe).\u003c/li\u003e\n\u003cli\u003eMSBuild executes a project file or inline task specified in the command line. This can involve compiling code, executing scripts, or performing other actions.\u003c/li\u003e\n\u003cli\u003eThe executed code or script performs malicious activities, such as downloading additional payloads, modifying system settings, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eMSBuild may spawn child processes, such as cmd.exe, powershell.exe, or other utilities, to further execute malicious commands.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which could include data exfiltration, installing malware, or gaining unauthorized access to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary code on the victim\u0026rsquo;s machine, potentially resulting in data theft, malware installation, or complete system compromise. Since MSBuild is a legitimate Microsoft tool, its use by malicious actors can make detection more challenging. The impact is high because it leverages a trusted process to carry out malicious activities, evading standard security measures.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Microsoft Build Engine Started by an Office Application\u0026rdquo; to your SIEM to detect this specific behavior based on process creation events.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with the appropriate configuration to capture the necessary process start events for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the command-line arguments of MSBuild.exe and the parent process information, including the executable name and command line.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for MSBuild.exe with parent processes being Office applications as a high priority indicator of potential compromise.\u003c/li\u003e\n\u003cli\u003eReview and harden Office macro settings to prevent execution of malicious macros.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:22:00Z","date_published":"2024-01-09T18:22:00Z","id":"/briefs/2024-01-msbuild-office-app/","summary":"The Microsoft Build Engine (MSBuild) being started by an Office application is unusual behavior and could indicate a malicious document executing a script payload for defense evasion.","title":"Microsoft Build Engine Started by an Office Application","url":"https://feed.craftedsignal.io/briefs/2024-01-msbuild-office-app/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["defense-evasion","amsi","powershell","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts that attempt to circumvent the Antimalware Scan Interface (AMSI), a security feature in Windows designed to prevent the execution of malicious scripts and code. Attackers use AMSI bypass techniques to disable real-time scanning and execute malicious PowerShell code without detection. The bypasses often involve manipulating AMSI\u0026rsquo;s internal state or patching its scanning routines. This allows attackers to deliver and execute payloads undetected, leading to potential system compromise. This technique is actively used by various threat actors to evade defenses.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, typically through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script contains code designed to bypass AMSI, such as manipulating the AmsiScanBuffer function or unmanaged code injection.\u003c/li\u003e\n\u003cli\u003eThe AMSI bypass is executed, disabling real-time scanning of PowerShell scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker then executes a malicious payload within the same PowerShell session, which is no longer subject to AMSI scanning.\u003c/li\u003e\n\u003cli\u003eThe malicious payload performs actions such as downloading additional malware, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised system for further lateral movement or to achieve their objectives, such as data theft or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful AMSI bypass can lead to the execution of arbitrary code on the affected system, potentially resulting in data breaches, system compromise, and the installation of malware. Because AMSI is a core component of Windows security, its bypass represents a significant security risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the contents of PowerShell scripts, which is essential for this detection to function effectively (reference: Setup section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Antimalware Scan Interface Bypass via PowerShell\u0026rdquo; to detect scripts containing known AMSI bypass techniques (reference: rules section below).\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule, focusing on the script content and the context in which it was executed to identify potential malicious activity (reference: note section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T16:23:00Z","date_published":"2024-01-09T16:23:00Z","id":"/briefs/2024-01-amsi-bypass-powershell/","summary":"This rule detects PowerShell scripts that attempt to bypass the Antimalware Scan Interface (AMSI) in order to disable scanning and execute malicious PowerShell code undetected.","title":"Potential Antimalware Scan Interface Bypass via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-amsi-bypass-powershell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MSBuild"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","command-and-control","msbuild"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may abuse the Microsoft Build Engine (MSBuild) to execute malicious files or masquerade as legitimate utilities to bypass detections and evade defenses. MSBuild is a platform for building applications using an XML schema for project files that controls how the build platform processes and builds software. The observed behavior involves MsBuild.exe initiating outbound network connections, which is not typical for its intended use and may indicate unauthorized code execution or command and control activity. This activity can be used to download malicious payloads, exfiltrate data, or establish a reverse shell. Detecting this behavior is crucial as it can be an early indicator of compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access through an external vector (e.g., phishing, software vulnerability).\u003c/li\u003e\n\u003cli\u003eAttacker executes MsBuild.exe.\u003c/li\u003e\n\u003cli\u003eMSBuild executes a malicious project file (.csproj, .vbproj).\u003c/li\u003e\n\u003cli\u003eThe project file contains embedded or referenced code (e.g., C#, VB.NET) designed to perform malicious actions.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes, initiating a network connection.\u003c/li\u003e\n\u003cli\u003eThe network connection is established to an external command and control (C2) server or a resource hosting a malicious payload.\u003c/li\u003e\n\u003cli\u003eData exfiltration or payload download occurs via the network connection.\u003c/li\u003e\n\u003cli\u003eThe attacker gains further control over the compromised system, potentially leading to lateral movement or data theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems can lead to data breaches, system instability, and further propagation of malware within the network. Successful exploitation can result in sensitive information being stolen, disruption of services, and potential financial losses. This activity can be difficult to detect without specific monitoring rules and can lead to extended dwell time for attackers within the compromised environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMSBuild Making Outbound Network Connection\u003c/code\u003e to your SIEM to detect suspicious network connections initiated by MsBuild.exe.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the destination IP addresses and the content of the network traffic.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for instances of MsBuild.exe executing unusual or suspicious project files.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring with command-line argument logging to identify potential malicious project files being passed to MsBuild.exe.\u003c/li\u003e\n\u003cli\u003eConsider implementing application control policies to restrict the execution of MsBuild.exe to authorized users and processes only.\u003c/li\u003e\n\u003cli\u003eBlock known malicious domains and IP addresses associated with command and control activity at the firewall or DNS resolver.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-09-msbuild-network-connections/","summary":"MsBuild.exe making outbound network connections may indicate adversarial activity as attackers leverage MsBuild to execute code and evade detection.","title":"MSBuild Making Network Connections Indicating Potential Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-09-msbuild-network-connections/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","log-clearing","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAttackers often remove or modify system logs to hide their actions and hinder forensic investigations. This activity involves the use of common Linux utilities to delete or overwrite log files, making it difficult to trace the attacker\u0026rsquo;s entry point, lateral movement, and actions performed on the system. Log clearing is a common post-exploitation technique used by a wide range of threat actors across various campaigns. This brief focuses on detecting the usage of common utilities like \u003ccode\u003erm\u003c/code\u003e…\u003c/p\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-09-linux-log-clearing/","summary":"Adversaries attempt to clear Linux system logs using utilities like rm, rmdir, shred, and unlink to conceal malicious activity and evade detection.","title":"Linux Log Clearing Attempts via Common Utilities","url":"https://feed.craftedsignal.io/briefs/2024-01-09-linux-log-clearing/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","privilege-escalation","masquerading"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies suspicious child processes spawned by WerFault.exe, the Windows Error Reporting tool. Attackers can abuse WerFault by manipulating the \u003ccode\u003eSilentProcessExit\u003c/code\u003e registry key to execute malicious processes. This technique allows for defense evasion, persistence, and privilege escalation. The detection focuses on WerFault processes with specific command-line arguments (\u003ccode\u003e-s\u003c/code\u003e, \u003ccode\u003e-t\u003c/code\u003e, and \u003ccode\u003e-c\u003c/code\u003e) known to be used in SilentProcessExit exploitation, while excluding legitimate executables like \u003ccode\u003eInitcrypt.exe\u003c/code\u003e and \u003ccode\u003eHeimdal.Guard.exe\u003c/code\u003e. The rule helps defenders identify potential attempts to hijack the error reporting mechanism for malicious purposes. The monitored data sources include Windows Event Logs, Sysmon, Elastic Defend, Microsoft Defender XDR, and SentinelOne.