{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/discovery/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["kubernetes","kubelet","lateral-movement","discovery","execution","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies potential direct Kubelet API access attempts on Linux systems. The Kubelet, acting as the primary node agent, exposes an API accessible via ports 10250 and 10255. Attackers may exploit this API to enumerate pods, fetch logs, or even attempt remote execution. This access can lead to significant breaches in Kubernetes environments, facilitating discovery, lateral movement, and ultimately, compromise of sensitive data or control over cluster resources. The detection focuses on identifying process executions where the command-line arguments contain URLs targeting these Kubelet ports, indicating a potential attempt to interact with the Kubelet API directly.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised host within the Kubernetes cluster or a host with network access to the Kubelet ports.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a utility like \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003epython\u003c/code\u003e, or similar tools to craft an HTTP request targeting the Kubelet API on ports 10250 or 10255.\u003c/li\u003e\n\u003cli\u003eThe request includes a path like \u003ccode\u003e/pods\u003c/code\u003e, \u003ccode\u003e/runningpods\u003c/code\u003e, \u003ccode\u003e/metrics\u003c/code\u003e, \u003ccode\u003e/exec\u003c/code\u003e, or \u003ccode\u003e/containerLogs\u003c/code\u003e to gather information about 
the cluster\u0026rsquo;s state and configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker examines the response to identify potential targets for lateral movement, such as specific pods or containers of interest.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to execute commands within a container using the \u003ccode\u003e/exec\u003c/code\u003e endpoint, potentially leveraging exposed service account tokens or other credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses gathered information to move laterally to other pods or nodes within the cluster, escalating privileges as they go.\u003c/li\u003e\n\u003cli\u003eThe attacker compromises sensitive data or critical applications running within the Kubernetes cluster.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to full cluster compromise. Attackers can gain unauthorized access to sensitive data, disrupt critical applications, and move laterally to other resources within the Kubernetes environment. This could lead to significant financial losses, reputational damage, and legal liabilities. 
The potential impact includes data breaches, denial of service, and complete control over the Kubernetes infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eKubelet API Access via Process Arguments\u003c/code\u003e to your SIEM to detect suspicious process executions.\u003c/li\u003e\n\u003cli\u003eRestrict access to Kubelet ports 10250/10255 at the network layer to limit pod-to-node or host-to-node traffic as recommended in the overview section.\u003c/li\u003e\n\u003cli\u003eHarden Kubelet configuration by disabling anonymous authentication and enforcing webhook authentication/authorization as described in the overview section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T21:18:23Z","date_published":"2026-05-04T21:18:23Z","id":"/briefs/2024-01-09-kubelet-access/","summary":"This rule detects potential direct Kubelet API access attempts on Linux by identifying process executions whose arguments contain URLs targeting Kubelet ports (10250/10255) enabling discovery and lateral movement in Kubernetes environments.","title":"Potential Direct Kubelet API Access via Process Arguments","url":"https://feed.craftedsignal.io/briefs/2024-01-09-kubelet-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR"],"_cs_severities":["low"],"_cs_tags":["discovery","domain-trust","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe \u003ccode\u003edsquery.exe\u003c/code\u003e utility is a command-line tool in Windows used to query Active Directory. Attackers may leverage \u003ccode\u003edsquery.exe\u003c/code\u003e to discover domain trust relationships within a Windows environment, mapping out potential lateral movement paths. 
This discovery is often an early stage in reconnaissance, before an attacker attempts to move laterally to other systems. This activity can be detected across various endpoint detection platforms including Elastic Defend, CrowdStrike, Microsoft Defender XDR, and SentinelOne. This activity is not inherently malicious, as administrators also use it for legitimate purposes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised host within the target environment.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003edsquery.exe\u003c/code\u003e with the argument \u003ccode\u003eobjectClass=trustedDomain\u003c/code\u003e to enumerate domain trusts.\u003c/li\u003e\n\u003cli\u003eThe command execution is logged by endpoint detection and response (EDR) solutions or Windows Security Event Logs.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output of the \u003ccode\u003edsquery.exe\u003c/code\u003e command to identify trusted domains and their attributes.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the discovered trust information to plan lateral movement strategies.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to other systems within the trusted domains using stolen credentials or other exploits.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enumeration of domain trusts enables attackers to map out the Active Directory environment and identify potential pathways for lateral movement. While the enumeration itself is low impact, it facilitates subsequent actions like credential theft, privilege escalation, and data exfiltration. 
This can lead to widespread compromise across the organization, impacting numerous systems and sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Enumerating Domain Trusts via DSQUERY.EXE\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any execution of \u003ccode\u003edsquery.exe\u003c/code\u003e with the argument \u003ccode\u003eobjectClass=trustedDomain\u003c/code\u003e to identify potentially malicious activity.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for \u003ccode\u003edsquery.exe\u003c/code\u003e to detect suspicious command-line arguments and execution patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-domain-trust-discovery/","summary":"Adversaries may use the `dsquery.exe` command-line utility to enumerate trust relationships for lateral movement in Windows multi-domain environments.","title":"Enumerating Domain Trusts via DSQUERY.EXE","url":"https://feed.craftedsignal.io/briefs/2026-05-domain-trust-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Amazon Web Services"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","getcalleridentity","ec2","discovery"],"_cs_type":"advisory","_cs_vendors":["Amazon","Google","MongoDB, Inc."],"content_html":"\u003cp\u003eThis detection identifies when an EC2 instance role session calls the AWS STS GetCallerIdentity API from a source Autonomous System (AS) Organization name that has not been previously observed. The GetCallerIdentity API is often used by adversaries to validate stolen instance role credentials from infrastructure outside the victim\u0026rsquo;s normal egress points. 
By baselining the combination of identity and source network, the rule reduces noise associated with stable NAT or AWS-classified egress, focusing on truly novel access patterns. This detection is specifically designed to complement other rules that may detect general GetCallerIdentity calls, by excluding previously seen combinations of user identity and source AS organization.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an EC2 instance through methods like exploiting a Server-Side Request Forgery (SSRF) vulnerability, compromising application code, or abusing the Instance Metadata Service (IMDS).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the instance\u0026rsquo;s IAM role to obtain temporary AWS credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to validate the stolen credentials using the \u003ccode\u003eGetCallerIdentity\u003c/code\u003e API call.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eGetCallerIdentity\u003c/code\u003e API call originates from an IP address associated with a new and unexpected Autonomous System Organization (ASO).\u003c/li\u003e\n\u003cli\u003eThe AWS CloudTrail logs record the \u003ccode\u003eGetCallerIdentity\u003c/code\u003e event, including the user identity ARN and the source AS organization name.\u003c/li\u003e\n\u003cli\u003eThe detection rule triggers due to the new combination of user identity and source AS organization.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the validated credentials to perform reconnaissance and identify valuable resources within the AWS environment (e.g., S3 buckets, databases).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to exfiltrate sensitive data or deploy malicious workloads using the stolen credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data stored 
within the AWS environment. The attacker may be able to escalate privileges, compromise other resources, and disrupt services. The potential impact includes data breaches, financial loss, and reputational damage. The lack of specific victim counts or sectors targeted suggests a broad applicability across various AWS users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS EC2 Role GetCallerIdentity from New Source AS Organization\u0026rdquo; to your SIEM to detect suspicious activity.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts triggered by the Sigma rule, focusing on the \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003esource.as.organization.name\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for \u003ccode\u003eGetCallerIdentity\u003c/code\u003e API calls, particularly those originating from unfamiliar source IP addresses and ASNs.\u003c/li\u003e\n\u003cli\u003eRevoke compromised IAM role sessions by stopping the affected EC2 instances or removing the role from the instance profile.\u003c/li\u003e\n\u003cli\u003eRotate any long-lived secrets accessible by the EC2 instance, based on the \u003ccode\u003eaws.cloudtrail.user_identity.access_key_id\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T20:57:28Z","date_published":"2026-05-01T20:57:28Z","id":"/briefs/2024-01-02-aws-ec2-role-getcalleridentity/","summary":"The rule detects when an EC2 instance role session calls AWS STS GetCallerIdentity from a new source autonomous system (AS) organization name, indicating potential credential theft and verification from outside expected egress paths.","title":"AWS EC2 Role GetCallerIdentity from New Source AS 
Organization","url":"https://feed.craftedsignal.io/briefs/2024-01-02-aws-ec2-role-getcalleridentity/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Amazon Web Services"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","discovery","vpn"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis detection identifies the first-time occurrence of an IAM principal invoking discovery APIs from a source IP address associated with a known VPN autonomous system number (ASN). The rule focuses on high-signal discovery actions, such as credential checks, account enumeration, bucket inventory, compute inventory, and logging introspection within AWS CloudTrail logs. The goal is to detect potential reconnaissance activities originating from anonymizing networks, which may indicate malicious intent. The rule specifically omits broad \u003ccode\u003eList*\u003c/code\u003e and \u003ccode\u003eDescribe*\u003c/code\u003e patterns to reduce false positives, focusing instead on a curated list of ASNs commonly associated with VPN providers and hosting services. It\u0026rsquo;s important to validate ASN data using local intelligence and tailor the \u003ccode\u003eevent.action\u003c/code\u003e list based on your environment\u0026rsquo;s baseline. Hosting ASNs are dual-use and require careful monitoring.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to AWS credentials, possibly through compromised credentials or misconfigured IAM roles.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a VPN connection to mask their origin and evade geographic restrictions or monitoring. 
