<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Endpoint — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/endpoint/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 Apr 2026 16:27:52 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/endpoint/feed.xml" rel="self" type="application/rss+xml"/><item><title>Multiple External EDR Alerts by Host</title><link>https://feed.craftedsignal.io/briefs/2024-01-multiple-edr-alerts/</link><pubDate>Fri, 10 Apr 2026 16:27:52 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-multiple-edr-alerts/</guid><description>This rule detects multiple external EDR alerts on the same host, indicating a potential compromise, by analyzing alert data from various EDR solutions like CrowdStrike, SentinelOne, and M365 Defender to identify hosts triggering multiple alerts, enabling prioritization of investigation and response.</description><content:encoded><![CDATA[<p>This detection rule identifies hosts triggering multiple alerts from external Endpoint Detection and Response (EDR) solutions, indicating a potential compromise. It aggregates alert data from sources such as CrowdStrike, SentinelOne, and Microsoft 365 Defender to identify hosts exhibiting a high volume or diversity of security alerts. The rule aims to detect coordinated attacks across multiple hosts, warranting prioritized investigation and response. 
It prioritizes hosts that cross a defined threshold of unique alert rules or distinct alert severities, or that show repeated patterns involving the same file paths, command lines, or processes. This approach allows security analysts to focus on systems with a higher likelihood of compromise, reducing the time to detect and respond to potential threats.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> An attacker gains initial access to a host through various means, such as exploiting a vulnerability or using stolen credentials.</li>
<li><strong>Malware Deployment:</strong> The attacker deploys malware onto the compromised host. This could be achieved through techniques like phishing or exploiting software vulnerabilities.</li>
<li><strong>Execution:</strong> The malware executes on the host, initiating malicious activities. This may involve running malicious scripts or binaries.</li>
<li><strong>Persistence:</strong> The malware establishes persistence on the host to maintain access even after a reboot. This can be achieved by creating scheduled tasks or modifying registry keys.</li>
<li><strong>Lateral Movement:</strong> The attacker attempts to move laterally to other hosts on the network. This can involve using techniques like pass-the-hash or exploiting network vulnerabilities.</li>
<li><strong>Command and Control:</strong> The malware establishes communication with a command and control (C2) server to receive instructions and exfiltrate data.</li>
<li><strong>Privilege Escalation:</strong> The attacker attempts to escalate privileges to gain higher-level access to the system.</li>
<li><strong>Impact:</strong> The attacker achieves their objective, such as stealing sensitive data or disrupting system operations.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack resulting in multiple EDR alerts can lead to significant disruption and data loss. Depending on the attacker&rsquo;s objectives, this could include the exfiltration of sensitive data, ransomware deployment, or system downtime. The compromise of multiple hosts can indicate a widespread and coordinated attack, potentially affecting a large number of users and systems. Organizations may experience financial losses due to incident response costs, legal liabilities, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Multiple External EDR Alerts by Host</code> to your SIEM and tune for your environment.</li>
<li>Enable logging for CrowdStrike, SentinelOne, and M365 Defender to ensure the Sigma rule can ingest the appropriate logs, as outlined in the rule&rsquo;s query.</li>
<li>Prioritize investigation of hosts identified by the rule with high alert counts or diverse alert severities to minimize potential damage.</li>
<li>Review known benign activities and exclude them from triggering the rule, as detailed in the false positive analysis section of the rule documentation.</li>
<li>Correlate alert data with other logs (process creation, network connections, file modifications) to provide better context for detected hosts.</li>
<li>Block the C2 domains/IP addresses if they are found to be related to the alerts from the affected hosts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>threat-detection</category><category>edr</category><category>endpoint</category></item><item><title>Suspicious MSIExec Remote Download</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-msiexec-remote-download/</link><pubDate>Wed, 03 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-msiexec-remote-download/</guid><description>The analytic detects the execution of msiexec.exe with an HTTP or HTTPS URL, which indicates an attempt to download and execute potentially malicious software from a remote server, leading to potential unauthorized code execution, system compromise, or malware deployment.</description><content:encoded><![CDATA[<p>The detection focuses on identifying instances where <code>msiexec.exe</code> is used with an HTTP or HTTPS URL in the command line. This behavior is indicative of an attempt to download and execute potentially malicious software from a remote server. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. If confirmed malicious, this could lead to unauthorized code execution, system compromise, or further malware deployment within the network. The technique is often used to bypass traditional security controls.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access through various means, such as phishing or exploiting a software vulnerability.</li>