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eSilentProcessExit\u003c/code\u003e registry key to specify a malicious process to be executed when a target application crashes. This involves setting the \u003ccode\u003eReportingMode\u003c/code\u003e and \u003ccode\u003eDebugger\u003c/code\u003e values under the \u003ccode\u003eSilentProcessExit\u003c/code\u003e key for the target application.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a crash in the target application or waits for a legitimate crash to occur.\u003c/li\u003e\n\u003cli\u003eWerFault.exe is invoked to handle the application crash.\u003c/li\u003e\n\u003cli\u003eDue to the registry modification, WerFault.exe spawns the attacker-controlled process, passing command-line arguments such as \u003ccode\u003e-s\u003c/code\u003e, \u003ccode\u003e-t\u003c/code\u003e, and \u003ccode\u003e-c\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled process executes with the privileges of WerFault.exe, potentially achieving privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe malicious process performs actions such as injecting code into other processes, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objectives, such as maintaining persistence, escalating privileges, or evading detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to persistence, privilege escalation, and defense evasion. Attackers can use this technique to execute malicious code with elevated privileges, potentially bypassing security controls and gaining unauthorized access to sensitive data and system resources. The number of victims and affected sectors can vary depending on the attacker\u0026rsquo;s objectives and the scope of the initial compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture WerFault.exe child processes (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;WerFault Child Process Masquerading\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eSilentProcessExit\u003c/code\u003e registry key for unauthorized modifications (registry_set event).\u003c/li\u003e\n\u003cli\u003eInvestigate any WerFault.exe processes with command-line arguments \u003ccode\u003e-s\u003c/code\u003e, \u003ccode\u003e-t\u003c/code\u003e, and \u003ccode\u003e-c\u003c/code\u003e (process_creation event).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-09-werfault-child-process/","summary":"This rule detects suspicious child processes of WerFault.exe, a Windows error reporting tool, indicating potential abuse of the SilentProcessExit registry key to execute malicious processes stealthily for defense evasion, persistence, and privilege escalation.","title":"Suspicious WerFault Child Process Abuse","url":"https://feed.craftedsignal.io/briefs/2024-01-09-werfault-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Cloud Endpoint","AutomationManagerAgent"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","powershell","registry"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Trend Micro","N-able"],"content_html":"\u003cp\u003eAttackers frequently disable PowerShell Script Block Logging to evade detection and hide malicious activities on compromised systems. By modifying the \u003ccode\u003eEnableScriptBlockLogging\u003c/code\u003e registry value to \u0026lsquo;0\u0026rsquo; or \u0026lsquo;0x00000000\u0026rsquo;, adversaries can significantly reduce the visibility into their PowerShell-based attacks. This technique is particularly effective when followed by script-driven activity, making it harder for security teams to identify and respond to threats. This behavior has been observed across multiple environments, including those utilizing endpoint detection and response solutions such as Elastic Defend, Microsoft Defender XDR, SentinelOne, and CrowdStrike. The rule was last updated on 2026-05-04 and is designed to detect these specific registry modifications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to a Windows system, possibly through phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker may attempt to escalate privileges to gain necessary permissions to modify the registry.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker modifies the registry to disable PowerShell Script Block Logging by setting \u003ccode\u003eHKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging\u003c/code\u003e to 0 or 0x00000000 using \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell itself.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e The attacker executes malicious PowerShell scripts, leveraging the disabled logging to avoid detection. These scripts may be used for reconnaissance, lateral movement, or data exfiltration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence using various techniques, such as creating scheduled tasks or modifying registry keys to ensure continued access to the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The attacker establishes a command and control channel to communicate with the compromised system and issue further instructions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker moves laterally to other systems on the network, compromising additional assets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their final objective, such as data theft, ransomware deployment, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of PowerShell Script Block Logging can severely hinder incident response efforts, allowing attackers to operate undetected for extended periods. Organizations may experience data breaches, financial losses, and reputational damage. The impact can be widespread as attackers leverage compromised systems for lateral movement and further exploitation. The loss of PowerShell logging can blind security teams, making it difficult to reconstruct attacker actions and contain the breach.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePowerShell_Script_Block_Logging_Disabled\u003c/code\u003e to your SIEM to detect registry modifications that disable PowerShell Script Block Logging.\u003c/li\u003e\n\u003cli\u003eMonitor registry events for changes to the \u003ccode\u003eEnableScriptBlockLogging\u003c/code\u003e value, focusing on events with \u003ccode\u003eregistry.data.strings\u003c/code\u003e set to \u0026ldquo;0\u0026rdquo; or \u0026ldquo;0x00000000\u0026rdquo; (see rule \u003ccode\u003ePowerShell_Script_Block_Logging_Disabled\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture the necessary data for the Sigma rules to function effectively (see references).\u003c/li\u003e\n\u003cli\u003eReview and harden PowerShell execution policies to prevent unauthorized script execution (related to tactic TA0005).\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to limit who can modify registry settings related to PowerShell logging (related to tactic TA0005).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-09-disable-powershell-scriptblock-logging/","summary":"Attackers may disable PowerShell Script Block Logging by modifying the registry to conceal their activities on the host and evade detection by setting the `EnableScriptBlockLogging` registry value to 0, impacting security monitoring and incident response capabilities.","title":"PowerShell Script Block Logging Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-09-disable-powershell-scriptblock-logging/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","timestomp","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies attempts to modify the timestamps of executable files within sensitive directories on Windows systems, a technique known as timestomping. Timestomping is employed by adversaries to disguise malicious files as legitimate system components, making them harder to detect. The rule focuses on changes to file creation timestamps in directories like \u003ccode\u003eSystem32\u003c/code\u003e, \u003ccode\u003eSysWOW64\u003c/code\u003e, \u003ccode\u003eProgramData\u003c/code\u003e, and common startup locations. It excludes known legitimate processes to reduce false positives. The goal of this technique is to evade detection and maintain persistence within the compromised system. This behavior is typically associated with post-exploitation activity after initial access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means (e.g., exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious executable (e.g., a backdoor or malware dropper) to a location on the filesystem.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool or script (e.g., PowerShell, built-in Windows utilities) to modify the creation timestamp of the malicious executable.\u003c/li\u003e\n\u003cli\u003eThe timestamp is set to match that of a legitimate system file in the same directory, such as a DLL in \u003ccode\u003eC:\\Windows\\System32\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker may then configure persistence for the timestomped executable, such as creating a registry entry in \u003ccode\u003eHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious executable remains dormant, blending in with other legitimate files and evading initial detection.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the execution of the timestomped executable, either manually or through scheduled tasks, registry entries or other persistence mechanisms.