The VPN endpoint\u0026rsquo;s ASN belongs to a known VPN provider.\u003c/li\u003e\n\u003cli\u003eUsing the compromised credentials and VPN connection, the attacker calls the AWS API to execute \u003ccode\u003eGetCallerIdentity\u003c/code\u003e to validate access.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates IAM users and roles using \u003ccode\u003eListUsers\u003c/code\u003e and \u003ccode\u003eListRoles\u003c/code\u003e to map out the AWS environment\u0026rsquo;s identity landscape.\u003c/li\u003e\n\u003cli\u003eThe attacker inventories S3 buckets using \u003ccode\u003eListBuckets\u003c/code\u003e to identify potential targets for data exfiltration or manipulation.\u003c/li\u003e\n\u003cli\u003eThe attacker gathers information about EC2 instances, VPCs, and security groups using \u003ccode\u003eDescribeInstances\u003c/code\u003e, \u003ccode\u003eDescribeVpcs\u003c/code\u003e, and \u003ccode\u003eDescribeSecurityGroups\u003c/code\u003e to understand the network infrastructure.\u003c/li\u003e\n\u003cli\u003eThe attacker lists available Lambda functions using \u003ccode\u003eListFunctions\u003c/code\u003e to discover potential code execution opportunities.\u003c/li\u003e\n\u003cli\u003eThe attacker collects logging configurations by calling \u003ccode\u003eDescribeTrails\u003c/code\u003e to identify logging gaps.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging these discovery techniques can lead to unauthorized access to sensitive data, privilege escalation, and lateral movement within the AWS environment. By mapping out the cloud infrastructure, attackers can identify vulnerabilities and misconfigurations to exploit. 
Compromised AWS environments can result in data breaches, service disruptions, and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS Discovery API Calls from VPN ASN by New Identity\u003c/code\u003e to detect anomalous discovery activity originating from VPN ASNs.\u003c/li\u003e\n\u003cli\u003eReview the curated list of VPN-oriented ASNs within the rule query and update it with local intelligence from sources like RIPE, BGPView, or PeeringDB.\u003c/li\u003e\n\u003cli\u003eEnable AWS CloudTrail logs to capture the necessary event data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eTune the Sigma rule\u0026rsquo;s \u003ccode\u003eevent.action\u003c/code\u003e filter to include additional discovery-related API calls relevant to your environment, based on baseline analysis.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule by examining \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e, \u003ccode\u003eevent.action\u003c/code\u003e, \u003ccode\u003eevent.provider\u003c/code\u003e, \u003ccode\u003esource.ip\u003c/code\u003e, and \u003ccode\u003esource.as.organization.name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement automated response actions, such as revoking sessions or rotating keys, when unexpected discovery activity is detected from VPN ASNs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T20:57:28Z","date_published":"2026-05-01T20:57:28Z","id":"/briefs/2024-01-aws-vpn-discovery/","summary":"This rule detects the initial use of AWS discovery APIs from VPN-associated ASNs by a previously unseen identity, indicating potential reconnaissance activity.","title":"AWS Discovery API Calls from VPN ASN by New 
Identity","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-vpn-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS S3","AWS CloudTrail"],"_cs_severities":["low"],"_cs_tags":["aws","s3","cloudtrail","discovery","enumeration","reconnaissance"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis threat brief covers suspicious activity related to the rapid enumeration of AWS S3 buckets. The activity is characterized by an AWS principal invoking read-only S3 control-plane APIs from the same source IP address within a short timeframe. This pattern is often associated with reconnaissance efforts, security scanning tools, or post-compromise enumeration activities. The behavior is similar to that observed with CSPM tools and by threat actors like Team PCP. The detection specifically excludes AWS service principals and requires programmatic-style sessions (i.e., not Management Console credentials). It focuses on scenarios where resource and identity fields are populated to avoid skewed results from null values. The detection threshold is set to greater than 15 distinct \u003ccode\u003eaws.cloudtrail.resources.arn\u003c/code\u003e values within a 10-second window.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS environment using compromised credentials or through an exposed IAM role. 
(T1530)\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to AWS using the obtained credentials, creating a programmatic session.\u003c/li\u003e\n\u003cli\u003eThe attacker issues a series of \u003ccode\u003eGetBucketAcl\u003c/code\u003e, \u003ccode\u003eGetBucketPublicAccessBlock\u003c/code\u003e, \u003ccode\u003eGetBucketPolicy\u003c/code\u003e, \u003ccode\u003eGetBucketPolicyStatus\u003c/code\u003e, and \u003ccode\u003eGetBucketVersioning\u003c/code\u003e API calls to S3.\u003c/li\u003e\n\u003cli\u003eThese API calls are directed towards multiple distinct S3 buckets within a short timeframe (10 seconds).\u003c/li\u003e\n\u003cli\u003eThe attacker collects information about the bucket\u0026rsquo;s access control lists (ACLs), public access blocks, policies, versioning status, and other metadata. (T1526, T1580, T1619)\u003c/li\u003e\n\u003cli\u003eThe collected information is analyzed to identify publicly accessible buckets, misconfigurations, or sensitive data storage locations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses identified vulnerabilities to exfiltrate data.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts lateral movement within the AWS environment, leveraging the discovered information to compromise other resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enumeration of S3 buckets can lead to the discovery of sensitive data, misconfigurations, and publicly accessible resources. This can result in data breaches, unauthorized access, and further compromise of the AWS environment. The enumeration allows an attacker to map out the S3 storage landscape, identifying targets for data exfiltration or privilege escalation. 
The rapid nature of the enumeration suggests automated scanning or reconnaissance, potentially indicating a larger attack campaign.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect rapid S3 bucket enumeration activity based on AWS CloudTrail logs, adjusting the threshold of 15 distinct buckets to suit your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the source IP address (\u003ccode\u003esource.ip\u003c/code\u003e), AWS principal ARN (\u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e), and the list of accessed buckets (\u003ccode\u003eaws.cloudtrail.resources.arn\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview IAM policies associated with the identified principal to ensure least privilege for S3 read APIs.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for related events, such as \u003ccode\u003eListBuckets\u003c/code\u003e, \u003ccode\u003eGetObject\u003c/code\u003e, \u003ccode\u003ePutBucketPolicy\u003c/code\u003e, \u003ccode\u003eAssumeRole\u003c/code\u003e, or IAM changes, occurring within ±30 minutes of the detected enumeration activity.\u003c/li\u003e\n\u003cli\u003eImplement network-level restrictions on the source IP address if it is not authorized to perform S3 enumeration.\u003c/li\u003e\n\u003cli\u003eDocument approved scanning accounts and add user agent filters to the provided Sigma rule to reduce noise from those identities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T19:43:38Z","date_published":"2026-05-01T19:43:38Z","id":"/briefs/2024-01-aws-s3-bucket-discovery/","summary":"An AWS principal rapidly enumerates S3 bucket posture using read-only APIs, indicative of reconnaissance, scanning, or post-compromise activity.","title":"Rapid Enumeration of AWS S3 
Buckets","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-s3-bucket-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["cloud","aws","cloudtrail","discovery"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious AWS reconnaissance activity originating from the AWS CLI. It triggers when a single AWS identity (IAM user, role, or service principal) makes more than five unique discovery-related API calls (such as \u003ccode\u003eDescribe*\u003c/code\u003e, \u003ccode\u003eList*\u003c/code\u003e, \u003ccode\u003eGet*\u003c/code\u003e, or \u003ccode\u003eGenerate*\u003c/code\u003e) within a 10-second window. The rule is designed to detect adversaries attempting to map out an AWS environment after gaining unauthorized access through compromised credentials or a compromised EC2 instance. The rule focuses on API calls related to key AWS services like EC2, IAM, S3, and KMS. This rule helps defenders identify and respond to early-stage reconnaissance activity, preventing further exploitation or data exfiltration. The rule excludes activity from AWS service accounts and the AWS Management Console, and it requires a minimum stack version of 9.2.0 with AWS integration version 4.6.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains access to an AWS environment, potentially through compromised credentials or by compromising an EC2 instance.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Usage:\u003c/strong\u003e The attacker leverages the AWS CLI to interact with the AWS environment using the compromised credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker initiates a series of discovery API calls to gather information about the AWS infrastructure. 
This includes using \u003ccode\u003eDescribe*\u003c/code\u003e, \u003ccode\u003eList*\u003c/code\u003e, \u003ccode\u003eGet*\u003c/code\u003e, and \u003ccode\u003eGenerate*\u003c/code\u003e commands.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eResource Enumeration:\u003c/strong\u003e The attacker enumerates various AWS resources, including EC2 instances, IAM roles, S3 buckets, and KMS keys, by querying their respective APIs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTarget Identification:\u003c/strong\u003e The attacker analyzes the gathered information to identify potential targets for further exploitation, such as vulnerable EC2 instances or misconfigured S3 buckets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e If the compromised credentials have limited permissions, the attacker might attempt to escalate privileges to gain broader access to the AWS environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Optional):\u003c/strong\u003e The attacker might attempt to move laterally to other AWS accounts or services to expand their reach and impact.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Impact:\u003c/strong\u003e Based on the attacker\u0026rsquo;s goals, they may attempt to exfiltrate sensitive data or cause disruption by modifying or deleting resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to unauthorized access to sensitive data, such as customer information, intellectual property, or financial records. The attacker could also disrupt business operations by modifying or deleting critical resources. 
