{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/endpoint-detection/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["command-and-control","execution","linux","endpoint-detection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief describes a pattern of suspicious activity on Linux systems consistent with the operation of Command and Control (C2) agents like Poseidon or Athena. These agents often operate from non-standard, writable directories such as \u003ccode\u003e/tmp\u003c/code\u003e, \u003ccode\u003e/dev/shm\u003c/code\u003e, or \u003ccode\u003e/var/log\u003c/code\u003e to evade detection. The observed behavior involves such a process first initiating an outbound network connection, typically polling a C2 framework like Mythic for commands or new payloads. This network communication is then rapidly followed by the creation of a new file by the same process, usually in another suspicious location on the system. This file creation event often indicates the agent receiving and staging further instructions or malicious components. Defenders should recognize this two-stage sequence as a strong indicator of post-compromise activity, potentially leading to data exfiltration, lateral movement, or further system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eC2 Agent Deployment\u003c/strong\u003e: An attacker successfully deploys a C2 agent (e.g., Poseidon, Athena) to a non-standard, writable location on a Linux host, such as \u003ccode\u003e/tmp\u003c/code\u003e, \u003ccode\u003e/dev/shm\u003c/code\u003e, \u003ccode\u003e/var/tmp\u003c/code\u003e, \u003ccode\u003e/var/log\u003c/code\u003e, \u003ccode\u003e/var/run/user\u003c/code\u003e, or \u003ccode\u003e/run/user\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOutbound C2 Connection\u003c/strong\u003e: The deployed C2 agent initiates an outbound network connection (e.g., HTTP/S web requests) to its C2 server, potentially part of a C2 framework like Mythic, to poll for new commands or payloads.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand Reception\u003c/strong\u003e: The C2 server responds to the agent's poll, sending commands, scripts, or additional malicious binaries back to the compromised host.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLocal File Creation\u003c/strong\u003e: The C2 agent creates a new file on the local filesystem, often in a similar suspicious writable directory, to store the received commands, scripts, or payloads.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand Execution\u003c/strong\u003e: The C2 agent proceeds to execute the newly created file or the commands received, leading to further actions on objectives such as data collection, privilege escalation, or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of such C2 agent activity can lead to a range of severe consequences. Attackers can maintain persistent access to the compromised Linux system, exfiltrate sensitive data, install additional malware, establish backdoors, or use the system as a launchpad for lateral movement within the network. Since this behavior is characteristic of established C2 frameworks, victims could face significant financial losses, reputational damage, and regulatory penalties depending on the type and sensitivity of compromised data. The lack of specifics in this detection means the full scope of impact can only be assessed upon incident response.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious network connections and file creations from writable directories.\u003c/li\u003e\n\u003cli\u003eEnsure comprehensive \u003ccode\u003enetwork_connection\u003c/code\u003e and \u003ccode\u003efile_event\u003c/code\u003e logging is enabled on all Linux endpoints to capture the necessary telemetry for these detections.\u003c/li\u003e\n\u003cli\u003eImplement correlation rules in your SIEM to link network connections from suspicious processes with subsequent file creations by the same process within a short timeframe, mimicking the original EQL rule's logic.\u003c/li\u003e\n\u003cli\u003eRegularly review processes executing from temporary or shared memory directories (\u003ccode\u003e/tmp\u003c/code\u003e, \u003ccode\u003e/dev/shm\u003c/code\u003e, \u003ccode\u003e/var/tmp\u003c/code\u003e) for anomalous network activity or file system modifications, as detected by the rules above.\u003c/li\u003e\n\u003cli\u003eInvestigate all alerts generated by the \u003ccode\u003eSuspicious Process Network Connection from Writable Path on Linux\u003c/code\u003e rule, especially those involving connections to external or unusual IP addresses.\u003c/li\u003e\n\u003cli\u003eAnalyze processes identified by the \u003ccode\u003eSuspicious File Creation by Process in Writable Path on Linux\u003c/code\u003e rule, focusing on the content of the created files and the parent process responsible.