\u003c/li\u003e\n\u003cli\u003eThe malicious executable performs its intended function, such as establishing a reverse shell or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful timestomping can allow attackers to maintain a persistent presence on a compromised system while evading detection by security tools and administrators. This can lead to prolonged data theft, system compromise, and other malicious activities. The technique is often used in conjunction with other evasion methods to further obscure malicious activity. A successful attack could lead to data exfiltration, ransomware deployment, or long-term espionage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 2 (File creation time changed) logging to capture timestomping activity as described in the setup instructions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Timestomp in Executable Files\u0026rdquo; to your SIEM to detect suspicious file timestamp modifications.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on processes modifying file creation times in sensitive system directories.\u003c/li\u003e\n\u003cli\u003eReview the process ancestry of processes modifying file timestamps to identify potentially malicious parent processes.\u003c/li\u003e\n\u003cli\u003eMonitor for execution of files with recently modified timestamps using process creation logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-09-timestomp/","summary":"This rule identifies potential timestomping behavior on Windows systems where the creation time of executable files in sensitive system directories is modified, potentially to blend malicious executables with legitimate system files and evade detection.","title":"Potential Timestomping of Executable Files on Windows","url":"https://feed.craftedsignal.io/briefs/2024-01-09-timestomp/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MSBuild"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","msbuild","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Microsoft Build Engine (MSBuild) is a platform for building applications that uses an XML schema for project files to control the build process. Attackers can abuse MSBuild to execute malicious code, proxy code execution, and masquerade as legitimate utilities to evade defenses. This behavior is often used in defense evasion tactics. This detection identifies instances of \u003ccode\u003eMsBuild.exe\u003c/code\u003e executing and subsequently establishing network connections to external addresses. This activity warrants further investigation as it deviates from expected usage patterns and might signify malicious exploitation of MSBuild.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary gains initial access to the system via unspecified means.\u003c/li\u003e\n\u003cli\u003eAdversary executes \u003ccode\u003eMsBuild.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMSBuild process loads and executes a malicious project file, potentially containing embedded code or instructions to download and execute further payloads.\u003c/li\u003e\n\u003cli\u003eThe project file instructs MSBuild to initiate a network connection to a remote server.\u003c/li\u003e\n\u003cli\u003eMSBuild establishes an outbound network connection to the attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker can use the established connection for command and control (C2) or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe compromised host may download additional malicious tools or payloads from the C2 server using MSBuild\u0026rsquo;s network capabilities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging MSBuild can lead to code execution, defense evasion, and potentially command and control. Although the number of affected organizations is not specified, any Windows environment where developers use MSBuild is potentially at risk. If successful, attackers can bypass traditional security measures, gain unauthorized access, and exfiltrate sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging and network connection logging on Windows endpoints to capture the necessary events for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;MSBuild Making Network Connections\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the process execution chain and network connections for suspicious activity.\u003c/li\u003e\n\u003cli\u003eConsider adding exceptions for legitimate MSBuild network activity, based on destination IP addresses and command-line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-09-msbuild-network/","summary":"Detection of MsBuild.exe making outbound network connections which may indicate adversarial activity used to execute code and evade detection.","title":"MSBuild Making Network Connections","url":"https://feed.craftedsignal.io/briefs/2024-01-09-msbuild-network/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers commonly attempt to disable or weaken Windows Defender to evade detection and facilitate malicious activities. This involves using PowerShell commands like \u003ccode\u003eSet-MpPreference\u003c/code\u003e or \u003ccode\u003eAdd-MpPreference\u003c/code\u003e to modify Defender\u0026rsquo;s configuration. Adversaries may also utilize base64 encoding to obfuscate these commands, bypassing simple command-line inspection. This activity typically occurs post-compromise, as part of a broader attack chain, and allows for the deployment of malware or other malicious tools without interference from the built-in antivirus. Detection of these techniques is crucial for maintaining the integrity of the system and preventing further damage. The scope of this threat includes any Windows environment where PowerShell is enabled and Windows Defender is used as the primary antivirus solution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved through an existing compromise (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the system and escalates privileges if necessary.\u003c/li\u003e\n\u003cli\u003ePowerShell is launched, either directly or through a parent process like \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eSet-MpPreference\u003c/code\u003e or \u003ccode\u003eAdd-MpPreference\u003c/code\u003e with parameters like \u003ccode\u003e-DisableRealtimeMonitoring\u003c/code\u003e, \u003ccode\u003e-DisableIOAVProtection\u003c/code\u003e, \u003ccode\u003e-DisableBehaviorMonitoring\u003c/code\u003e, or \u003ccode\u003e-DisableBlockAtFirstSeen\u003c/code\u003e to weaken Defender.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker crafts a base64-encoded PowerShell command that performs the same actions.\u003c/li\u003e\n\u003cli\u003eThe encoded command is executed using the \u003ccode\u003e-EncodedCommand\u003c/code\u003e or \u003ccode\u003e-enc\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eWindows Defender\u0026rsquo;s security settings are modified, reducing its effectiveness.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with deploying malware, exfiltrating data, or other malicious objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of these commands results in a weakened or disabled Windows Defender, leaving the system vulnerable to malware infections and other threats. This can lead to data breaches, system compromise, and financial loss. The impact is especially significant in environments where Windows Defender is the primary security solution. While the number of victims is unknown, the technique is widely applicable across Windows environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for PowerShell executions (\u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003epwsh.exe\u003c/code\u003e) with command-line arguments related to disabling Windows Defender using the Sigma rule \u0026ldquo;Detect Suspicious PowerShell Encoded Commands\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eEnable PowerShell script block logging to capture the full content of executed scripts, which can reveal base64-encoded commands (reference: references - \u003ca href=\"https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps)\"\u003ehttps://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Disabling Windows Defender Security Settings via PowerShell\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003eSet-MpPreference\u003c/code\u003e or \u003ccode\u003eAdd-MpPreference\u003c/code\u003e commands with arguments disabling real-time monitoring, IOAV protection, behavior monitoring, or block-at-first-seen features.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-09-disable-defender-powershell/","summary":"Attackers use PowerShell commands, including base64-encoded variants, to disable or weaken Windows Defender settings, impairing defenses on compromised systems.","title":"Disabling Windows Defender Security Settings via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-09-disable-defender-powershell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["defense-evasion","ads","rundll32","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eRundll32 is a legitimate Windows utility used to execute DLLs. However, adversaries can abuse this functionality to execute malicious code while evading detection. This technique involves storing a malicious DLL within an Alternate Data Stream (ADS) of a file. ADS allows hiding data within existing files, making it less likely to be discovered by standard file system scans. When rundll32.exe is then used to execute the DLL from the ADS, it can bypass application whitelisting and other security measures, as the execution appears to originate from the trusted rundll32.exe process. This technique has been observed across various threat actors seeking to establish persistence or execute arbitrary code.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through methods like phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious DLL to the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a command-line utility to write the DLL into an Alternate Data Stream (ADS) of an existing file, such as a text file or image. For example: \u003ccode\u003eecho \u0026quot;DLL content\u0026quot; \u0026gt; legitimate_file.txt:malicious.dll\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003erundll32.exe\u003c/code\u003e to execute the DLL stored in the ADS. The command typically looks like: \u003ccode\u003erundll32.exe \u0026quot;C:\\ads\\file.txt:ADSDLL.dll\u0026quot;,DllMain\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRundll32.exe loads and executes the malicious DLL from the ADS.