Identifying and responding to such activity in a timely manner can help prevent significant damage and maintain the security and integrity of the AWS environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to your SIEM and tune for your environment to detect the described reconnaissance activity.\u003c/li\u003e\n\u003cli\u003eEnable AWS CloudTrail logging for all AWS regions and accounts in your organization to ensure the required logs are available for detection.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the affected AWS identity, the source IP address, and the specific API calls made (as captured by the Sigma rule).\u003c/li\u003e\n\u003cli\u003eIf suspicious activity is confirmed, follow AWS\u0026rsquo;s incident-handling guidance, including disabling or rotating the access key used and restricting outbound connectivity from the source (reference the AWS Security Incident Response Guide).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T19:43:38Z","date_published":"2026-05-01T19:43:38Z","id":"/briefs/2024-11-aws-discovery-api-calls/","summary":"This rule detects when a single AWS identity executes more than five unique discovery-related API calls (Describe*, List*, Get*, or Generate*) within a 10-second window using the AWS CLI, potentially indicating reconnaissance activity following credential compromise or compromised EC2 instance access.","title":"AWS Discovery API Calls via CLI from a Single Resource","url":"https://feed.craftedsignal.io/briefs/2024-11-aws-discovery-api-calls/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","sts","discovery"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe AWS Security Token Service (STS) GetCallerIdentity API allows a user to retrieve information 
about the IAM user or role associated with the credentials being used. While a legitimate user should already know the account they are operating in, an attacker with compromised credentials may use this API to verify the validity of the credentials and enumerate account details. This activity, especially when observed for the first time from a particular user identity, can indicate malicious reconnaissance. This detection focuses on identifying the initial use of the GetCallerIdentity API, excluding instances where an assumed role is involved due to the common practice of using GetCallerIdentity after assuming a role. This event is flagged as anomalous, potentially signaling unauthorized access or credential misuse within an AWS environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to AWS credentials, either through phishing, credential stuffing, or compromised systems.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to authenticate to the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e API call to identify the associated AWS account ID, IAM user, or role.\u003c/li\u003e\n\u003cli\u003eThe AWS STS service processes the request and returns the identity information to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the returned identity information to understand the scope and privileges of the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to perform further reconnaissance activities, such as identifying accessible resources and services.\u003c/li\u003e\n\u003cli\u003eBased on the discovered information, the attacker may attempt to escalate privileges or move laterally within the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe final objective could include data exfiltration, deployment 
of malicious workloads, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and undetected reconnaissance can lead to significant damage, including unauthorized access to sensitive data, compromised workloads, and disruption of critical services. The impact can range from data breaches and financial losses to reputational damage and regulatory fines. Depending on the scope of the compromised credentials, the attacker may be able to access and control a large portion of the AWS environment. In the event of a breach, the organization may incur costs related to incident response, data recovery, and legal settlements.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS STS GetCallerIdentity API Called for the First Time by New Identity\u0026rdquo; to your SIEM and tune for your environment to detect anomalous usage of the GetCallerIdentity API.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the source IP address, user agent, and the user identity associated with the API call.\u003c/li\u003e\n\u003cli\u003eReview IAM permission policies for the user identity associated with the GetCallerIdentity API call to ensure the least privilege principle is followed.\u003c/li\u003e\n\u003cli\u003eEnable AWS CloudTrail logging for all AWS regions in your account to ensure comprehensive event logging, as required by the detection rule.\u003c/li\u003e\n\u003cli\u003eConsider adding exceptions based on \u003ccode\u003euser.id\u003c/code\u003e or \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e values for automation workflows that legitimately rely on the GetCallerIdentity API, as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all IAM users to mitigate the risk of 
credential compromise, as suggested in the documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T16:48:32Z","date_published":"2026-04-10T16:48:32Z","id":"/briefs/2024-10-aws-sts-getcalleridentity/","summary":"An adversary with access to compromised AWS credentials may attempt to verify their validity and determine the account they are using by calling the STS GetCallerIdentity API, potentially indicating credential compromise and unauthorized discovery activity.","title":"AWS STS GetCallerIdentity API Called for the First Time","url":"https://feed.craftedsignal.io/briefs/2024-10-aws-sts-getcalleridentity/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["kubernetes","enumeration","discovery"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies potential endpoint enumeration attempts within a Kubernetes environment. An attacker, or a compromised account, may attempt to map accessible resources within the Kubernetes cluster by issuing a burst of API calls across multiple endpoints from a single user and source IP address. This is achieved through a combination of both successful and failed API requests.  The behavior is not typical of normal Kubernetes cluster operation. Attackers leverage this reconnaissance to identify high-value targets like secrets, pods, or nodes before attempting privilege escalation or lateral movement. 
The rule specifically looks for unusual patterns in Kubernetes audit logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Kubernetes cluster, potentially through compromised credentials or a vulnerable application.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ekubectl\u003c/code\u003e or a similar tool to send a series of API requests.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to enumerate Kubernetes API endpoints using \u0026ldquo;get\u0026rdquo;, \u0026ldquo;list\u0026rdquo;, \u0026ldquo;watch\u0026rdquo;, \u0026ldquo;create\u0026rdquo;, \u0026ldquo;update\u0026rdquo;, and \u0026ldquo;patch\u0026rdquo; verbs.\u003c/li\u003e\n\u003cli\u003eThe requests target a variety of resources, including pods, services, deployments, secrets, and nodes.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the responses to identify endpoints and resources that are accessible with the current credentials. Successful and failed responses are both valuable for mapping permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies valuable targets, such as secrets or sensitive data stored in configmaps.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges by exploiting identified vulnerabilities or misconfigurations.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the cluster to gain access to other resources or workloads.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enumeration can lead to privilege escalation, lateral movement, and data exfiltration within the Kubernetes cluster. Attackers can identify and compromise sensitive resources such as secrets, configmaps, and pods. 
The number of affected systems and the scope of the impact depend on the extent of the attacker\u0026rsquo;s access and the sensitivity of the compromised resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Kubernetes audit logging to capture API server requests and responses, which is required for the provided rules and the original Elastic rule.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM to detect enumeration attempts and tune them based on your environment.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege by assigning appropriate RBAC roles to users and service accounts to limit potential enumeration damage.\u003c/li\u003e\n\u003cli\u003eMonitor Kubernetes audit logs for unusual API request patterns, specifically a high number of requests from a single user and IP address.\u003c/li\u003e\n\u003cli\u003eReview RBAC bindings for unexpected or overly broad access as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eSegment API access with network controls (private endpoint/VPN allowlists) as suggested in the response section of the overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-05T13:13:30Z","date_published":"2026-03-05T13:13:30Z","id":"/briefs/2024-01-26-kubernetes-enumeration/","summary":"A single user and source IP attempts to enumerate Kubernetes endpoints, issuing API requests across multiple endpoints to identify accessible resources for further exploitation.","title":"Kubernetes Endpoint Permission Enumeration","url":"https://feed.craftedsignal.io/briefs/2024-01-26-kubernetes-enumeration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory Web Service"],"_cs_severities":["medium"],"_cs_tags":["active-directory","enumeration","adws","discovery","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Active Directory Web 
Service (ADWS) facilitates querying Active Directory (AD) over a network, providing a web-based interface for directory services. Adversaries may exploit ADWS to enumerate network resources and user accounts, gaining insights into the environment. This attack involves loading Active Directory related modules and establishing network connections to the ADWS dedicated TCP port 9389. The goal is to gather information about the domain, user accounts, and permissions, which can be used for lateral movement, privilege escalation, and data exfiltration. Detection focuses on identifying suspicious processes loading \u003ccode\u003eSystem.DirectoryServices*.dll\u003c/code\u003e or \u003ccode\u003eSystem.IdentityModel*.dll\u003c/code\u003e and then connecting to the ADWS port.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised host within the target network.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a reconnaissance tool or script (e.g., PowerShell) on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe reconnaissance tool loads Active Directory related modules such as \u003ccode\u003eSystem.DirectoryServices*.dll\u003c/code\u003e and \u003ccode\u003eSystem.IdentityModel*.dll\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe reconnaissance tool attempts to establish a network connection to the ADWS service on TCP port 9389, the dedicated port for ADWS.\u003c/li\u003e\n\u003cli\u003eThe tool queries ADWS to retrieve information about domain users (T1087.002), groups (T1069.002), systems (T1018), and permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the gathered information to identify privileged accounts and potential targets for lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the discovered information to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges, and exfiltrates 
sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain detailed knowledge of the Active Directory environment. This information can be used to identify high-value targets, compromise privileged accounts, move laterally within the network, and ultimately achieve their objectives, which could include data theft, ransomware deployment, or disruption of services. The impact can range from data breaches to complete compromise of the Active Directory domain, depending on the attacker\u0026rsquo;s goals and the level of access they achieve.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential ADWS Enumeration via Suspicious Library Loading\u0026rdquo; to detect processes loading AD-related DLLs (e.g., \u003ccode\u003eSystem.DirectoryServices*.dll\u003c/code\u003e, \u003ccode\u003eSystem.IdentityModel*.dll\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential ADWS Enumeration via Network Connection\u0026rdquo; to monitor for network connections to destination port 9389 from unusual processes.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate administrative tools or scripts that load Active Directory-related modules and connect to the ADWS port as described in the \u0026ldquo;False positive analysis\u0026rdquo; section of the original rule documentation.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit access to the ADWS port (9389) to only trusted systems and users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-31T00:00:00Z","date_published":"2024-01-31T00:00:00Z","id":"/briefs/2024-01-adws-enumeration/","summary":"Adversaries may abuse the Active Directory Web Service (ADWS) to enumerate network resources and user accounts, by loading AD-related modules followed by a network 
connection to the ADWS dedicated TCP port.","title":"Potential Enumeration via Active Directory Web Service","url":"https://feed.craftedsignal.io/briefs/2024-01-adws-enumeration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["discovery","evasion","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly using obfuscated IP addresses (e.g., hexadecimal, octal, or other encoded representations) within download commands to bypass security measures that rely on simple IP address blacklisting or pattern matching. This technique makes it more difficult to identify malicious network connections based on simple string matching. The observed commands include \u003ccode\u003eInvoke-WebRequest\u003c/code\u003e, \u003ccode\u003eInvoke-RestMethod\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003eDownloadFile\u003c/code\u003e, and \u003ccode\u003eDownloadString\u003c/code\u003e. Defenders need to detect these obfuscated IPs to identify and block malicious download attempts. This technique has been observed across various attack campaigns and is a common tactic used to deliver malware while attempting to evade detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a command containing an obfuscated IP address. This may involve converting a standard IP address into its hexadecimal, octal, or decimal representation.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes a command-line tool such as \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, or PowerShell\u0026rsquo;s \u003ccode\u003eInvoke-WebRequest\u003c/code\u003e to initiate a download. 
The command includes the obfuscated IP within a URL.\u003c/li\u003e\n\u003cli\u003eThe command interpreter resolves the obfuscated IP address back to its standard format before initiating the network connection.\u003c/li\u003e\n\u003cli\u003eThe target host establishes a connection to the attacker\u0026rsquo;s server at the resolved IP address.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server delivers a malicious payload, such as a script, executable, or document containing macros.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is executed on the target system, potentially leading to further compromise, such as privilege escalation or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the download and execution of malware, potentially compromising the targeted system. This can result in data breaches, system disruption, or financial loss. The use of obfuscation techniques makes it more difficult to detect and prevent these attacks, increasing the risk of successful compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Obfuscated IP Download Activity\u0026rdquo; to your SIEM to detect the use of obfuscated IP addresses in download commands. 
