{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/endpoint/","home_page_url":"https://feed.craftedsignal.io/","items":[
{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["threat-detection","edr","endpoint"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection rule identifies hosts triggering multiple alerts from external Endpoint Detection and Response (EDR) solutions, indicating a potential compromise. It aggregates alert data from sources such as CrowdStrike, SentinelOne, and Microsoft 365 Defender to identify hosts exhibiting a high volume or diversity of security alerts. The rule aims to detect coordinated attacks across multiple hosts, warranting prioritized investigation and response. It prioritizes hosts that trigger a specific threshold of unique alert rules, different alert severities, or have repetitive patterns involving file paths, command lines, or processes. This approach allows security analysts to focus on systems with a higher likelihood of compromise, reducing the time to detect and respond to potential threats.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to a host through various means, such as exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalware Deployment:\u003c/strong\u003e The attacker deploys malware onto the compromised host. This could be achieved through techniques like phishing or exploiting software vulnerabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e The malware executes on the host, initiating malicious activities. This may involve running malicious scripts or binaries.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The malware establishes persistence on the host to maintain access even after a reboot. This can be achieved by creating scheduled tasks or modifying registry keys.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker attempts to move laterally to other hosts on the network. This can involve using techniques like pass-the-hash or exploiting network vulnerabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The malware establishes communication with a command and control (C2) server to receive instructions and exfiltrate data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker attempts to escalate privileges to gain higher-level access to the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their objective, such as stealing sensitive data or disrupting system operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack resulting in multiple EDR alerts can lead to significant disruption and data loss. Depending on the attacker\u0026rsquo;s objectives, this could include the exfiltration of sensitive data, ransomware deployment, or system downtime. The compromise of multiple hosts can indicate a widespread and coordinated attack, potentially affecting a large number of users and systems. Organizations may experience financial losses due to incident response costs, legal liabilities, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMultiple External EDR Alerts by Host\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable logging for CrowdStrike, SentinelOne, and M365 Defender to ensure the Sigma rule can ingest the appropriate logs, as outlined in the rule\u0026rsquo;s query.\u003c/li\u003e\n\u003cli\u003ePrioritize investigation of hosts identified by the rule with high alert counts or diverse alert severities to minimize potential damage.\u003c/li\u003e\n\u003cli\u003eReview and exclude known benign activities from triggering the rule, as detailed in the false positive analysis section of the rule documentation.\u003c/li\u003e\n\u003cli\u003eCorrelate alert data with other logs (process creation, network connections, file modifications) to provide better context for detected hosts.\u003c/li\u003e\n\u003cli\u003eBlock the C2 domains/IP addresses if they are found to be related to the alerts from the affected hosts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T16:27:52Z","date_published":"2026-04-10T16:27:52Z","id":"/briefs/2024-01-multiple-edr-alerts/","summary":"This rule detects multiple external EDR alerts on the same host, indicating a potential compromise, by analyzing alert data from various EDR solutions like CrowdStrike, SentinelOne, and M365 Defender to identify hosts triggering multiple alerts, enabling prioritization of investigation and response.","title":"Multiple External EDR Alerts by Host","url":"https://feed.craftedsignal.io/briefs/2024-01-multiple-edr-alerts/"},
{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Network Visibility Module"],"_cs_severities":["high"],"_cs_tags":["endpoint","msiexec","remote-download","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cisco","Splunk"],"content_html":"\u003cp\u003eThe detection focuses on identifying instances where \u003ccode\u003emsiexec.exe\u003c/code\u003e is used with an HTTP or HTTPS URL in the command line. This behavior is indicative of an attempt to download and execute potentially malicious software from a remote server. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. If confirmed malicious, this could lead to unauthorized code execution, system compromise, or further malware deployment within the network. The activity is often used to bypass traditional security controls.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access through various means, such as phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages \u003ccode\u003emsiexec.exe\u003c/code\u003e, a legitimate Windows utility, to download a malicious MSI package from a remote HTTP or HTTPS server.