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL performs its intended actions, such as establishing persistence, downloading additional payloads, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker may use additional techniques to further conceal their activity, such as obfuscating the command line or using process injection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows arbitrary code execution on the targeted system. Attackers can use this technique to establish persistence, escalate privileges, bypass security controls, and deploy further malware. The use of ADS makes detection more challenging, as the malicious DLL is hidden within a seemingly benign file. This can lead to data breaches, system compromise, and potential financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the command-line arguments used with \u003ccode\u003erundll32.exe\u003c/code\u003e (as used in the Sigma rules below).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect suspicious \u003ccode\u003erundll32.exe\u003c/code\u003e executions from ADS.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual file modifications that involve writing data to alternate data streams.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to restrict the execution of unauthorized executables.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-08T15:30:00Z","date_published":"2024-01-08T15:30:00Z","id":"/briefs/2024-01-08-rundll32-ads/","summary":"Adversaries may use rundll32.exe to execute DLLs stored within alternate data streams (ADS) to bypass security controls and conceal malicious code.","title":"Rundll32 Execution with DLL Stored in Alternate Data Stream (ADS)","url":"https://feed.craftedsignal.io/briefs/2024-01-08-rundll32-ads/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["execution","initial-access","defense-evasion","discovery"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAttackers are increasingly leveraging PDF reader applications as an initial access vector, exploiting vulnerabilities within these programs or using social engineering to trick users into opening malicious PDF documents. Upon successful exploitation, adversaries often spawn built-in Windows utilities from the compromised PDF reader process to perform reconnaissance, escalate privileges, or establish persistence. This activity is designed to blend in with normal system operations, making it difficult to detect without specific monitoring and detection rules. The targeted software commonly includes Adobe Acrobat, Adobe Reader, and Foxit Reader. Defenders should be vigilant for unexpected child processes of PDF readers, especially command-line interpreters and system administration tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user receives a malicious PDF document via phishing or other means.\u003c/li\u003e\n\u003cli\u003eThe user opens the PDF document using a vulnerable PDF reader application (e.g., Adobe Acrobat, Foxit Reader).\u003c/li\u003e\n\u003cli\u003eThe PDF document exploits a vulnerability or uses a malicious script to execute an arbitrary command.\u003c/li\u003e\n\u003cli\u003eThe PDF reader application spawns a command-line interpreter (e.g., cmd.exe, powershell.exe) or a system administration tool (e.g., reg.exe, net.exe).\u003c/li\u003e\n\u003cli\u003eThe spawned process executes commands to gather system information (e.g., ipconfig.exe, systeminfo.exe, whoami.exe).\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to discover network configuration, user accounts, or running processes.\u003c/li\u003e\n\u003cli\u003eThe attacker could leverage the spawned process to download and execute further payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the system and can proceed with lateral movement, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of PDF reader applications can lead to initial access, privilege escalation, and further compromise of the affected system. While individual incidents may have a low risk score, widespread exploitation can lead to significant data breaches, system downtime, and reputational damage. The use of legitimate system utilities for malicious purposes can make detection challenging, allowing attackers to operate undetected for extended periods.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture the execution of suspicious child processes (Sysmon Event ID 1, Windows Security Event Logs).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious PDF Reader Child Process\u0026rdquo; to your SIEM and tune for your environment to detect the execution of suspicious processes spawned by PDF reader applications.\u003c/li\u003e\n\u003cli\u003eMonitor for network connections originating from PDF reader applications to unusual or external IP addresses.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or unknown executables.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T18:45:00Z","date_published":"2024-01-04T18:45:00Z","id":"/briefs/2024-01-suspicious-pdf-child-process/","summary":"Adversaries may exploit PDF reader applications to execute arbitrary commands and establish a foothold within a system, often launching built-in utilities for reconnaissance and privilege escalation.","title":"Suspicious PDF Reader Child Process Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-pdf-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","ransomware","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eAttackers, particularly ransomware groups, often disable or manipulate event logs to cover their tracks and hinder forensic investigations. This activity typically occurs post-compromise as part of an attacker\u0026rsquo;s defense evasion strategy. The use of \u003ccode\u003ewevtutil.exe\u003c/code\u003e, a legitimate Windows command-line utility, makes this technique challenging to detect without specific monitoring. Ransomware actors disable logging to operate undetected, making it difficult for security teams to trace malicious activities and respond effectively. This can prolong the dwell time of the attacker within the environment and increase the potential for widespread damage, data exfiltration, or system encryption.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through typical methods like phishing or exploiting public-facing vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker executes code on the compromised system, achieving initial foothold.\u003c/li\u003e\n\u003cli\u003ePrivilege escalation techniques are employed to gain elevated permissions (e.g., using exploits, token manipulation).\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ewevtutil.exe\u003c/code\u003e with specific commands to disable or clear event logs. Example commands include \u003ccode\u003ewevtutil.exe sl \u0026lt;logname\u0026gt; false\u003c/code\u003e or \u003ccode\u003ewevtutil.exe set-log \u0026lt;logname\u0026gt; /enabled:false\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker disables specific event channels to remove evidence of their activity.\u003c/li\u003e\n\u003cli\u003ePersistence mechanisms are established to maintain access across reboots (e.g., creating scheduled tasks, modifying registry keys).\u003c/li\u003e\n\u003cli\u003eLateral movement is initiated to compromise additional systems within the network using tools like PsExec or SMB shares.\u003c/li\u003e\n\u003cli\u003eThe final objective, such as ransomware deployment or data exfiltration, is executed, with logging disabled to minimize the chances of detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of event logs allows attackers to operate undetected, hindering forensic investigations and incident response efforts. This can lead to delayed detection of breaches, prolonged dwell time for attackers, and increased damage to affected organizations. Ransomware groups frequently use this technique to maximize the impact of their attacks, resulting in data encryption, exfiltration, and significant financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to detect the execution of \u003ccode\u003ewevtutil.exe\u003c/code\u003e with suspicious parameters.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM to detect specific command-line arguments used to disable event logs.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Event Log Security (4688) for process creation events of \u003ccode\u003ewevtutil.exe\u003c/code\u003e with arguments related to disabling or clearing logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where \u003ccode\u003ewevtutil.exe\u003c/code\u003e is executed with parameters like \u003ccode\u003esl\u003c/code\u003e or \u003ccode\u003eset-log\u003c/code\u003e and \u003ccode\u003e/e:false\u003c/code\u003e or \u003ccode\u003e/enabled:false\u003c/code\u003e in the command line, as highlighted in the provided Sigma rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T16:30:00Z","date_published":"2024-01-04T16:30:00Z","id":"/briefs/2024-01-disable-logs-wevtutil/","summary":"The execution of `wevtutil.exe` with parameters to disable event logs is a tactic commonly employed by ransomware to evade detection and hinder forensic investigations, leading to a significant reduction in visibility for defenders.","title":"Detection of Wevtutil.exe Used to Disable Event Logs","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-logs-wevtutil/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","masquerading"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Intel","IBM"],"content_html":"\u003cp\u003eThis detection identifies process execution from suspicious default Windows directories. Attackers may hide malware in trusted paths to evade defenses, making it difficult for analysts to distinguish between legitimate and malicious activity. The detection focuses on identifying processes running from directories like C:\\PerfLogs, C:\\Users\\Public, and various Windows subdirectories (e.g., C:\\Windows\\Tasks, C:\\Windows\\AppReadiness), where executable files are not typically expected to reside. The detection excludes known legitimate processes like SpeechUXWiz.exe, SystemSettings.exe, TrustedInstaller.exe and other Intel and IBM executables to reduce false positives. This technique is often used to bypass security controls or take advantage of existing exceptions applied to these directories. This activity was observed being used by threat actors in the Siestagraph campaign.