Tune the rule for your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any process creation events that match the Sigma rule, paying close attention to the command-line arguments.\u003c/li\u003e\n\u003cli\u003eConsider implementing additional network-based detection mechanisms to identify connections to suspicious IP addresses, even if they are obfuscated.\u003c/li\u003e\n\u003cli\u003eMonitor process creation logs (Sysmon) for processes executing download commands like \u003ccode\u003eInvoke-WebRequest\u003c/code\u003e, \u003ccode\u003eInvoke-RestMethod\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003eDownloadFile\u003c/code\u003e, and \u003ccode\u003eDownloadString\u003c/code\u003e with suspicious arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-27T18:29:00Z","date_published":"2024-01-27T18:29:00Z","id":"/briefs/2024-01-obfuscated-ip-download/","summary":"This brief details the use of obfuscated IP addresses within download commands, often employed to evade detection by hiding the true destination of malicious downloads.","title":"Detection of Obfuscated IP Address Usage in Download Commands","url":"https://feed.craftedsignal.io/briefs/2024-01-obfuscated-ip-download/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["discovery","windows","group_policy"],"_cs_type":"advisory","_cs_vendors":["Microsoft","CrowdStrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eAttackers may leverage the \u003ccode\u003egpresult.exe\u003c/code\u003e utility, a built-in Windows tool, to gather information about Group Policy Objects (GPOs) within an Active Directory environment. 
This reconnaissance activity allows adversaries to understand the existing security policies, identify potential misconfigurations, and discover pathways for privilege escalation or lateral movement. The rule focuses on detecting the execution of \u003ccode\u003egpresult.exe\u003c/code\u003e with specific command-line arguments (\u003ccode\u003e/z\u003c/code\u003e, \u003ccode\u003e/v\u003c/code\u003e, \u003ccode\u003e/r\u003c/code\u003e, \u003ccode\u003e/x\u003c/code\u003e) commonly associated with malicious reconnaissance. This behavior is typically observed after an initial compromise, where the attacker is attempting to map out the network and identify valuable targets. This activity matters for defenders as it provides an early indicator of post-compromise activity and can help prevent further damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Windows system through methods such as phishing, exploiting vulnerabilities, or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003egpresult.exe\u003c/code\u003e from the command line or through a script.\u003c/li\u003e\n\u003cli\u003eThe attacker uses command-line arguments such as \u003ccode\u003e/z\u003c/code\u003e, \u003ccode\u003e/v\u003c/code\u003e, \u003ccode\u003e/r\u003c/code\u003e, or \u003ccode\u003e/x\u003c/code\u003e to request detailed information about Group Policy settings.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003egpresult.exe\u003c/code\u003e queries the Active Directory domain to retrieve GPO information applicable to the user or computer.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output of \u003ccode\u003egpresult.exe\u003c/code\u003e to identify security policies, user rights assignments, and other relevant configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies potential weaknesses in the GPO configuration, such as overly 
permissive user rights or insecure password policies.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to exploit identified weaknesses and escalate privileges or move laterally to other systems within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration, system compromise, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a comprehensive understanding of the target environment\u0026rsquo;s security posture, enabling attackers to identify and exploit weaknesses for privilege escalation and lateral movement. While the source does not specify a number of victims or sectors targeted, the impact of a successful attack can range from data breaches and financial losses to reputational damage and disruption of operations. The discovery of misconfigured group policies can open doors for attackers to compromise critical systems and data within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Group Policy Discovery via GPResult\u0026rdquo; to your SIEM to detect the execution of \u003ccode\u003egpresult.exe\u003c/code\u003e with suspicious parameters.\u003c/li\u003e\n\u003cli\u003eEnable Windows process creation logging to capture command-line arguments used with \u003ccode\u003egpresult.exe\u003c/code\u003e and other executables.\u003c/li\u003e\n\u003cli\u003eReview and harden Group Policy configurations to minimize the risk of exploitation by attackers.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u0026ldquo;Group Policy Discovery via GPResult\u0026rdquo; to determine the context and intent of the 
activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-gpresult-discovery/","summary":"Detects the execution of `gpresult.exe` with arguments `/z`, `/v`, `/r`, or `/x` on Windows systems, which attackers may use during reconnaissance to enumerate Group Policy Objects and identify opportunities for privilege escalation or lateral movement.","title":"Group Policy Discovery via Microsoft GPResult Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-gpresult-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows NT Domain"],"_cs_severities":["low"],"_cs_tags":["discovery","domain trust","lateral movement","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe \u003ccode\u003enltest.exe\u003c/code\u003e utility is a command-line tool used to manage and troubleshoot Windows NT domains. While legitimate domain administrators may use this utility for information gathering, adversaries can also abuse it to enumerate domain trusts and gain insight into trust relationships, which exposes the state of Domain Controller (DC) replication within a Windows NT Domain. This activity is more suspicious in environments with Windows Server 2012 and newer, where its usage is less common for legitimate purposes. 
Attackers can leverage this information to facilitate lateral movement and other malicious activities within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised host within the target environment.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enltest.exe\u003c/code\u003e with specific arguments such as \u003ccode\u003e/DOMAIN_TRUSTS\u003c/code\u003e, \u003ccode\u003e/DCLIST:*\u003c/code\u003e, \u003ccode\u003e/DCNAME:*\u003c/code\u003e, \u003ccode\u003e/DSGET*\u003c/code\u003e, \u003ccode\u003e/LSAQUERYFTI:*\u003c/code\u003e, \u003ccode\u003e/PARENTDOMAIN\u003c/code\u003e, or \u003ccode\u003e/BDC_QUERY:*\u003c/code\u003e to enumerate domain trusts.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enltest.exe\u003c/code\u003e utility queries the Active Directory to gather information about domain trusts, domain controllers, and other domain-related information.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output of \u003ccode\u003enltest.exe\u003c/code\u003e to identify trust relationships, domain controllers, and other relevant information about the domain infrastructure.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to map out potential lateral movement paths within the environment.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages discovered trust relationships to authenticate to other domains or resources.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems or domains, leveraging the discovered trust relationships and compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence and continues to perform malicious activities, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enumeration of domain trusts via 
\u003ccode\u003enltest.exe\u003c/code\u003e can provide attackers with valuable information to facilitate lateral movement and escalate privileges within a Windows NT Domain. This can lead to the compromise of sensitive data, disruption of critical services, and ultimately, a complete takeover of the affected environment. While the specific number of victims and sectors targeted are unknown, the impact can be significant for organizations relying on Active Directory for authentication and authorization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution for \u003ccode\u003enltest.exe\u003c/code\u003e with command-line arguments indicative of domain trust discovery, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003enltest.exe\u003c/code\u003e execution, especially when initiated by non-administrative users or from unusual locations, as identified by the Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the necessary process execution data for the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of \u003ccode\u003enltest.exe\u003c/code\u003e to authorized personnel only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-11T17:49:00Z","date_published":"2024-01-11T17:49:00Z","id":"/briefs/2024-01-nltest-domain-trust-discovery/","summary":"Adversaries may use the `nltest.exe` command-line utility to enumerate domain trusts and gain insight into trust relationships to facilitate lateral movement within a Microsoft Windows NT Domain.","title":"NLTEST.EXE Used for Domain Trust 
Discovery","url":"https://feed.craftedsignal.io/briefs/2024-01-nltest-domain-trust-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["discovery","powershell","share-enumeration","lateral-movement","ransomware"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts utilizing ShareFinder functions (Invoke-ShareFinder/Invoke-ShareFinderThreaded) or native Windows API calls for share enumeration. These techniques are commonly used by attackers to map accessible network shares within an environment. This reconnaissance is often a precursor to data collection, lateral movement, or the deployment of ransomware. The activity is detected via script block logging, and focuses on identifying specific function calls and API usage within the PowerShell script content. Defenders should be aware of this activity, particularly when performed by unexpected users or on unusual systems, as it may indicate malicious reconnaissance within the network. 
The references indicate that this activity can lead to corporate insurance policy exfiltration or Conti ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script, either directly or through a fileless execution method.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script utilizes ShareFinder functions (Invoke-ShareFinder, Invoke-ShareFinderThreaded) or Windows share enumeration APIs (NetShareEnum, NetApiBufferFree) to discover network shares.\u003c/li\u003e\n\u003cli\u003eThe script identifies accessible network shares by leveraging API calls and parsing the results for share names (shi1_netname) and remarks (shi1_remark).\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the identified shares to determine those that are accessible and contain valuable data.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt to access these shares using compromised credentials or exploiting existing vulnerabilities.\u003c/li\u003e\n\u003cli\u003eOnce access is gained, the attacker may collect sensitive data from the shares, move laterally to other systems, or deploy ransomware.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is data exfiltration, system compromise, or financial gain through ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this reconnaissance technique can lead to significant data breaches, lateral movement within the network, and potential ransomware deployment. Organizations that fail to detect and prevent share enumeration may suffer financial losses, reputational damage, and operational disruption. 