\u003c/li\u003e\n\u003cli\u003eThe command line includes a URL pointing to a malicious MSI file hosted on a compromised or attacker-controlled server.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emsiexec.exe\u003c/code\u003e downloads the MSI package to the victim\u0026rsquo;s machine.\u003c/li\u003e\n\u003cli\u003eThe MSI package is executed, potentially installing malware, creating new files, or modifying system settings.\u003c/li\u003e\n\u003cli\u003eThe installed malware establishes persistence through registry keys or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe malware initiates command and control (C2) communication to receive further instructions.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions on the objective such as data exfiltration or lateral movement within the compromised network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized code execution, system compromise, or further malware deployment within the network. The use of \u003ccode\u003emsiexec.exe\u003c/code\u003e for remote downloads can bypass traditional security controls, allowing attackers to deliver and execute malicious payloads undetected. The dfirreport.com article references data exfiltration following exploitation via MSIExec.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to activate the rules below, capturing command-line details (Sysmon EventID 1).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections originating from \u003ccode\u003emsiexec.exe\u003c/code\u003e to external HTTP/HTTPS URLs (Network Visibility Module Flow Data).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003emsiexec.exe\u003c/code\u003e executing with command-line arguments containing HTTP or HTTPS URLs.\u003c/li\u003e\n\u003cli\u003eFilter false positives by destination or parent process as needed based on your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-03-msiexec-remote-download/","summary":"The analytic detects the execution of msiexec.exe with an HTTP or HTTPS URL, which indicates an attempt to download and execute potentially malicious software from a remote server, leading to potential unauthorized code execution, system compromise, or malware deployment.","title":"Suspicious MSIExec Remote Download","url":"https://feed.craftedsignal.io/briefs/2024-01-03-msiexec-remote-download/"},
{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["data-exfiltration","machine-learning","endpoint"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis brief addresses a machine learning detection identifying anomalous data transfer volumes to external devices. The Elastic Data Exfiltration Detection integration includes a prebuilt machine learning job, \u003ccode\u003eded_high_bytes_written_to_external_device_ea\u003c/code\u003e, designed to detect spikes in data written to external devices. This behavior is considered anomalous because typical operational settings usually exhibit predictable patterns or ranges of data transfer to external storage. The detection is triggered when the amount of data written significantly deviates from the established baseline, potentially signaling unauthorized data copying or exfiltration attempts. This detection focuses on identifying abnormalities, providing an alert for investigation of possible illicit data transfer activities. The integration requires the Elastic Defend integration to collect file events.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system via compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses their access to locate and stage sensitive data for exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker connects an external storage device, such as a USB drive, to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a large data transfer operation, copying the staged data to the external device.\u003c/li\u003e\n\u003cli\u003eElastic Defend monitors file events and detects a significant increase in bytes written to the external device.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eded_high_bytes_written_to_external_device_ea\u003c/code\u003e machine learning job identifies the unusual data transfer volume.\u003c/li\u003e\n\u003cli\u003eAn alert is triggered based on the anomaly threshold defined in the Data Exfiltration Detection rule.\u003c/li\u003e\n\u003cli\u003eThe attacker removes the external device, completing the exfiltration of the sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exfiltration of data to external devices can lead to significant data breaches. The impact varies depending on the sensitivity and volume of the data stolen. This activity can result in financial losses, reputational damage, legal repercussions, and compromise of intellectual property. While the specific number of affected organizations is unknown, any organization that allows the use of external storage devices is potentially vulnerable. This issue poses a risk across various sectors, particularly those handling sensitive data, such as finance, healthcare, and technology.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInstall the Data Exfiltration Detection integration and configure the preconfigured anomaly detection jobs as described in the rule\u0026rsquo;s setup instructions.\u003c/li\u003e\n\u003cli\u003eReview and tune the \u003ccode\u003eanomaly_threshold\u003c/code\u003e (currently set to 75) based on your environment\u0026rsquo;s baseline data transfer patterns to reduce false positives.