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious executable into a suspicious directory like C:\\Users\\Public or C:\\Windows\\Tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malware from the unusual directory. This might be achieved using \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe executed malware establishes persistence by creating a scheduled task or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eThe malware connects to a command-and-control (C2) server to receive further instructions.\u003c/li\u003e\n\u003cli\u003eThe C2 server instructs the malware to perform reconnaissance on the network.\u003c/li\u003e\n\u003cli\u003eThe malware attempts to move laterally to other systems on the network using techniques like pass-the-hash or exploiting vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration, ransomware deployment, or establishing long-term access to the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary code, persistence on the system, and further compromise of the network. Attackers can use this technique to bypass security controls and evade detection, potentially leading to data breaches, financial loss, or disruption of services. While the rule itself has a medium severity, the impact of a successful attack using this technique can be severe, depending on the attacker\u0026rsquo;s objectives and the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Process Execution from Unusual Directory\u0026rdquo; to your SIEM and tune for your environment to detect suspicious process execution.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine if the process execution is legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging, specifically Event ID 4688 with command line process auditing, to ensure the Sigma rule has the necessary data to function effectively.\u003c/li\u003e\n\u003cli\u003eReview and harden permissions on the listed suspicious directories to prevent unauthorized file creation and execution.\u003c/li\u003e\n\u003cli\u003eBlock execution of unsigned or untrusted executables from these directories using application control solutions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"/briefs/2024-01-process-execution-from-unusual-directory/","summary":"Adversaries may execute processes from unusual default Windows directories to masquerade malware and evade defenses by blending in with trusted paths, making malicious activity harder to detect.","title":"Process Execution from Suspicious Windows Directories","url":"https://feed.craftedsignal.io/briefs/2024-01-process-execution-from-unusual-directory/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Auto Update Client"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","lolbas","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are abusing the Windows Update Auto Update Client (wuauclt.exe) to execute arbitrary code by loading malicious DLLs. This technique allows malicious actors to evade defenses by masquerading their activity as legitimate Windows processes. The abuse involves using specific command-line arguments with wuauclt.exe to load a DLL from a user-writable directory. This behavior has been observed in various attacks aimed at evading traditional security measures. This is an effective defense evasion and execution technique, allowing attackers to execute code while blending in with normal system processes, potentially bypassing application control and other security mechanisms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through an unrelated method.\u003c/li\u003e\n\u003cli\u003eThe attacker places a malicious DLL in a directory writable by standard users, such as \u003ccode\u003eC:\\Users\\\u0026lt;username\u0026gt;\\\u003c/code\u003e, \u003ccode\u003eC:\\ProgramData\\\u003c/code\u003e, \u003ccode\u003eC:\\Windows\\Temp\\\u003c/code\u003e, or \u003ccode\u003eC:\\Windows\\Tasks\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewuauclt.exe\u003c/code\u003e with the arguments \u003ccode\u003e/RunHandlerComServer\u003c/code\u003e and \u003ccode\u003e/UpdateDeploymentProvider\u003c/code\u003e along with the path to the malicious DLL. For example: \u003ccode\u003ewuauclt.exe /RunHandlerComServer /UpdateDeploymentProvider /dll:\u0026lt;path_to_malicious_dll\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ewuauclt.exe\u003c/code\u003e loads the specified malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes arbitrary code within the context of the \u003ccode\u003ewuauclt.exe\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs its intended actions, such as establishing persistence, communicating with a C2 server, or escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker may then use the compromised system as a foothold for lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code within a trusted Windows process, potentially bypassing security controls and making detection more difficult. While specific victim counts are unavailable, this technique can be used in targeted attacks against organizations where defense evasion is a priority for the adversary. Successful execution can lead to complete system compromise, data theft, or further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eImageLoad via Windows Update Auto Update Client\u003c/code\u003e to detect the execution of \u003ccode\u003ewuauclt.exe\u003c/code\u003e with suspicious arguments.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ewuauclt.exe\u003c/code\u003e with the arguments \u003ccode\u003e/RunHandlerComServer\u003c/code\u003e and \u003ccode\u003e/UpdateDeploymentProvider\u003c/code\u003e, focusing on DLL paths in user-writable directories.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation and image-load logging to improve visibility into this type of attack.\u003c/li\u003e\n\u003cli\u003eAudit DLLs loaded by \u003ccode\u003ewuauclt.exe\u003c/code\u003e and investigate any unsigned or unexpected DLLs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"/briefs/2024-01-wuauclt-dll-load/","summary":"The Windows Update Auto Update Client (wuauclt.exe) is being abused to load arbitrary DLLs, a defense evasion technique where malicious activity blends with legitimate Windows software by using specific process arguments and placing DLLs in writable paths.","title":"Abuse of Windows Update Client for DLL Loading","url":"https://feed.craftedsignal.io/briefs/2024-01-wuauclt-dll-load/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","eventlog"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers often disable Windows Event and Security Logs to evade detection on compromised systems. This activity involves tampering with, clearing, and deleting event log data to break SIEM detections, cover their tracks, and slow down incident response. The methods employed include using the \u003ccode\u003elogman\u003c/code\u003e utility, PowerShell commands to disable the EventLog service, or \u003ccode\u003eauditpol\u003c/code\u003e to disable auditing. These actions are typically performed after initial access and privilege escalation to hinder forensic investigations and maintain persistence within the environment. Defenders should monitor for these specific tools and command-line arguments to identify potential attempts to disable logging.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to administrator level to gain the necessary permissions to modify event logging settings.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003elogman.exe\u003c/code\u003e with arguments to stop or delete EventLog traces (e.g., \u003ccode\u003elogman.exe stop EventLog-*\u003c/code\u003e, \u003ccode\u003elogman.exe delete EventLog-*\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses PowerShell with \u003ccode\u003eSet-Service\u003c/code\u003e cmdlet to disable the EventLog service (e.g., \u003ccode\u003epowershell.exe Set-Service EventLog -StartupType Disabled\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker can also use \u003ccode\u003eauditpol.exe\u003c/code\u003e to disable auditing policies, preventing future events from being logged (e.g., \u003ccode\u003eauditpol.exe /success:disable\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAfter disabling logging, the attacker performs malicious activities such as lateral movement, data exfiltration, or malware deployment, with a reduced risk of detection.\u003c/li\u003e\n\u003cli\u003eThe attacker removes traces of their activity from other logs if possible.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence and continues to exploit the compromised environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of Windows Event and Security Logs can severely hinder incident response and forensic investigations. The absence of log data makes it difficult to detect ongoing malicious activity, understand the scope of the compromise, and attribute the attack. This can lead to prolonged dwell time for attackers, increased data exfiltration, and greater overall damage to the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Disable Windows Event and Security Logs Using Built-in Tools\u0026rdquo; to your SIEM to detect the execution of \u003ccode\u003elogman.exe\u003c/code\u003e, PowerShell, and \u003ccode\u003eauditpol.exe\u003c/code\u003e with specific arguments related to disabling event logs.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003elogman.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003epwsh.exe\u003c/code\u003e, \u003ccode\u003epowershell_ise.exe\u003c/code\u003e, and \u003ccode\u003eauditpol.exe\u003c/code\u003e with command-line arguments that indicate an attempt to disable event logging.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture detailed command-line arguments for process monitoring.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit Group Policy settings related to event logging to prevent unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eMonitor for changes to the EventLog service configuration, including startup type and status, using system monitoring tools.