The referenced \u0026ldquo;Stolen Images\u0026rdquo; campaign led to Conti ransomware deployment, and the \u0026ldquo;Hunting for corporate insurance policies\u0026rdquo; post highlights data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell script block logging to capture the necessary events for detection (as referenced in the rule setup).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Share Enumeration Script via Invoke-ShareFinder\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Share Enumeration via NetShareEnum API\u0026rdquo; to detect share enumeration using native Windows APIs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the PowerShell launch context and the scope of the share discovery (see triage steps in the original rule).\u003c/li\u003e\n\u003cli\u003eReview and restrict PowerShell execution policies to prevent unauthorized script execution, especially from user-writable locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"/briefs/2024-01-09-powershell-share-enumeration/","summary":"Detection of PowerShell scripts employing ShareFinder functions or Windows share enumeration APIs to discover accessible network shares for reconnaissance, lateral movement, or ransomware deployment.","title":"PowerShell Share Enumeration via ShareFinder or Native APIs","url":"https://feed.craftedsignal.io/briefs/2024-01-09-powershell-share-enumeration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Windows Defender Advanced Threat Protection","SupportAssistAgent","Obkio Agent","SolarWinds 
Agent","SecuraAgent"],"_cs_severities":["low"],"_cs_tags":["discovery","privilege-escalation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Dell","Obkio","SolarWinds","Infraon Corp"],"content_html":"\u003cp\u003eThis detection rule identifies instances where the SYSTEM account is used to execute account discovery utilities, such as \u003ccode\u003ewhoami.exe\u003c/code\u003e and \u003ccode\u003enet1.exe\u003c/code\u003e. This behavior is commonly observed after an attacker has successfully achieved privilege escalation within a Windows environment, or after exploiting a web application. The rule is designed to detect post-exploitation discovery activity where an adversary attempts to gain situational awareness by enumerating accounts and system information using the elevated SYSTEM context. The rule leverages data from Elastic Defend and Sysmon Event ID 1 to identify these behaviors, helping defenders spot potential privilege escalation and lateral movement attempts. The original rule was created 2020/03/18 and updated 2026/05/04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, potentially through exploiting a vulnerability in a web application or through phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to the SYSTEM account, possibly by exploiting a local privilege escalation vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewhoami.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e via the SYSTEM account to enumerate user accounts and gather system information.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewhoami.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e process is spawned by a parent process such as a web server process (e.g., w3wp.exe) or a service process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the discovered account information to 
plan further actions, such as lateral movement or credential theft.\u003c/li\u003e\n\u003cli\u003eThe attacker may use \u003ccode\u003enet1.exe\u003c/code\u003e to query domain information.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the gained information to identify valuable targets within the network.\u003c/li\u003e\n\u003cli\u003eThe final objective is often data exfiltration, deployment of ransomware, or further compromise of the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data, lateral movement within the network, and potential data exfiltration or ransomware deployment. Although this rule has low severity, the execution of discovery commands by the SYSTEM account can be a critical indicator of compromise. Early detection of such activity can prevent more severe damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect account discovery commands executed via the SYSTEM account and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to ensure the necessary data is available for detection.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the process execution chain to identify the source of the SYSTEM account usage.\u003c/li\u003e\n\u003cli\u003eIf the process tree includes a web-application server process, investigate suspicious file creation or modification to assess for webshell backdoors.\u003c/li\u003e\n\u003cli\u003eReview and harden web application security to prevent initial access and privilege escalation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T14:00:00Z","date_published":"2024-01-09T14:00:00Z","id":"/briefs/2024-01-09-system-account-discovery/","summary":"The rule identifies when the SYSTEM 
account uses an account discovery utility, potentially indicating discovery activity after privilege escalation, focusing on utilities like whoami.exe and net1.exe executed under the SYSTEM account.","title":"Account Discovery Command via SYSTEM Account","url":"https://feed.craftedsignal.io/briefs/2024-01-09-system-account-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["execution","initial-access","defense-evasion","discovery"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAttackers are increasingly leveraging PDF reader applications as an initial access vector, exploiting vulnerabilities within these programs or using social engineering to trick users into opening malicious PDF documents. Upon successful exploitation, adversaries often spawn built-in Windows utilities from the compromised PDF reader process to perform reconnaissance, escalate privileges, or establish persistence. This activity is designed to blend in with normal system operations, making it difficult to detect without specific monitoring and detection rules. The targeted software commonly includes Adobe Acrobat, Adobe Reader, and Foxit Reader. 
Defenders should be vigilant for unexpected child processes of PDF readers, especially command-line interpreters and system administration tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user receives a malicious PDF document via phishing or other means.\u003c/li\u003e\n\u003cli\u003eThe user opens the PDF document using a vulnerable PDF reader application (e.g., Adobe Acrobat, Foxit Reader).\u003c/li\u003e\n\u003cli\u003eThe PDF document exploits a vulnerability or uses a malicious script to execute an arbitrary command.\u003c/li\u003e\n\u003cli\u003eThe PDF reader application spawns a command-line interpreter (e.g., cmd.exe, powershell.exe) or a system administration tool (e.g., reg.exe, net.exe).\u003c/li\u003e\n\u003cli\u003eThe spawned process executes commands to gather system information (e.g., ipconfig.exe, systeminfo.exe, whoami.exe).\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to discover network configuration, user accounts, or running processes.\u003c/li\u003e\n\u003cli\u003eThe attacker could leverage the spawned process to download and execute further payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the system and can proceed with lateral movement, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of PDF reader applications can lead to initial access, privilege escalation, and further compromise of the affected system. While individual incidents may have a low risk score, widespread exploitation can lead to significant data breaches, system downtime, and reputational damage. 
The use of legitimate system utilities for malicious purposes can make detection challenging, allowing attackers to operate undetected for extended periods.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture the execution of suspicious child processes (Sysmon Event ID 1, Windows Security Event Logs).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious PDF Reader Child Process\u0026rdquo; to your SIEM and tune for your environment to detect the execution of suspicious processes spawned by PDF reader applications.\u003c/li\u003e\n\u003cli\u003eMonitor for network connections originating from PDF reader applications to unusual or external IP addresses.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or unknown executables.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T18:45:00Z","date_published":"2024-01-04T18:45:00Z","id":"/briefs/2024-01-suspicious-pdf-child-process/","summary":"Adversaries may exploit PDF reader applications to execute arbitrary commands and establish a foothold within a system, often launching built-in utilities for reconnaissance and privilege escalation.","title":"Suspicious PDF Reader Child Process Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-pdf-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","Windows"],"_cs_severities":["low"],"_cs_tags":["discovery","account-discovery","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","Elastic"],"content_html":"\u003cp\u003eAttackers often perform reconnaissance activities within a compromised environment to understand the available resources and potential targets. 
This reconnaissance helps them plan subsequent actions, such as privilege escalation and lateral movement. This activity involves using built-in Windows utilities like \u003ccode\u003enet.exe\u003c/code\u003e and \u003ccode\u003ewmic.exe\u003c/code\u003e to enumerate administrator-related user accounts and groups. This information can reveal potential targets for credential compromise or other post-exploitation activities. Lower privileged accounts commonly perform this enumeration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enet.exe\u003c/code\u003e with arguments to list users and groups.\u003c/li\u003e\n\u003cli\u003eThe attacker filters the output for administrator-related keywords like \u0026ldquo;admin\u0026rdquo;, \u0026ldquo;Domain Admins\u0026rdquo;, \u0026ldquo;Enterprise Admins\u0026rdquo;, \u0026ldquo;Remote Desktop Users\u0026rdquo;, or \u0026ldquo;Organization Management\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker executes \u003ccode\u003ewmic.exe\u003c/code\u003e to query user accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output from \u003ccode\u003ewmic.exe\u003c/code\u003e to identify administrator accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies privileged accounts to target for credential theft or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the identified accounts to perform lateral movement or access sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enumeration of administrator accounts allows an attacker to identify high-value targets within the environment. This can lead to credential theft, privilege escalation, lateral movement, and ultimately, unauthorized access to sensitive data or systems. 
While the risk score is low, this activity serves as a precursor to more serious compromises.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003enet.exe\u003c/code\u003e and \u003ccode\u003ewmic.exe\u003c/code\u003e commands with arguments related to user and group enumeration using the Sigma rules provided.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of lower-privileged accounts executing these commands and filter out authorized administrative accounts performing the same actions.\u003c/li\u003e\n\u003cli\u003eEnable Windows process creation logging to capture the necessary events.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:14:00Z","date_published":"2024-01-03T17:14:00Z","id":"/briefs/2024-01-admin-recon/","summary":"Adversaries may execute the `net.exe` or `wmic.exe` commands to enumerate administrator accounts or groups, both locally and within the domain, to gather information for follow-on actions.","title":"Windows Account Discovery of Administrator Accounts","url":"https://feed.craftedsignal.io/briefs/2024-01-admin-recon/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["enumeration","wmi","discovery","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers can leverage the Windows Management Instrumentation (WMI) to execute commands for reconnaissance and enumeration within a compromised system. This involves spawning native Windows tools via the WMI Provider Service (WMIPrvSE). 
This activity is often used to gather system and network information in a stealthy manner, which could be part of a larger attack, such as lateral movement or privilege escalation. This behavior matters because it allows adversaries to gather information about the target environment without using easily detectable methods, potentially leading to further compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses WMI to execute a reconnaissance command.\u003c/li\u003e\n\u003cli\u003eWMIPrvSE.exe is invoked to execute the attacker\u0026rsquo;s specified command.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands such as \u003ccode\u003eipconfig.exe\u003c/code\u003e, \u003ccode\u003enet.exe\u003c/code\u003e, or \u003ccode\u003esysteminfo.exe\u003c/code\u003e via WMIPrvSE.exe to gather network configuration details, user information, and system information.\u003c/li\u003e\n\u003cli\u003eThe enumerated information is collected and potentially exfiltrated to a command and control server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to identify further targets within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems using stolen credentials or exploited vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of enumeration commands via WMIPrvSE allows attackers to gather sensitive information about the system and network environment. 