<li>The attacker leverages <code>msiexec.exe</code>, a legitimate Windows utility, to download a malicious MSI package from a remote HTTP or HTTPS server.</li>
<li>The command line includes a URL pointing to a malicious MSI file hosted on a compromised or attacker-controlled server.</li>
<li><code>msiexec.exe</code> downloads the MSI package to the victim&rsquo;s machine.</li>
<li>The MSI package is executed, potentially installing malware, creating new files, or modifying system settings.</li>
<li>The installed malware establishes persistence through registry keys or scheduled tasks.</li>
<li>The malware initiates command and control (C2) communication to receive further instructions.</li>
<li>The attacker performs actions on the objective such as data exfiltration or lateral movement within the compromised network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized code execution, system compromise, or further malware deployment within the network. The use of <code>msiexec.exe</code> for remote downloads can bypass traditional security controls, allowing attackers to deliver and execute malicious payloads undetected. The dfirreport.com article references data exfiltration following exploitation via MSIExec.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon process-creation logging (Sysmon EventID 1) so the Sigma rules in this brief can capture command-line details.</li>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment.</li>
<li>Monitor network traffic for connections originating from <code>msiexec.exe</code> to external HTTP/HTTPS URLs (Network Visibility Module Flow Data).</li>
<li>Investigate any instances of <code>msiexec.exe</code> executing with command-line arguments containing HTTP or HTTPS URLs.</li>
<li>Filter false positives by destination or parent process as needed based on your environment.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>endpoint</category><category>msiexec</category><category>remote-download</category><category>windows</category></item><item><title>Machine Learning Detects High Bytes Written to External Device</title><link>https://feed.craftedsignal.io/briefs/2024-01-exfiltration-ml-high-bytes/</link><pubDate>Wed, 03 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-exfiltration-ml-high-bytes/</guid><description>A machine learning job has detected high bytes of data written to an external device, potentially indicating illicit data copying or transfer activities leading to data exfiltration over a physical medium such as USB.</description><content:encoded><![CDATA[<p>This brief addresses a machine learning detection identifying anomalous data transfer volumes to external devices. The Elastic Data Exfiltration Detection integration includes a prebuilt machine learning job, <code>ded_high_bytes_written_to_external_device_ea</code>, designed to detect spikes in data written to external devices. This behavior is considered anomalous because typical operational settings usually exhibit predictable patterns or ranges of data transfer to external storage. The detection is triggered when the amount of data written significantly deviates from the established baseline, potentially signaling unauthorized data copying or exfiltration attempts. This detection focuses on identifying abnormalities, providing an alert for investigation of possible illicit data transfer activities. The integration requires the Elastic Defend integration to collect file events.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a system via compromised credentials or exploiting a vulnerability.</li>
<li>The attacker uses their access to locate and stage sensitive data for exfiltration.</li>
<li>The attacker connects an external storage device, such as a USB drive, to the compromised system.</li>
<li>The attacker initiates a large data transfer operation, copying the staged data to the external device.</li>
<li>Elastic Defend monitors file events and detects a significant increase in bytes written to the external device.</li>
<li>The <code>ded_high_bytes_written_to_external_device_ea</code> machine learning job identifies the unusual data transfer volume.</li>
<li>An alert is triggered based on the anomaly threshold defined in the Data Exfiltration Detection rule.</li>
<li>The attacker removes the external device, completing the exfiltration of the sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exfiltration of data to external devices can lead to significant data breaches. The impact varies depending on the sensitivity and volume of the data stolen. This activity can result in financial losses, reputational damage, legal repercussions, and compromise of intellectual property. While the specific number of affected organizations is unknown, any organization that allows the use of external storage devices is potentially vulnerable. This issue poses a risk across various sectors, particularly those handling sensitive data, such as finance, healthcare, and technology.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Install the Data Exfiltration Detection integration and configure the preconfigured anomaly detection jobs as described in the rule&rsquo;s setup instructions.</li>