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T10:00:00Z","date_published":"2024-01-04T10:00:00Z","id":"/briefs/2024-01-disable-windows-logs/","summary":"Attackers attempt to disable Windows Event and Security Logs using logman, PowerShell, or auditpol to evade detection and cover their tracks.","title":"Disable Windows Event and Security Logs Using Built-in Tools","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-windows-logs/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft HTML Help system","Elastic Defend","Microsoft Defender XDR","Sysmon","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["execution","defense-evasion","compiled-html","windows","proxy-execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eAttackers are known to deliver malicious payloads within compiled HTML files (.chm) to bypass security measures and gain initial access to systems. This technique leverages the Microsoft HTML Help system and its associated executable, hh.exe, to proxy the execution of malicious code. Compiled HTML files can contain various types of content, including HTML documents, images, and scripting languages like VBA, JScript, Java, and ActiveX. By embedding malicious scripts or executables within a .chm file, attackers can trick users into executing them when they open the file. This is particularly effective because hh.exe is a signed binary, which may allow it to bypass certain security controls. The scope of this technique affects Windows systems where the HTML Help system is installed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious .chm file containing embedded malicious code, such as a PowerShell script or executable.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the .chm file to the victim via social engineering, such as phishing or malicious websites.\u003c/li\u003e\n\u003cli\u003eThe victim opens the .chm file, causing hh.exe to launch.\u003c/li\u003e\n\u003cli\u003ehh.exe processes the .chm file, rendering its content, which includes the embedded malicious script or executable.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes, often spawning a scripting interpreter like \u003ccode\u003epowershell.exe\u003c/code\u003e or \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe scripting interpreter executes commands to download additional payloads or perform malicious actions on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the victim\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges and moves laterally within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to initial access, code execution, and potentially full system compromise. This can result in data theft, malware installation, and further lateral movement within the network. The severity and impact depend on the permissions of the user running hh.exe and the nature of the malicious payload.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Compiled HTML File Spawning Suspicious Processes\u0026rdquo; to your SIEM to detect instances where \u003ccode\u003ehh.exe\u003c/code\u003e is the parent process of scripting interpreters.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to provide the necessary data for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eMonitor process execution chains for unknown processes originating from \u003ccode\u003ehh.exe\u003c/code\u003e, as mentioned in the investigation guide.\u003c/li\u003e\n\u003cli\u003eImplement email filtering and security awareness training to prevent users from opening malicious .chm files delivered via phishing.\u003c/li\u003e\n\u003cli\u003eBlock the execution of unsigned or untrusted executables in the environment to reduce the risk of malicious code execution.\u003c/li\u003e\n\u003cli\u003eUse endpoint detection and response (EDR) solutions like Elastic Defend, CrowdStrike, Microsoft Defender XDR, and SentinelOne to detect and respond to malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:30:00Z","date_published":"2024-01-03T18:30:00Z","id":"/briefs/2024-01-compiled-html-execution/","summary":"Adversaries may conceal malicious code in compiled HTML files (.chm) and deliver them to a victim for execution, using the HTML Help executable (hh.exe) to proxy the execution of scripting interpreters and bypass security controls.","title":"Process Activity via Compiled HTML File Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-compiled-html-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["medium"],"_cs_tags":["azure","firewall","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert identifies potentially malicious modifications or deletions of Azure firewalls. Azure firewalls are critical components for network security, controlling inbound and outbound traffic based on defined rules. An attacker who gains sufficient privileges within an Azure environment may attempt to disable or modify these firewalls to facilitate lateral movement, data exfiltration, or other malicious activities. This activity is particularly concerning as it represents a direct attempt to weaken the victim\u0026rsquo;s security posture. The activity is detected via Azure Activity Logs. While legitimate administrative actions can trigger this alert, any unexpected or unauthorized changes to firewall configurations should be investigated promptly.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to an Azure environment, possibly through compromised credentials or exploiting a vulnerability in an application.\u003c/li\u003e\n\u003cli\u003eAttacker escalates privileges within the Azure subscription to gain permissions to manage network resources, including firewalls.\u003c/li\u003e\n\u003cli\u003eAttacker identifies the Azure firewalls in the target environment using Azure Resource Manager APIs or the Azure portal.\u003c/li\u003e\n\u003cli\u003eAttacker modifies firewall rules to allow unauthorized traffic, such as opening ports for command and control communication or disabling security rules. This is achieved via the \u003ccode\u003eMICROSOFT.NETWORK/AZUREFIREWALLS/WRITE\u003c/code\u003e operation.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker deletes the Azure firewall using the \u003ccode\u003eMICROSOFT.NETWORK/AZUREFIREWALLS/DELETE\u003c/code\u003e operation, effectively removing network protections.\u003c/li\u003e\n\u003cli\u003eAttacker validates that their changes have been successfully applied by testing network connectivity or by reviewing the firewall configuration.\u003c/li\u003e\n\u003cli\u003eAttacker performs malicious activities such as lateral movement, data exfiltration, or deploying additional resources without firewall restrictions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification or deletion of Azure firewalls can have severe consequences. An attacker can bypass network security controls, leading to data breaches, unauthorized access to sensitive resources, and the potential for widespread disruption. This can result in financial losses, reputational damage, and regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect unauthorized firewall modifications or deletions in Azure Activity Logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on unfamiliar user identities and user agents.\u003c/li\u003e\n\u003cli\u003eReview Azure RBAC roles and permissions to ensure the principle of least privilege is enforced, limiting the ability of users and service principals to modify or delete firewalls.\u003c/li\u003e\n\u003cli\u003eMonitor Azure Activity Logs for other suspicious activities, such as unusual resource deployments or changes to security settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:30:00Z","date_published":"2024-01-03T18:30:00Z","id":"/briefs/2024-01-azure-firewall-modified-or-deleted/","summary":"An Azure firewall was created, modified, or deleted, potentially indicating malicious activity aimed at impairing network defenses.","title":"Azure Firewall Modification or Deletion Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-firewall-modified-or-deleted/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["process-injection","powershell","pinvoke","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts leveraging the P/Invoke (Platform Invoke) technology to perform process injection. P/Invoke allows managed code (like PowerShell) to call unmanaged functions exported from DLLs, including critical Windows API functions. Attackers use this to inject malicious code into legitimate processes for evasion and persistence. The detection focuses on identifying specific API chains commonly used in process injection techniques, such as allocating memory in a target process (VirtualAlloc), writing malicious code into the allocated memory (WriteProcessMemory), and executing the injected code (CreateRemoteThread). This activity is often associated with malware deployment, privilege escalation, and defense evasion. The detection logic is designed to identify these API chains either at the compile phase using Add-Type or during the execution phase, alerting on suspicious PowerShell behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003ePowerShell is invoked to execute a malicious script.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script uses Add-Type and DllImport to declare external functions from Windows DLLs, including kernel32.dll and ntdll.dll.\u003c/li\u003e\n\u003cli\u003eThe script uses functions such as OpenProcess to gain a handle to a target process.\u003c/li\u003e\n\u003cli\u003eVirtualAllocEx is called to allocate memory within the target process.\u003c/li\u003e\n\u003cli\u003eWriteProcessMemory is used to write malicious code into the allocated memory region of the target process.\u003c/li\u003e\n\u003cli\u003eCreateRemoteThread is called to create a new thread within the target process, pointing to the injected code.\u003c/li\u003e\n\u003cli\u003eThe injected code executes within the context of the target process, achieving code execution and potential privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful process injection allows attackers to execute arbitrary code within the context of a trusted process, bypassing security controls and potentially gaining elevated privileges. This can lead to data theft, system compromise, or further propagation within the network. The use of PowerShell and P/Invoke makes detection more challenging, as the activity can blend in with legitimate system administration tasks. A successful attack could lead to the deployment of a VIP Keylogger or other malware, as noted in the provided references.