This information can be used to facilitate lateral movement, privilege escalation, and data theft, potentially leading to significant financial loss, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the execution of enumeration commands (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Enumeration Command Spawned via WMIPrvSE\u0026rdquo; to your SIEM to detect suspicious WMIPrvSE activity (Sigma rule).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of WMIPrvSE spawning common enumeration tools such as \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003eipconfig.exe\u003c/code\u003e, or \u003ccode\u003esysteminfo.exe\u003c/code\u003e (Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the scope of potential lateral movement following successful enumeration (Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-wmiprvse-enumeration/","summary":"This rule detects suspicious execution of system enumeration commands by the Windows Management Instrumentation Provider Service (WMIPrvSE), indicating potential reconnaissance or malicious activity on Windows systems.","title":"Suspicious Enumeration Commands Spawned via WMIPrvSE","url":"https://feed.craftedsignal.io/briefs/2024-01-wmiprvse-enumeration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS CloudTrail","EKS IAM Roles for Service Accounts"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","kubernetes","lateral-movement","credential-access","discovery"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis detection rule identifies lateral movement in AWS environments stemming from Kubernetes service accounts 
utilizing \u003ccode\u003eAssumeRoleWithWebIdentity\u003c/code\u003e. It focuses on detecting instances where credentials obtained via this method are subsequently used to perform several distinct AWS control-plane actions within a single session. This behavior deviates from typical pod traffic and could signify unauthorized access or privilege escalation. The rule prioritizes the detection of sensitive API usage, including reconnaissance activities, access to secrets, IAM modifications, and compute creation events, while strategically excluding high-volume S3 data-plane operations to minimize false positives. The targeted environments are those leveraging EKS IAM Roles for Service Accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA Kubernetes service account projects a token.\u003c/li\u003e\n\u003cli\u003eThe service account uses \u003ccode\u003eAssumeRoleWithWebIdentity\u003c/code\u003e to exchange the token for short-lived IAM credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the assumed role to perform reconnaissance activities such as \u003ccode\u003eListUsers\u003c/code\u003e, \u003ccode\u003eListRoles\u003c/code\u003e, and \u003ccode\u003eDescribeInstances\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to access secrets using actions like \u003ccode\u003eGetSecretValue\u003c/code\u003e and \u003ccode\u003eListSecrets\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges by modifying IAM policies with actions like \u003ccode\u003eAttachRolePolicy\u003c/code\u003e and \u003ccode\u003ePutRolePolicy\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to create new users or roles within the AWS environment using actions like \u003ccode\u003eCreateUser\u003c/code\u003e and \u003ccode\u003eCreateRole\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement using actions like 
\u003ccode\u003eSendCommand\u003c/code\u003e and \u003ccode\u003eStartSession\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to evade detection by stopping logging with the \u003ccode\u003eStopLogging\u003c/code\u003e action.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, privilege escalation, and the potential compromise of the entire AWS environment. Lateral movement within the AWS infrastructure allows attackers to gain access to critical systems and data, potentially leading to data breaches, service disruptions, or other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect potentially malicious activity related to \u003ccode\u003eAssumeRoleWithWebIdentity\u003c/code\u003e and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview and harden IAM role trust policies associated with Kubernetes service accounts, specifically focusing on OIDC trust conditions, as referenced in the \u003ca href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html\"\u003eIAM OIDC identity provider\u003c/a\u003e documentation.\u003c/li\u003e\n\u003cli\u003eImplement strict least privilege principles for Kubernetes service accounts, limiting their access to only the necessary AWS resources, as covered in \u003ca href=\"https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html\"\u003eEKS IAM roles for service accounts\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for \u003ccode\u003eAssumeRoleWithWebIdentity\u003c/code\u003e events followed by suspicious API calls, focusing on the actions listed in the Sigma rule detection 
patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-aws-k8s-lateral-movement/","summary":"This rule detects lateral movement in AWS environments originating from Kubernetes service accounts by identifying instances where credentials obtained for a service account are used for multiple distinct AWS control-plane actions, potentially indicating unauthorized access.","title":"AWS Lateral Movement from Kubernetes Service Account via AssumeRoleWithWebIdentity","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-k8s-lateral-movement/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["msiexec","discovery","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis detection focuses on identifying suspicious behavior where \u003ccode\u003emsiexec.exe\u003c/code\u003e, a legitimate Windows utility for installing, uninstalling, and configuring software, is used to spawn multiple discovery commands. This activity is often associated with attackers attempting to gather system information, enumerate the network, and identify potential targets for lateral movement. The technique is typically observed post-compromise, after initial access has been achieved through other means. This behavior matters to defenders as it is a key indicator of malicious activity and potential privilege escalation or data exfiltration attempts. 
The detection leverages Endpoint Detection and Response (EDR) data, specifically process creation events, to identify instances where \u003ccode\u003emsiexec.exe\u003c/code\u003e is the parent process of common discovery tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through a vulnerability, phishing, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages \u003ccode\u003emsiexec.exe\u003c/code\u003e to execute discovery commands.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emsiexec.exe\u003c/code\u003e spawns processes such as \u003ccode\u003eipconfig.exe\u003c/code\u003e, \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003esysteminfo.exe\u003c/code\u003e, or \u003ccode\u003ewmic.exe\u003c/code\u003e to gather network configuration, user information, and system details.\u003c/li\u003e\n\u003cli\u003eThe attacker uses commands within \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e to execute the discovery commands. For example, \u003ccode\u003ecmd.exe /c ipconfig /all\u003c/code\u003e or \u003ccode\u003epowershell.exe Get-NetIPConfiguration\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker filters the output of these commands to identify valuable information such as domain names, user accounts, and system architecture.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to identify potential targets for lateral movement and privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems using stolen credentials or exploits.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can lead to a comprehensive understanding of the compromised environment. 
Attackers can leverage gathered information to escalate privileges, move laterally to other systems, and ultimately exfiltrate sensitive data or deploy ransomware. The impact could range from a single compromised workstation to a complete network breach, depending on the scope of the attacker\u0026rsquo;s activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process monitoring and command-line logging on all endpoints to capture the necessary data for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMSIExec Spawning Discovery Commands\u003c/code\u003e to your SIEM and tune it to your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003emsiexec.exe\u003c/code\u003e spawning multiple discovery commands, as this behavior is unusual in normal system operations.\u003c/li\u003e\n\u003cli\u003eImplement least privilege principles to limit the impact of compromised accounts and prevent lateral movement.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-msiexec-discovery/","summary":"Detection of msiexec.exe spawning discovery commands indicating potential reconnaissance activity by attackers for system information gathering and lateral movement.","title":"MSIExec Spawning Discovery Commands","url":"https://feed.craftedsignal.io/briefs/2024-01-msiexec-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["kubernetes","discovery","reconnaissance"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAfter gaining initial access to a Kubernetes cluster, adversaries often conduct reconnaissance to understand the environment before further actions like exfiltration or privilege escalation. 
This involves mapping the cluster\u0026rsquo;s structure, identifying workloads, and understanding role-based access control (RBAC) configurations. This reconnaissance is achieved by rapidly querying various API resources, including namespaces, pods, roles, ClusterRoles, ConfigMaps, and ServiceAccounts. The activity is characterized by a burst of \u003ccode\u003eget\u003c/code\u003e and \u003ccode\u003elist\u003c/code\u003e requests across multiple resource types within a short timeframe, which is atypical for normal cluster operations and may indicate malicious probing or permission reconnaissance. This detection focuses on identifying such cross-resource bursts from a single client to distinguish reconnaissance activities from routine automation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Kubernetes cluster using compromised credentials or by exploiting a vulnerability. (T1190, T1566)\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Kubernetes API server using the compromised credentials or a valid service account token.\u003c/li\u003e\n\u003cli\u003eThe attacker begins enumerating namespaces to understand the logical divisions within the cluster using \u003ccode\u003ekubectl get namespaces\u003c/code\u003e or equivalent API calls. (T1068)\u003c/li\u003e\n\u003cli\u003eThe attacker queries pods within the discovered namespaces to identify running workloads and potential targets. (T1068)\u003c/li\u003e\n\u003cli\u003eThe attacker lists roles and cluster roles to understand the existing RBAC configurations and identify potential privilege escalation opportunities. 
(T1069)\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves service accounts to identify applications and their associated permissions, potentially discovering more attack vectors.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the collected information to identify vulnerable services, misconfigured permissions, or sensitive data.\u003c/li\u003e\n\u003cli\u003eBased on the reconnaissance, the attacker proceeds with lateral movement, privilege escalation, data exfiltration, or other malicious objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful reconnaissance allows attackers to gain a comprehensive understanding of the Kubernetes environment, facilitating further malicious activities such as lateral movement, privilege escalation, and data exfiltration. This can lead to the compromise of sensitive data, disruption of services, and unauthorized access to critical resources. The impact is magnified in clusters with weak RBAC policies or exposed sensitive information.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Kubernetes Multi-Resource Discovery\u0026rdquo; to your SIEM and tune for your environment to detect reconnaissance activities.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule by pivoting on \u003ccode\u003euser.name\u003c/code\u003e, \u003ccode\u003esource.ip\u003c/code\u003e, and \u003ccode\u003euser_agent.original\u003c/code\u003e to determine the sequence of API calls.\u003c/li\u003e\n\u003cli\u003eCorrelate the identified activity with RBAC configurations to identify potential violations of the principle of least privilege as described in the rule\u0026rsquo;s Triage and Analysis section.\u003c/li\u003e\n\u003cli\u003eBaseline automation by allowlisting known service accounts or source networks that legitimately span multiple resource types in a short 
window, as described in the rule\u0026rsquo;s False Positive Analysis section.\u003c/li\u003e\n\u003cli\u003eReview and tighten RBAC configurations to minimize the impact of compromised credentials as described in the Response and Remediation section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:22:00Z","date_published":"2024-01-03T14:22:00Z","id":"/briefs/2024-01-kubernetes-multi-resource-discovery/","summary":"Adversaries may perform reconnaissance in a Kubernetes environment by rapidly querying multiple resource types to map the environment and identify potential privilege escalation paths.","title":"Kubernetes Multi-Resource Discovery Reconnaissance","url":"https://feed.craftedsignal.io/briefs/2024-01-kubernetes-multi-resource-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["discovery","windows","netsh","firewall"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis detection focuses on identifying instances where the \u003ccode\u003enetsh.exe\u003c/code\u003e utility is used to query firewall configurations on a Windows system. While \u003ccode\u003enetsh.exe\u003c/code\u003e is a legitimate tool for network configuration, adversaries can leverage it to gather information about firewall rules and settings. This information can then be used to plan further attacks, such as bypassing firewall restrictions or identifying vulnerable network services. This activity is typically seen during the reconnaissance phase of an attack. 
The scope of this detection covers any Windows environment where Endpoint Detection and Response (EDR) logs are available.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised system through various means, such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e with specific commands to enumerate firewall rules and configurations (e.g., \u003ccode\u003enetsh firewall show state\u003c/code\u003e, \u003ccode\u003enetsh firewall show config\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enetsh.exe\u003c/code\u003e process retrieves the requested firewall information from the Windows operating system.\u003c/li\u003e\n\u003cli\u003eThe collected firewall information is parsed to identify potential weaknesses or misconfigurations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to modify existing firewall rules or create new rules to allow unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the modified firewall configuration to establish a covert communication channel or to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to exfiltrate sensitive data or deploy ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized network access, data exfiltration, or the deployment of ransomware. The enumeration of firewall configurations can provide attackers with valuable insights into the network\u0026rsquo;s security posture, enabling them to bypass security controls and compromise critical assets. 
