<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Endpoint-Detection - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/endpoint-detection/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 15:14:07 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/endpoint-detection/feed.xml" rel="self" type="application/rss+xml"/><item><title>Suspicious Linux C2 Activity: Network Connection Followed by File Creation</title><link>https://feed.craftedsignal.io/briefs/2026-07-suspicious-linux-c2-activity/</link><pubDate>Fri, 03 Jul 2026 15:14:07 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-suspicious-linux-c2-activity/</guid><description>This brief identifies suspicious Command and Control (C2) activity on Linux systems where a C2 agent, such as Poseidon or Athena, connects outbound from a sensitive temporary directory and subsequently creates a file in a similar location, indicative of receiving and executing commands from a C2 framework like Mythic.</description><content:encoded><![CDATA[<p>This threat brief describes a pattern of suspicious activity on Linux systems consistent with the operation of Command and Control (C2) agents like Poseidon or Athena. These agents often operate from non-standard, writable directories such as <code>/tmp</code>, <code>/dev/shm</code>, or <code>/var/log</code> to evade detection. The observed behavior involves such a process first initiating an outbound network connection, typically polling a C2 framework like Mythic for commands or new payloads. This network communication is then rapidly followed by the creation of a new file by the same process, usually in another suspicious location on the system. This file creation event often indicates the agent receiving and staging further instructions or malicious components. Defenders should recognize this two-stage sequence as a strong indicator of post-compromise activity, potentially leading to data exfiltration, lateral movement, or further system compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>C2 Agent Deployment</strong>: An attacker successfully deploys a C2 agent (e.g., Poseidon, Athena) to a non-standard, writable location on a Linux host, such as <code>/tmp</code>, <code>/dev/shm</code>, <code>/var/tmp</code>, <code>/var/log</code>, <code>/var/run/user</code>, or <code>/run/user</code>.</li>
<li><strong>Outbound C2 Connection</strong>: The deployed C2 agent initiates an outbound network connection (e.g., HTTP/S web requests) to its C2 server, potentially part of a C2 framework like Mythic, to poll for new commands or payloads.</li>
<li><strong>Command Reception</strong>: The C2 server responds to the agent's poll, sending commands, scripts, or additional malicious binaries back to the compromised host.</li>
<li><strong>Local File Creation</strong>: The C2 agent creates a new file on the local filesystem, often in a similar suspicious writable directory, to store the received commands, scripts, or payloads.</li>
<li><strong>Command Execution</strong>: The C2 agent proceeds to execute the newly created file or the commands received, leading to further actions on objectives such as data collection, privilege escalation, or lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful execution of such C2 agent activity can lead to a range of severe consequences. Attackers can maintain persistent access to the compromised Linux system, exfiltrate sensitive data, install additional malware, establish backdoors, or use the system as a launchpad for lateral movement within the network. Since this behavior is characteristic of established C2 frameworks, victims could face significant financial losses, reputational damage, and regulatory penalties depending on the type and sensitivity of compromised data. The lack of specifics in this detection means the full scope of impact can only be assessed upon incident response.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious network connections and file creations from writable directories.</li>
<li>Ensure comprehensive <code>network_connection</code> and <code>file_event</code> logging is enabled on all Linux endpoints to capture the necessary telemetry for these detections.</li>
<li>Implement correlation rules in your SIEM to link network connections from suspicious processes with subsequent file creations by the same process within a short timeframe, mimicking the original EQL rule's logic.</li>
<li>Regularly review processes executing from temporary or shared memory directories (<code>/tmp</code>, <code>/dev/shm</code>, <code>/var/tmp</code>) for anomalous network activity or file system modifications, as detected by the rules above.</li>
<li>Investigate all alerts generated by the <code>Suspicious Process Network Connection from Writable Path on Linux</code> rule, especially those involving connections to external or unusual IP addresses.</li>
<li>Analyze processes identified by the <code>Suspicious File Creation by Process in Writable Path on Linux</code> rule, focusing on the content of the created files and the parent process responsible.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>command-and-control</category><category>execution</category><category>linux</category><category>endpoint-detection</category></item><item><title>Windows Credential Access from Browser Password Store Detection</title><link>https://feed.craftedsignal.io/briefs/2026-07-browser-credential-access/</link><pubDate>Fri, 03 Jul 2026 13:11:48 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-browser-credential-access/</guid><description>This brief describes a detection for suspicious activity on Windows systems where an uncommon or unauthorized process attempts to access browser user data profiles, a common behavior observed in Trojan Stealers like SnakeKeylogger to harvest sensitive browser information and credentials for exfiltration.</description><content:encoded><![CDATA[<p>Threat actors, often employing various Trojan Stealers such as SnakeKeylogger (mentioned in the source), frequently target web browser password stores and user profiles to extract sensitive information and credentials. This activity is a critical step in their data exfiltration strategy, enabling further compromise, financial fraud, or identity theft. The detection focuses on identifying processes that unexpectedly access browser user data directories on Windows systems. It specifically looks for instances where a process other than the legitimate browser application (e.g., <code>chrome.exe</code> accessing Chrome's user data) attempts to read or modify these sensitive files, indicating potential malicious activity. The methodology involves monitoring Windows Security Event Log 4663 for object access attempts and comparing the accessing process against a predefined list of allowed browser applications.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: The attacker gains initial access to the victim's system, commonly through phishing emails containing malicious attachments or links, or compromised websites leading to drive-by downloads.</li>
<li><strong>Execution</strong>: The malicious payload, such as SnakeKeylogger, is executed on the victim's machine, often disguised as a legitimate application or document.</li>
<li><strong>Discovery</strong>: The malware identifies the presence of installed web browsers and their respective user data directories, which store credentials, cookies, and other sensitive information.</li>
<li><strong>Credential Access</strong>: The stealer malware initiates access to specific browser user data profiles and password stores (e.g., <code>Login Data</code> or <code>key4.db</code> files), attempting to read or decrypt stored credentials. This step often involves a non-browser process accessing these files.</li>
<li><strong>Collection</strong>: Once accessed, the malware collects the harvested credentials, autofill data, cookies, and other valuable information from the browser's database files.</li>
<li><strong>Exfiltration</strong>: The collected sensitive data is then encrypted and exfiltrated to the attacker's command and control (C2) server over various channels, typically HTTP/HTTPS.</li>
<li><strong>Impact</strong>: The exfiltrated credentials are used for unauthorized access to online accounts, financial fraud, further network compromise, or sale on underground forums.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation results in significant data compromise, including user credentials, financial information, and personal data stored within web browsers. This can lead to unauthorized access to corporate and personal accounts, financial fraud, and identity theft. While the source does not provide specific victim counts, stealer malware campaigns are widespread and impact individuals and organizations across all sectors globally. The exfiltration of credentials can serve as a stepping stone for further lateral movement within an organization's network, escalating the initial compromise to a full-scale breach.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect suspicious browser credential access attempts by unauthorized processes.</li>
<li>Enable Windows Security Event Log 4663 by configuring &quot;Audit Object Access&quot; for both &quot;Success&quot; and &quot;Failure&quot; events in Group Policy.</li>
<li>Tune the <code>browser_app_list</code> lookup (or equivalent whitelist) within your detection system to accurately reflect legitimate browser applications and their expected access paths, reducing false positives.</li>
<li>Implement strong phishing awareness training for all users to reduce the likelihood of initial access by stealer malware.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>credential-access</category><category>stealer</category><category>windows</category><category>endpoint-detection</category></item></channel></rss>