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (Event ID 4104) to provide the necessary data for detection (data_source).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePowerShell PInvoke Process Injection\u003c/code\u003e to your SIEM and tune the rule to your environment (rules).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the specific API chains identified in the \u003ccode\u003edetection\u003c/code\u003e section of the rule.\u003c/li\u003e\n\u003cli\u003eReview PowerShell execution policies and restrict the execution of unsigned scripts to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"/briefs/2024-01-powershell-pinvoke-process-injection/","summary":"This analytic detects PowerShell code that uses P/Invoke to call Windows API functions associated with process injection, such as VirtualAlloc, WriteProcessMemory, and CreateRemoteThread, indicating potential malicious activity.","title":"PowerShell P/Invoke Process Injection API Chain Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-pinvoke-process-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["credential-access","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eThis rule identifies the creation of symbolic links to shadow copies on Windows systems. Attackers use this technique to gain access to sensitive files stored within shadow copies, including the ntds.dit file (containing password hashes), system boot keys, and browser offline credentials. This approach allows them to bypass normal file access controls and extract credentials for lateral movement or privilege escalation. The detection rule is designed to ingest data from various sources, including Elastic Defend, CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs, providing broad coverage across different endpoint security solutions. The activity is typically initiated by command-line tools like cmd.exe or powershell.exe, making detection through process monitoring feasible. This technique is particularly relevant as it targets credential dumping, a critical stage in many attack campaigns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, possibly through phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain administrative rights, which are required to create shadow copies and symbolic links.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a volume shadow copy using \u003ccode\u003evssadmin.exe\u003c/code\u003e or similar tools.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003emklink\u003c/code\u003e command or PowerShell \u003ccode\u003eNew-Item -ItemType SymbolicLink\u003c/code\u003e to create a symbolic link to the shadow copy path.\u003c/li\u003e\n\u003cli\u003eThe symbolic link points to a directory within the shadow copy containing sensitive files like \u003ccode\u003entds.dit\u003c/code\u003e or browser credential stores.\u003c/li\u003e\n\u003cli\u003eThe attacker copies the targeted sensitive files (e.g., \u003ccode\u003entds.dit\u003c/code\u003e) from the shadow copy using the symbolic link.\u003c/li\u003e\n\u003cli\u003eThe attacker removes the shadow copy to cover their tracks, although the symbolic link creation remains as evidence.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts credentials from the copied \u003ccode\u003entds.dit\u003c/code\u003e file offline for use in lateral movement or further attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain unauthorized access to sensitive credentials stored on the compromised system. This can lead to lateral movement within the network, privilege escalation, and ultimately, the compromise of critical assets. If the \u003ccode\u003entds.dit\u003c/code\u003e file is accessed, the entire Active Directory domain could be at risk, potentially affecting thousands of users and systems. This type of attack is particularly damaging as it allows attackers to operate undetected for extended periods while they harvest credentials.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026ldquo;Symbolic Link to Shadow Copy Created via Cmd\u0026rdquo; to detect the creation of symbolic links to shadow copies via \u003ccode\u003ecmd.exe\u003c/code\u003e (rules).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026ldquo;Symbolic Link to Shadow Copy Created via PowerShell\u0026rdquo; to detect the creation of symbolic links to shadow copies via \u003ccode\u003epowershell.exe\u003c/code\u003e (rules).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) logging to provide necessary data for the Sigma rules to function correctly (setup).\u003c/li\u003e\n\u003cli\u003eReview the \u0026ldquo;Investigating Symbolic Link to Shadow Copy Created\u0026rdquo; section in the rule\u0026rsquo;s notes for triage and analysis steps when the rule triggers.\u003c/li\u003e\n\u003cli\u003eMonitor for the usage of \u003ccode\u003emklink\u003c/code\u003e command with the \u003ccode\u003eHarddiskVolumeShadowCopy\u003c/code\u003e argument in process command lines.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:15:00Z","date_published":"2024-01-03T18:15:00Z","id":"/briefs/2024-01-shadow-copy-symlink/","summary":"Adversaries may create symbolic links to shadow copies to access sensitive files such as ntds.dit and browser credentials, enabling credential dumping using cmd.exe or powershell.exe.","title":"Symbolic Link Creation to Shadow Copies for Credential Access","url":"https://feed.craftedsignal.io/briefs/2024-01-shadow-copy-symlink/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","proxy-execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne"],"content_html":"\u003cp\u003eInstallUtil.exe is a legitimate Windows utility used for installing and uninstalling server resources. Adversaries abuse InstallUtil.exe to execute malicious code under the guise of legitimate processes, often to evade detection. This technique allows attackers to proxy execution through a trusted system binary, potentially bypassing application control and security monitoring. The detection rule identifies suspicious network activity by monitoring InstallUtil.exe\u0026rsquo;s outbound connections, flagging potential misuse by alerting on the initial network connection attempt. This activity is detected via the Elastic EQL rule \u0026ldquo;InstallUtil Process Making Network Connections.\u0026rdquo;\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access through an undisclosed method.\u003c/li\u003e\n\u003cli\u003eThe attacker uses InstallUtil.exe to execute a malicious .NET assembly.\u003c/li\u003e\n\u003cli\u003eInstallUtil.exe loads the malicious assembly into its process.\u003c/li\u003e\n\u003cli\u003eThe malicious assembly executes code that establishes an outbound network connection.\u003c/li\u003e\n\u003cli\u003eThe connection is used for command and control (C2) or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the C2 channel to download and execute further payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data theft or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution within the context of a trusted Windows process (InstallUtil.exe), bypassing application control and potentially evading detection. This could result in a compromised system, data exfiltration, or further malicious activities within the network. The scope of impact depends on the attacker\u0026rsquo;s objectives and the level of access gained, potentially affecting entire organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging and network connection logging via Sysmon or Elastic Defend to provide the data needed for the rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;InstallUtil Network Connection\u0026rdquo; to your SIEM and tune for your environment to detect suspicious outbound network connections from InstallUtil.exe.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule by examining the parent process of InstallUtil.exe, destination IP addresses, and associated activities.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring and alerting for unusual outbound connections from critical systems to enhance detection of similar threats in the future.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:15:00Z","date_published":"2024-01-03T18:15:00Z","id":"/briefs/2024-01-installutil-network-connection/","summary":"Detection of InstallUtil.exe making outbound network connections, which can indicate adversaries leveraging it to execute code and evade detection by proxying execution through a trusted system binary.","title":"InstallUtil Process Making Network Connections for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-installutil-network-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["defense-evasion","masquerading","LOLbins","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies suspicious Windows processes exhibiting high malicious probability scores. The rule leverages machine learning to detect clusters of processes that may be indicative of defense evasion tactics, such as masquerading or the use of LOLbins (Living Off The Land Binaries). Specifically, a supervised ML model (ProblemChild) predicts whether a process is malicious, and an unsupervised ML model assesses the aggregate score of process clusters on a single host. The rule focuses on identifying unusual process clusters on a single host, indicating potential masquerading tactics for defense evasion. The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. It was last updated on 2026/04/01 and requires Elastic Stack version 9.4.0 or later.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the Windows host through various methods, such as exploiting vulnerabilities or using compromised credentials (not detailed in source).\u003c/li\u003e\n\u003cli\u003eExecution: The attacker executes a LOLBin (e.g., PowerShell, cmd.exe, mshta.exe) on the compromised host.\u003c/li\u003e\n\u003cli\u003eMasquerading: The attacker attempts to masquerade the malicious activity by naming or placing the LOLBin within a legitimate system folder.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker utilizes the LOLBin with specific command-line arguments designed to evade detection by traditional signature-based security solutions.