This can result in significant financial losses, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Netsh Firewall Discovery\u003c/code\u003e to your SIEM and tune for your environment to detect netsh.exe executions with firewall discovery commands.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging (Event ID 1) to capture the necessary command-line details.\u003c/li\u003e\n\u003cli\u003eInvestigate any identified instances of \u003ccode\u003enetsh.exe\u003c/code\u003e being used to query firewall settings, especially when initiated from unusual processes or user accounts.\u003c/li\u003e\n\u003cli\u003eMonitor parent-child process relationships to identify suspicious process spawning, as highlighted by the \u003ccode\u003eProcesses.parent_process_name\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eReview firewall configurations regularly to identify and remediate any misconfigurations or overly permissive rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-netsh-firewall-discovery/","summary":"The analytic detects the execution of the Windows built-in tool netsh.exe to display the state, configuration, and profile of the host firewall, potentially leading to unauthorized network access or data exfiltration.","title":"Windows Netsh Tool Used for Firewall Discovery","url":"https://feed.craftedsignal.io/briefs/2024-01-netsh-firewall-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Monitoring Agent","Cohesity Windows Agent"],"_cs_severities":["low"],"_cs_tags":["discovery","windows","threat-detection"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cohesity"],"content_html":"\u003cp\u003eThe \u003ccode\u003ewhoami\u003c/code\u003e 
utility is commonly used by attackers post-compromise to gather information about the current user and their privileges on a compromised system. This information helps attackers assess their level of access and plan further actions within the environment, such as privilege escalation or lateral movement. This activity is most concerning when executed by SYSTEM accounts or from unusual parent processes. This detection identifies unusual or suspicious executions of \u003ccode\u003ewhoami.exe\u003c/code\u003e, especially when associated with system privileges or specific parent processes known to be abused by attackers. The rule is designed to function across various Windows environments and considers potential false positives from legitimate administrative tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the Windows system through an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (Optional): The attacker may attempt to elevate privileges to a higher level, potentially SYSTEM.\u003c/li\u003e\n\u003cli\u003eDiscovery: The attacker executes \u003ccode\u003ewhoami.exe\u003c/code\u003e to determine the current user and their privileges.\u003c/li\u003e\n\u003cli\u003eInformation Gathering: The attacker analyzes the output of \u003ccode\u003ewhoami.exe\u003c/code\u003e to understand the context of the compromised system.\u003c/li\u003e\n\u003cli\u003eLateral Movement (Conditional): Based on the information gathered, the attacker may attempt to move laterally to other systems.\u003c/li\u003e\n\u003cli\u003eFurther Exploitation: The attacker leverages the gathered information to further exploit the compromised system or network.\u003c/li\u003e\n\u003cli\u003ePersistence (Optional): The attacker may establish persistence to maintain access to the compromised system.\u003c/li\u003e\n\u003cli\u003eObjective Completion: The 
attacker achieves their final objective, such as data exfiltration or system disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and reconnaissance can allow attackers to gain a deeper understanding of a compromised system. This may lead to further exploitation, lateral movement, and ultimately, the exfiltration of sensitive data or the disruption of critical services. While the \u003ccode\u003ewhoami\u003c/code\u003e command itself is not inherently malicious, its suspicious usage often indicates malicious activity within a compromised environment. The severity is low because the execution of whoami by itself is not enough to confirm malicious activity, and further investigation is needed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to detect \u003ccode\u003ewhoami.exe\u003c/code\u003e executions (reference: logs-endpoint.events.process-*, logs-system.security*, logs-windows.forwarded*, logs-windows.sysmon_operational-*).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Whoami Process Activity\u0026rdquo; to your SIEM and tune for your environment (reference: rule).\u003c/li\u003e\n\u003cli\u003eInvestigate parent processes of \u003ccode\u003ewhoami.exe\u003c/code\u003e for any suspicious or unusual activity (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eMonitor for other discovery commands executed around the same time as \u003ccode\u003ewhoami.exe\u003c/code\u003e (reference: Related rules).\u003c/li\u003e\n\u003cli\u003eReview and tune the false positives outlined in the rule to minimize noise (reference: false_positives).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-whoami-discovery/","summary":"This rule detects suspicious use of whoami.exe 
to display user, group, and privileges information for the user who is currently logged on to the local system, potentially indicating post-compromise discovery activity.","title":"Suspicious Whoami Process Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-whoami-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Office","Microsoft Word","Microsoft Excel","Microsoft PowerPoint","Outlook"],"_cs_severities":["medium"],"_cs_tags":["initial-access","defense-evasion","execution","discovery","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies suspicious child processes spawned by Microsoft Office applications (Word, PowerPoint, Excel, Outlook), which are commonly targeted for initial access via malicious documents or macro exploitation. The rule focuses on identifying anomalous process executions originating from these applications, a tactic often employed to execute arbitrary code or download additional payloads. Attackers leverage Office applications due to their widespread use and inherent scripting capabilities. Successful exploitation can lead to arbitrary code execution, lateral movement, and data exfiltration. This detection helps defenders identify and respond to potential security breaches originating from Microsoft Office applications, reducing the attack surface and minimizing potential damage. 
The rule specifically looks for processes like \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, and others being spawned by Office applications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user receives a malicious Microsoft Office document (e.g., Word, Excel) via email or downloads it from a compromised website.\u003c/li\u003e\n\u003cli\u003eThe user opens the document, triggering the execution of a malicious macro or exploitation of a vulnerability within the Office application.\u003c/li\u003e\n\u003cli\u003eThe Office application (e.g., \u003ccode\u003ewinword.exe\u003c/code\u003e, \u003ccode\u003eexcel.exe\u003c/code\u003e) spawns a suspicious child process such as \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe spawned process executes a command to download a malicious payload from a remote server using \u003ccode\u003ebitsadmin.exe\u003c/code\u003e or \u003ccode\u003ecertutil.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is a reverse shell or a malware dropper, which establishes a connection to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the compromised system and attempts to escalate privileges and perform reconnaissance.\u003c/li\u003e\n\u003cli\u003eThe attacker uses discovery commands with \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003eipconfig.exe\u003c/code\u003e, \u003ccode\u003etasklist.exe\u003c/code\u003e, and \u003ccode\u003ewhoami.exe\u003c/code\u003e to map the environment and identify valuable targets.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems within the network, aiming to compromise critical assets and achieve their objectives, such as data theft 
or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to gain initial access to the compromised system. This can result in data theft, installation of malware, lateral movement to other systems, and ultimately, significant disruption to business operations. The widespread use of Microsoft Office makes it a prime target, potentially affecting a large number of users and organizations. Failure to detect and respond to these attacks can result in significant financial losses, reputational damage, and compromise of sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging (Sysmon Event ID 1 or Windows Security Event Logs) to ensure the visibility required to detect suspicious child processes.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious MS Office Child Process\u003c/code\u003e to your SIEM and tune the rule based on your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eSuspicious MS Office Child Process\u003c/code\u003e Sigma rule by examining the parent process tree and associated network connections.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized processes from Microsoft Office applications.\u003c/li\u003e\n\u003cli\u003eRegularly update Microsoft Office applications to patch known vulnerabilities.\u003c/li\u003e\n\u003cli\u003eBlock known malicious domains or IPs associated with malware delivery and command and control, based on threat intelligence feeds and IOCs from external 
sources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-suspicious-office-child-process/","summary":"Detects suspicious child processes of Microsoft Office applications, indicating potential exploitation or malicious macros for initial access, defense evasion, and execution.","title":"Suspicious MS Office Child Process","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-office-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["discovery","windows","privileged-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers often perform reconnaissance after compromising a system to plan their next steps. This includes enumerating network resources, users, connections, files, and installed security software. This activity allows attackers to identify high-value targets for lateral movement and credential theft. This detection identifies processes that are unusually enumerating the membership of privileged local groups on Windows systems, such as Administrators or Remote Desktop Users. It is based on Elastic detection rule \u0026ldquo;Enumeration of Privileged Local Groups Membership\u0026rdquo; (rule_id: \u0026ldquo;291a0de9-937a-4189-94c0-3e847c8b13e4\u0026rdquo;). The rule excludes common legitimate utilities to reduce false positives. 
The presence of such enumeration activity, especially by unknown or untrusted processes, should be investigated immediately to determine the scope and intent of the intrusion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a Windows host through an initial access vector like phishing or exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a reconnaissance command or script to gather information about the system.\u003c/li\u003e\n\u003cli\u003eThe command attempts to enumerate the members of privileged local groups, such as Administrators or Remote Desktop Users, using built-in Windows utilities or custom tools.\u003c/li\u003e\n\u003cli\u003eWindows Security Event Logs record the event of user-member enumeration with Event ID 4798 or similar events.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output of the enumeration command to identify potential targets for credential theft or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to move laterally to other systems or escalate privileges on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker compromises additional systems and continues to pursue their objectives, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enumeration of privileged local groups allows attackers to identify accounts with elevated privileges on the compromised system. This information is used to target those accounts for credential theft, enabling lateral movement and further compromise of the network. 