<li>Review and tune the <code>anomaly_threshold</code> (currently set to 75) based on your environment&rsquo;s baseline data transfer patterns to reduce false positives.</li>
<li>Deploy endpoint detection and response (EDR) solutions to enhance visibility and control over data movements to external devices as mentioned in the &ldquo;Response and remediation&rdquo; section of the rule&rsquo;s <code>note</code>.</li>
<li>Create exceptions for known backup operations, software updates, and data archiving processes that may trigger false positives, referencing the &ldquo;False positive analysis&rdquo; section of the rule&rsquo;s <code>note</code>.</li>
<li>Implement additional monitoring on similar devices and network segments to detect any further anomalous data transfer activities, based on the rule&rsquo;s description and the &ldquo;Response and remediation&rdquo; section of its <code>note</code>.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>data-exfiltration</category><category>machine-learning</category><category>endpoint</category></item><item><title>Unusual Process Spawned by a User Detected by Machine Learning</title><link>https://feed.craftedsignal.io/briefs/2024-01-rare-process-user/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-rare-process-user/</guid><description>A machine learning job detected a suspicious Windows process, predicted to be malicious by the ProblemChild supervised ML model and found to be unusual within the user's context, potentially indicating defense evasion techniques like masquerading or the use of LOLbins.</description><content:encoded><![CDATA[<p>A machine learning (ML) rule has identified unusual process execution on a Windows endpoint. This detection leverages two ML models from the Elastic ProblemChild integration: a supervised model that predicts malicious processes and an unsupervised model that identifies processes anomalous to the user&rsquo;s typical behavior. The rule focuses on detecting defense evasion tactics, specifically the potential use of Living-off-the-Land Binaries (LOLbins) or masquerading techniques, which can be difficult to detect with traditional signature-based methods. This detection uses data from the Elastic Endpoint or Winlogbeat and requires the Living off the Land (LotL) Attack Detection integration assets to be installed. This rule was last updated April 1, 2026 and requires Elastic Stack version 9.4.0 or higher.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: The attacker gains initial access through an existing user account.</li>
<li>Execution: The attacker executes a standard Windows process (e.g., cmd.exe, powershell.exe).</li>
<li>Defense Evasion: The attacker leverages LOLbins to perform malicious actions, blending in with legitimate system activity.</li>
<li>Masquerading: The attacker renames or moves malicious tools to mimic legitimate system files.</li>
<li>Privilege Escalation (Optional): The attacker attempts to escalate privileges using the compromised process.</li>
<li>Lateral Movement (Optional): The attacker uses the compromised process to move laterally to other systems.</li>
<li>Command and Control (Optional): The process establishes a connection to a command and control server for further instructions.</li>
<li>Impact: The attacker achieves their objective, such as data exfiltration, system compromise, or persistence.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack using these techniques can lead to a full system compromise, data theft, or the installation of persistent backdoors. The use of LOLbins makes detection difficult, potentially allowing attackers to operate undetected for extended periods. The impact is amplified by the potential for lateral movement to other systems within the network. While the severity is rated &ldquo;low&rdquo;, successful exploitation allows attackers to move laterally and establish persistence in the network.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Ensure the Living off the Land (LotL) Attack Detection integration is installed and properly configured, as detailed in the rule setup (Elastic Defend or Winlogbeat).</li>
<li>Investigate alerts generated by the &ldquo;Unusual Process Spawned by a User&rdquo; rule (rule_id: 40155ee4-1e6a-4e4d-a63b-e8ba16980cfb) to determine the legitimacy of the flagged process.</li>
<li>Tune the anomaly threshold (anomaly_threshold: 75) based on your environment to reduce false positives, as mentioned in the rule parameters.</li>
<li>Review the &ldquo;False positive analysis&rdquo; section in the rule&rsquo;s note for guidance on identifying and excluding legitimate processes.</li>
<li>Implement the provided Sigma rule to detect unusual command line arguments associated with LOLBins.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>endpoint</category><category>windows</category><category>defense evasion</category><category>machine learning</category><category>lolbins</category></item></channel></rss>