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T15:14:07Z","date_published":"2026-07-03T15:14:07Z","id":"https://feed.craftedsignal.io/briefs/2026-07-suspicious-linux-c2-activity/","summary":"This brief identifies suspicious Command and Control (C2) activity on Linux systems where a C2 agent, such as Poseidon or Athena, connects outbound from a sensitive temporary directory and subsequently creates a file in a similar location, indicative of receiving and executing commands from a C2 framework like Mythic.","title":"Suspicious Linux C2 Activity: Network Connection Followed by File Creation","url":"https://feed.craftedsignal.io/briefs/2026-07-suspicious-linux-c2-activity/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["credential-access","stealer","windows","endpoint-detection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThreat actors, often employing various Trojan Stealers such as SnakeKeylogger (mentioned in the source), frequently target web browser password stores and user profiles to extract sensitive information and credentials. This activity is a critical step in their data exfiltration strategy, enabling further compromise, financial fraud, or identity theft. The detection focuses on identifying processes that unexpectedly access browser user data directories on Windows systems. It specifically looks for instances where a process other than the legitimate browser application (e.g., \u003ccode\u003echrome.exe\u003c/code\u003e accessing Chrome's user data) attempts to read or modify these sensitive files, indicating potential malicious activity. The methodology involves monitoring Windows Security Event Log 4663 for object access attempts and comparing the accessing process against a predefined list of allowed browser applications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: The attacker gains initial access to the victim's system, commonly through phishing emails containing malicious attachments or links, or compromised websites leading to drive-by downloads.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution\u003c/strong\u003e: The malicious payload, such as SnakeKeylogger, is executed on the victim's machine, often disguised as a legitimate application or document.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery\u003c/strong\u003e: The malware identifies the presence of installed web browsers and their respective user data directories, which store credentials, cookies, and other sensitive information.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access\u003c/strong\u003e: The stealer malware initiates access to specific browser user data profiles and password stores (e.g., \u003ccode\u003eLogin Data\u003c/code\u003e or \u003ccode\u003ekey4.db\u003c/code\u003e files), attempting to read or decrypt stored credentials. This step often involves a non-browser process accessing these files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCollection\u003c/strong\u003e: Once accessed, the malware collects the harvested credentials, autofill data, cookies, and other valuable information from the browser's database files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration\u003c/strong\u003e: The collected sensitive data is then encrypted and exfiltrated to the attacker's command and control (C2) server over various channels, typically HTTP/HTTPS.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The exfiltrated credentials are used for unauthorized access to online accounts, financial fraud, further network compromise, or sale on underground forums.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation results in significant data compromise, including user credentials, financial information, and personal data stored within web browsers. This can lead to unauthorized access to corporate and personal accounts, financial fraud, and identity theft. While the source does not provide specific victim counts, stealer malware campaigns are widespread and impact individuals and organizations across all sectors globally. The exfiltration of credentials can serve as a stepping stone for further lateral movement within an organization's network, escalating the initial compromise to a full-scale breach.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious browser credential access attempts by unauthorized processes.\u003c/li\u003e\n\u003cli\u003eEnable Windows Security Event Log 4663 by configuring \u0026quot;Audit Object Access\u0026quot; for both \u0026quot;Success\u0026quot; and \u0026quot;Failure\u0026quot; events in Group Policy.\u003c/li\u003e\n\u003cli\u003eTune the \u003ccode\u003ebrowser_app_list\u003c/code\u003e lookup (or equivalent whitelist) within your detection system to accurately reflect legitimate browser applications and their expected access paths, reducing false positives.\u003c/li\u003e\n\u003cli\u003eImplement strong phishing awareness training for all users to reduce the likelihood of initial access by stealer malware.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T13:11:48Z","date_published":"2026-07-03T13:11:48Z","id":"https://feed.craftedsignal.io/briefs/2026-07-browser-credential-access/","summary":"This brief describes a detection for suspicious activity on Windows systems where an uncommon or unauthorized process attempts to access browser user data profiles, a common behavior observed in Trojan Stealers like SnakeKeylogger to harvest sensitive browser information and credentials for exfiltration.","title":"Windows Credential Access from Browser Password Store Detection","url":"https://feed.craftedsignal.io/briefs/2026-07-browser-credential-access/"}],"language":"en","title":"CraftedSignal Threat Feed - Endpoint-Detection","version":"https://jsonfeed.org/version/1.1"}