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (Optional): The attacker may attempt to escalate privileges using further LOLBINS or other techniques.\u003c/li\u003e\n\u003cli\u003eLateral Movement (Optional): The attacker may use the compromised host to move laterally to other systems within the network.\u003c/li\u003e\n\u003cli\u003eCommand and Control (Optional): The attacker may establish command and control (C2) communication with an external server to receive further instructions.\u003c/li\u003e\n\u003cli\u003eImpact: The attacker achieves their objective, such as data exfiltration, ransomware deployment, or system disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to various negative impacts, including data breaches, financial loss, and reputational damage. The rule is assigned a low severity, due to it likely being a supplemental detection to other rules. Lateral movement and exfiltration can also be accomplished. There is no information available on the number of victims and specific sectors targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the Living off the Land (LotL) Attack Detection integration is installed and configured correctly, along with either Elastic Defend or Winlogbeat, to collect Windows process events as outlined in the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eReview the host name associated with the suspicious process cluster to determine if it is a critical asset or has a history of similar alerts as suggested in the investigation guide.\u003c/li\u003e\n\u003cli\u003eExamine the specific processes flagged by the ProblemChild supervised ML model to identify any known LOLbins or unusual command-line arguments that may indicate masquerading, per the investigation guide.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized or suspicious processes from executing in the future, as advised in the remediation steps.\u003c/li\u003e\n\u003cli\u003eTune the anomaly threshold of the machine learning job (\u003ccode\u003eproblem_child_high_sum_by_host_ea\u003c/code\u003e) to reduce false positives based on your environment\u0026rsquo;s specific characteristics and activity patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:00:00Z","date_published":"2024-01-03T18:00:00Z","id":"/briefs/2024-01-suspicious-windows-process/","summary":"A machine learning job combination has identified a host with one or more suspicious Windows processes that exhibit unusually high malicious probability scores, potentially indicating masquerading and defense evasion tactics.","title":"Suspicious Windows Process Cluster Detection via Machine Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-windows-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender Advanced Threat Protection"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts leveraging a combination of Base64 encoding and .NET compression techniques (Deflate/GZip) to conceal malicious payloads. Attackers employ this method to bypass security measures by deobfuscating and reconstructing the payload directly in memory. This technique allows adversaries to evade detection mechanisms that rely on static analysis of script content. The rule focuses on identifying script block content exhibiting this behavior, providing defenders with visibility into potential defense evasion attempts within their Windows environments. This rule was last updated on 2026-05-04, and its initial version was created on 2021/10/19.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access through methods like phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eA PowerShell script is executed on the target system, potentially through a compromised user account.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script contains a Base64 encoded string representing a compressed payload.\u003c/li\u003e\n\u003cli\u003eThe script uses the \u003ccode\u003eFromBase64String\u003c/code\u003e function to decode the Base64 encoded string.\u003c/li\u003e\n\u003cli\u003eThe script decompresses the decoded data using .NET compression classes like \u003ccode\u003eSystem.IO.Compression.DeflateStream\u003c/code\u003e or \u003ccode\u003eSystem.IO.Compression.GzipStream\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe decompressed data reveals a malicious payload, such as a reverse shell or credential theft tool.\u003c/li\u003e\n\u003cli\u003eThe script executes the payload in memory, bypassing traditional file-based detection methods.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as gaining persistent access, stealing data, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete system compromise, data theft, and deployment of malware such as ransomware. The obfuscation techniques make detection more difficult, increasing the dwell time of attackers within the network. Windows systems are primarily affected. If Windows Defender Advanced Threat Protection is being used, this can evade its protection.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the necessary events for detection (related to the logsource in the rules below).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Suspicious Payload Encoded and Compressed\u0026rdquo; to your SIEM and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule, focusing on the reconstructed script block content.\u003c/li\u003e\n\u003cli\u003eReview PowerShell execution policies to restrict the execution of unsigned or untrusted scripts.\u003c/li\u003e\n\u003cli\u003eMonitor process telemetry for PowerShell instances and their parent processes.\u003c/li\u003e\n\u003cli\u003eRestrict PowerShell execution to trusted administrative paths where feasible.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:00:00Z","date_published":"2024-01-03T18:00:00Z","id":"/briefs/2024-01-powershell-compressed-payload/","summary":"Detects PowerShell scripts employing Base64 decoding combined with .NET decompression (Deflate/GZip) to deobfuscate and reconstruct malicious payloads in memory, evading traditional defenses.","title":"PowerShell Suspicious Payload Encoded and Compressed","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-compressed-payload/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["HTML Help"],"_cs_severities":["medium"],"_cs_tags":["execution","defense-evasion","command-and-control","malicious-file","html-help"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAdversaries may conceal malicious code in a compiled HTML file (.chm) and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe). Attackers can use CHM files to proxy the execution of malicious payloads via a signed binary to bypass security controls, and also to gain initial access to environments via social engineering methods. This rule identifies network connections done by hh.exe, which can potentially indicate abuse to download malicious files or tooling, or masquerading. The detection logic focuses on network connections originating from hh.exe to external IPs, excluding private or reserved IP ranges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user receives a compiled HTML file (.chm), often through social engineering tactics such as phishing.\u003c/li\u003e\n\u003cli\u003eThe user opens the .chm file, which is then executed by the HTML Help executable (hh.exe).\u003c/li\u003e\n\u003cli\u003eThe hh.exe process loads and renders the HTML content within the .chm file.\u003c/li\u003e\n\u003cli\u003eEmbedded within the HTML content is malicious JavaScript or other scripting code.\u003c/li\u003e\n\u003cli\u003eThe malicious script executes, initiating a network connection via hh.exe to an external server.\u003c/li\u003e\n\u003cli\u003eThe external server hosts a malicious payload, such as a reverse shell or an executable file.\u003c/li\u003e\n\u003cli\u003eHh.exe downloads the malicious payload to the victim\u0026rsquo;s machine.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is executed, granting the attacker initial access or performing other malicious actions like data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to initial access to a victim\u0026rsquo;s system, potentially bypassing security controls through a signed Microsoft binary. This can result in the download and execution of arbitrary payloads, leading to data exfiltration, lateral movement within the network, or installation of malware. The exploitation can spread rapidly through social engineering, affecting multiple users within an organization. While the severity is rated as medium, the potential for escalation to a critical compromise is high if the attacker gains a foothold in the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process and network monitoring on Windows endpoints, focusing on hh.exe activity (Data Source: Elastic Defend, Sysmon, SentinelOne).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eNetwork Connection via Compiled HTML File\u003c/code\u003e to your SIEM and tune for your environment to detect suspicious network connections initiated by hh.exe.\u003c/li\u003e\n\u003cli\u003eMonitor for hh.exe spawning child processes, which could indicate the execution of downloaded payloads. Create a Sigma rule to detect such events.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised host and restrict lateral movement.\u003c/li\u003e\n\u003cli\u003eConduct regular security awareness training to educate users about the risks of opening unsolicited .chm files.\u003c/li\u003e\n\u003cli\u003eInspect the digital signatures of hh.exe and other system binaries to ensure their integrity and authenticity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:00:00Z","date_published":"2024-01-03T17:00:00Z","id":"/briefs/2024-01-hh-exe-network-connection/","summary":"This rule detects network connections initiated by hh.exe, the HTML Help executable, which may indicate the execution of malicious code embedded in compiled HTML files (.chm) to deliver malicious payloads, bypass security controls, and gain initial access via social engineering.","title":"Network Connection via Compiled HTML File","url":"https://feed.craftedsignal.io/briefs/2024-01-hh-exe-network-connection/"}],"language":"en","next_url":"/tags/defense-evasion/page/2/feed.json","title":"CraftedSignal Threat Feed — Defense Evasion","version":"https://jsonfeed.org/version/1.1"}