If successful, the attacker gains access to sensitive data, critical systems, or deploys ransomware, causing significant disruption and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Security Group Management to generate the necessary Windows Security Event Logs as described in the Elastic setup guide.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Enumeration of Privileged Local Groups Membership\u0026rdquo; to detect unusual processes enumerating group memberships based on \u003ccode\u003eCallerProcessName\u003c/code\u003e and \u003ccode\u003eTargetSid\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, prioritizing those involving unknown or untrusted processes.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for command-line arguments and tools commonly used for enumeration, such as \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003edsquery\u003c/code\u003e, or PowerShell scripts.\u003c/li\u003e\n\u003cli\u003eImplement least privilege principles to minimize the number of accounts with membership in privileged local groups.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-enumeration-privileged-local-groups/","summary":"An unusual process is enumerating built-in Windows privileged local groups membership, such as Administrators or Remote Desktop users, potentially revealing targets for credential compromise and post-exploitation activities.","title":"Enumeration of Privileged Local Groups Membership","url":"https://feed.craftedsignal.io/briefs/2024-01-enumeration-privileged-local-groups/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic 
Defend"],"_cs_severities":["low"],"_cs_tags":["active-directory","discovery","reconnaissance","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eADExplorer is an advanced Active Directory (AD) viewer and editor; it includes the ability to save snapshots of an AD database for offline viewing and comparisons. Adversaries may abuse this utility to perform domain reconnaissance and gather sensitive information about the AD structure, user accounts, and group memberships. The execution of ADExplorer is a potential indicator of malicious activity, especially when observed in environments where its use is not typical or when executed by unauthorized users. This activity can lead to further exploitation, such as privilege escalation and lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means (e.g., compromised credentials, phishing).\u003c/li\u003e\n\u003cli\u003eThe attacker downloads the ADExplorer utility (ADExplorer.exe) to the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker executes ADExplorer.exe to begin enumeration of the Active Directory environment.\u003c/li\u003e\n\u003cli\u003eADExplorer interacts with the Active Directory domain controllers, querying information about users, groups, computers, and organizational units.\u003c/li\u003e\n\u003cli\u003eThe attacker may use ADExplorer to save snapshots of the AD database for offline analysis.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the gathered information to identify privileged accounts, critical assets, and potential vulnerabilities within the AD environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the discovered information to plan further attacks, such as lateral movement or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of ADExplorer by malicious actors can lead to the discovery of sensitive information about the Active Directory environment. This information can be leveraged to facilitate lateral movement, privilege escalation, and data exfiltration. While the initial risk score is low, the reconnaissance activity enables follow-on attacks that can have severe consequences, potentially leading to full domain compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect ADExplorer Execution via Process Name\u003c/code\u003e to detect the execution of ADExplorer based on process name.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect ADExplorer Execution via Original File Name\u003c/code\u003e to detect the execution of ADExplorer based on the process\u0026rsquo;s original file name.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events on Windows endpoints for the execution of ADExplorer.exe or processes with an original file name of \u0026ldquo;AdExp\u0026rdquo; to detect potential reconnaissance activities.\u003c/li\u003e\n\u003cli\u003eInvestigate and validate any execution of ADExplorer by non-administrator accounts.\u003c/li\u003e\n\u003cli\u003eReview ADExplorer use and restrict its usage to authorized personnel.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-adexplorer-execution/","summary":"Detects the execution of ADExplorer, a tool used for Active Directory viewing and editing, which can be abused by adversaries for domain reconnaissance and creating offline snapshots of the AD database.","title":"Active Directory Discovery via ADExplorer 
Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-adexplorer-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["discovery","windows","fsutil"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers may leverage native operating system tools like \u003ccode\u003efsutil.exe\u003c/code\u003e to perform reconnaissance activities within a compromised environment. The \u003ccode\u003efsutil fsinfo drives\u003c/code\u003e command provides information about connected drives, including removable media, mapped network drives, and backup locations. Discovery of these devices can help adversaries identify valuable data stores for exfiltration or encryption as part of a broader attack campaign. This command can be run interactively or via automated scripts, making it a versatile tool for post-exploitation activities. 
Defenders should monitor for unusual execution of \u003ccode\u003efsutil\u003c/code\u003e with the \u003ccode\u003efsinfo drives\u003c/code\u003e arguments, particularly when executed by non-administrative users or from unusual locations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003efsutil.exe\u003c/code\u003e via command line or script.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efsutil\u003c/code\u003e command uses the \u003ccode\u003efsinfo\u003c/code\u003e subcommand.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efsinfo\u003c/code\u003e subcommand uses the \u003ccode\u003edrives\u003c/code\u003e argument to list connected drives.\u003c/li\u003e\n\u003cli\u003eThe system returns a list of attached drives and their types (e.g., local, network, removable).\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the output to identify potentially valuable targets.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to access identified drives.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys ransomware on the identified drives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful discovery of peripheral devices can lead to the identification of backup locations, mapped network drives, and removable media containing sensitive information. This information enables attackers to expand their reach within the compromised environment and increase the potential for data theft, encryption, or destruction. 
The low severity reflects the fact that this activity on its own is simply reconnaissance; the actual damage comes from subsequent actions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious execution of \u003ccode\u003efsutil.exe\u003c/code\u003e (see below).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture \u003ccode\u003efsutil\u003c/code\u003e executions (see setup instructions in the Overview).\u003c/li\u003e\n\u003cli\u003eInvestigate any process executions of \u003ccode\u003efsutil.exe\u003c/code\u003e where the parent process is unexpected or the user context is unusual (see Triage and Analysis).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-peripheral-device-discovery/","summary":"Adversaries may use the Windows file system utility, fsutil.exe, with the fsinfo drives command to enumerate attached peripheral devices and gain information about a compromised system.","title":"Windows Peripheral Device Discovery via fsutil","url":"https://feed.craftedsignal.io/briefs/2024-01-02-peripheral-device-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory"],"_cs_severities":["low"],"_cs_tags":["active_directory","ldap","discovery","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis rule identifies read access to a high number of Active Directory object attributes, which can help adversaries find vulnerabilities, elevate privileges, or collect sensitive information. The rule focuses on event code 4662, filtering for \u0026lsquo;Read Property\u0026rsquo; access where the number of properties accessed is greater than or equal to 2000. 
The rule is designed to detect potential reconnaissance activities within an Active Directory environment, providing security teams with insights into unusual access patterns that may indicate malicious intent. This detection logic helps security teams proactively identify and respond to potential threats targeting Active Directory environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system within the target network, possibly through compromised credentials or a phishing attack (not directly covered in the provided source).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised account to query Active Directory via LDAP.\u003c/li\u003e\n\u003cli\u003eThe attacker issues a series of LDAP queries, requesting a large number of attributes for various Active Directory objects, triggering event ID 4662.\u003c/li\u003e\n\u003cli\u003eThe event logs record the excessive number of read property accesses (winlog.event_data.Properties), exceeding the threshold of 2000.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the gathered information to identify potential targets, such as privileged accounts, sensitive data stores, or vulnerable systems.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to elevate privileges by exploiting identified vulnerabilities or misconfigurations within Active Directory.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the elevated privileges to access sensitive information or move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gather sensitive information about the Active Directory environment, identify potential vulnerabilities, elevate privileges, and move laterally within the network. 
This can lead to data breaches, system compromise, and significant disruption to business operations. The number of victims and sectors targeted depends on the scope and objectives of the attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Directory Service Access to generate the necessary events (event code 4662) as mentioned in the setup instructions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Access to LDAP Attributes\u0026rdquo; to your SIEM and tune the threshold (length(winlog.event_data.Properties) \u0026gt;= 2000) for your environment.\u003c/li\u003e\n\u003cli\u003eReview event logs for event code 4662, focusing on the \u003ccode\u003ewinlog.event_data.Properties\u003c/code\u003e field, to understand which attributes were accessed.\u003c/li\u003e\n\u003cli\u003eInvestigate the source machine from which the LDAP queries originated by examining the \u003ccode\u003ewinlog.event_data.SubjectUserSid\u003c/code\u003e field.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-suspicious-ldap-attributes/","summary":"The rule detects suspicious access to LDAP attributes in Active Directory by identifying read access to a high number of Active Directory object attributes, which can help adversaries find vulnerabilities, elevate privileges, or collect sensitive information.","title":"Suspicious Access to LDAP Attributes","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-ldap-attributes/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["kubernetes"],"_cs_severities":["high"],"_cs_tags":["kubernetes","credential-access","discovery","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies Kubernetes Secrets listing events originating from non-loopback clients. 
Attackers may attempt to enumerate Kubernetes Secrets to gain access to sensitive information such as credentials, API keys, and other confidential data stored within the cluster. The rule specifically focuses on requests targeting cluster-wide secrets or list operations under the \u003ccode\u003ekube-system\u003c/code\u003e or \u003ccode\u003edefault\u003c/code\u003e namespaces, which are often targeted due to their high concentration of sensitive information. This activity is indicative of potential credential access or discovery attempts within the Kubernetes environment. This rule helps defenders identify and respond to potential reconnaissance or lateral movement activities within their Kubernetes clusters.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a node within the Kubernetes cluster or a system with access to the Kubernetes API.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Kubernetes API server using compromised credentials or by exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003elist\u003c/code\u003e request targeting the \u003ccode\u003e/api/v1/secrets\u003c/code\u003e endpoint to enumerate all secrets in the cluster.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker targets secrets within the \u003ccode\u003ekube-system\u003c/code\u003e namespace using \u003ccode\u003e/api/v1/namespaces/kube-system/secrets\u003c/code\u003e or \u003ccode\u003edefault\u003c/code\u003e namespace using \u003ccode\u003e/api/v1/namespaces/default/secrets\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe API server responds with a list of secrets, potentially including sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the retrieved secrets to identify valuable credentials or configuration data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the acquired credentials to escalate 
privileges, move laterally within the cluster, or access external resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enumeration of Kubernetes secrets can lead to the compromise of sensitive credentials, allowing attackers to gain unauthorized access to critical systems and data. This can result in data breaches, service disruptions, and significant financial losses. The targeting of \u003ccode\u003ekube-system\u003c/code\u003e and \u003ccode\u003edefault\u003c/code\u003e namespaces poses a particularly high risk due to the presence of core system components and sensitive configurations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eKubernetes Secrets List in Sensitive Namespaces\u003c/code\u003e to your SIEM to detect suspicious secret enumeration activities based on \u003ccode\u003ekubernetes.audit.requestURI\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor Kubernetes audit logs (\u003ccode\u003elogs-kubernetes.audit_logs-*\u003c/code\u003e) for \u003ccode\u003elist\u003c/code\u003e operations on the \u003ccode\u003esecrets\u003c/code\u003e resource, specifically targeting \u003ccode\u003e/api/v1/secrets\u003c/code\u003e and sensitive namespaces.\u003c/li\u003e\n\u003cli\u003eImplement network policies to restrict access to the Kubernetes API server from untrusted networks.\u003c/li\u003e\n\u003cli\u003eReview and harden the security configuration of the \u003ccode\u003ekube-system\u003c/code\u003e and \u003ccode\u003edefault\u003c/code\u003e namespaces.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege for service accounts and user access to minimize the impact of credential compromise.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule and correlate with other security events to identify potential 
attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-kubernetes-secrets-enumeration/","summary":"Detection of Kubernetes Secrets listing from non-loopback clients targeting cluster-wide secrets or sensitive namespaces, potentially indicating unauthorized credential access or discovery.","title":"Kubernetes Secrets Enumeration from Non-Loopback Client","url":"https://feed.craftedsignal.io/briefs/2024-01-kubernetes-secrets-enumeration/"}],"language":"en","title":"CraftedSignal Threat Feed — Discovery","version":"https://jsonfeed.org/version/1.1"}