\u003c/li\u003e\n\u003cli\u003eDeploy endpoint detection and response (EDR) solutions to enhance visibility and control over data movements to external devices as mentioned in the \u0026ldquo;Response and remediation\u0026rdquo; section of the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eCreate exceptions for known backup operations, software updates, and data archiving processes that may trigger false positives, referencing the \u0026ldquo;False positive analysis\u0026rdquo; section of the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement additional monitoring on similar devices and network segments to detect any further anomalous data transfer activities, based on the rule\u0026rsquo;s description and \u0026ldquo;Response and remediation\u0026rdquo; section of the \u003ccode\u003enote\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-exfiltration-ml-high-bytes/","summary":"A machine learning job has detected high bytes of data written to an external device, potentially indicating illicit data copying or transfer activities leading to data exfiltration over a physical medium such as USB.","title":"Machine Learning Detects High Bytes Written to External Device","url":"https://feed.craftedsignal.io/briefs/2024-01-exfiltration-ml-high-bytes/"},
{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["endpoint","windows","defense evasion","machine learning","lolbins"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA machine learning (ML) rule has identified unusual process execution on a Windows endpoint. This detection leverages two ML models from the Elastic ProblemChild integration: a supervised model that predicts malicious processes and an unsupervised model that identifies processes anomalous to the user\u0026rsquo;s typical behavior. The rule focuses on detecting defense evasion tactics, specifically the potential use of Living-off-the-Land Binaries (LOLbins) or masquerading techniques, which can be difficult to detect with traditional signature-based methods. This detection uses data from the Elastic Endpoint or Winlogbeat and requires the Living off the Land (LotL) Attack Detection integration assets to be installed. This rule was last updated April 1, 2026, and requires Elastic Stack version 9.4.0 or higher.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access through an existing user account.\u003c/li\u003e\n\u003cli\u003eExecution: The attacker executes a standard Windows process (e.g., cmd.exe, powershell.exe).\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker leverages LOLbins to perform malicious actions, blending in with legitimate system activity.\u003c/li\u003e\n\u003cli\u003eMasquerading: The attacker renames or moves malicious tools to mimic legitimate system files.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (Optional): The attacker attempts to escalate privileges using the compromised process.\u003c/li\u003e\n\u003cli\u003eLateral Movement (Optional): The attacker uses the compromised process to move laterally to other systems.\u003c/li\u003e\n\u003cli\u003eCommand and Control (Optional): The process establishes a connection to a command and control server for further instructions.\u003c/li\u003e\n\u003cli\u003eImpact: The attacker achieves their objective, such as data exfiltration, system compromise, or persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using these techniques can lead to a full system compromise, data theft, or the installation of persistent backdoors. The use of LOLbins makes detection difficult, potentially allowing attackers to operate undetected for extended periods. The impact is amplified by the potential for lateral movement to other systems within the network. While the severity is rated \u0026ldquo;low\u0026rdquo;, successful exploitation allows attackers to move laterally and establish persistence in the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the Living off the Land (LotL) Attack Detection integration is installed and properly configured, as detailed in the rule setup (Elastic Defend or Winlogbeat).\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the \u0026ldquo;Unusual Process Spawned by a User\u0026rdquo; rule (rule_id: 40155ee4-1e6a-4e4d-a63b-e8ba16980cfb) to determine the legitimacy of the flagged process.\u003c/li\u003e\n\u003cli\u003eTune the anomaly threshold (anomaly_threshold: 75) based on your environment to reduce false positives, as mentioned in the rule parameters.\u003c/li\u003e\n\u003cli\u003eReview the \u0026ldquo;False positive analysis\u0026rdquo; section in the rule\u0026rsquo;s note for guidance on identifying and excluding legitimate processes.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect unusual command line arguments associated with LOLbins.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-rare-process-user/","summary":"A machine learning job detected a suspicious Windows process, predicted to be malicious by the ProblemChild supervised ML model and found to be unusual within the user's context, potentially indicating defense evasion techniques like masquerading or the use of LOLbins.","title":"Unusual Process Spawned by a User Detected by Machine Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-rare-process-user/"}
],"language":"en","title":"CraftedSignal Threat Feed — Endpoint","version":"https://jsonfeed.org/version/1.1"}