{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/evasion/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["discovery","evasion","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly using obfuscated IP addresses (e.g., hexadecimal, octal, or other encoded representations) within download commands to bypass security measures that rely on simple IP address blacklisting or pattern matching. This technique makes it more difficult to identify malicious network connections based on simple string matching. The observed commands include \u003ccode\u003eInvoke-WebRequest\u003c/code\u003e, \u003ccode\u003eInvoke-RestMethod\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003eDownloadFile\u003c/code\u003e, and \u003ccode\u003eDownloadString\u003c/code\u003e. Defenders need to detect these obfuscated IPs to identify and block malicious download attempts. This technique has been observed across various attack campaigns and is a common tactic used to deliver malware while attempting to evade detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a command containing an obfuscated IP address. This may involve converting a standard IP address into its hexadecimal, octal, or decimal representation.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes a command-line tool such as \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, or PowerShell\u0026rsquo;s \u003ccode\u003eInvoke-WebRequest\u003c/code\u003e to initiate a download. The command includes the obfuscated IP within a URL.\u003c/li\u003e\n\u003cli\u003eThe command interpreter resolves the obfuscated IP address back to its standard format before initiating the network connection.\u003c/li\u003e\n\u003cli\u003eThe target host establishes a connection to the attacker\u0026rsquo;s server at the resolved IP address.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server delivers a malicious payload, such as a script, executable, or document containing macros.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is executed on the target system, potentially leading to further compromise, such as privilege escalation or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the download and execution of malware, potentially compromising the targeted system. This can result in data breaches, system disruption, or financial loss. The use of obfuscation techniques makes it more difficult to detect and prevent these attacks, increasing the risk of successful compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Obfuscated IP Download Activity\u0026rdquo; to your SIEM to detect the use of obfuscated IP addresses in download commands. Tune the rule for your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any process creation events that match the Sigma rule, paying close attention to the command-line arguments.\u003c/li\u003e\n\u003cli\u003eConsider implementing additional network-based detection mechanisms to identify connections to suspicious IP addresses, even if they are obfuscated.\u003c/li\u003e\n\u003cli\u003eMonitor process creation logs (Sysmon) for processes executing download commands like \u003ccode\u003eInvoke-WebRequest\u003c/code\u003e, \u003ccode\u003eInvoke-RestMethod\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003eDownloadFile\u003c/code\u003e, and \u003ccode\u003eDownloadString\u003c/code\u003e with suspicious arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-27T18:29:00Z","date_published":"2024-01-27T18:29:00Z","id":"/briefs/2024-01-obfuscated-ip-download/","summary":"This brief details the use of obfuscated IP addresses within download commands, often employed to evade detection by hiding the true destination of malicious downloads.","title":"Detection of Obfuscated IP Address Usage in Download Commands","url":"https://feed.craftedsignal.io/briefs/2024-01-obfuscated-ip-download/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["html-smuggling","phishing","initial-access","windows","evasion"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies a suspicious sequence of events indicative of HTML smuggling, where adversaries embed malicious payloads within seemingly benign HTML files to bypass security filters. The rule focuses on Windows systems and monitors for the creation of HTML files exhibiting characteristics such as high entropy (\u0026gt;=5) and large size (\u0026gt;=150,000 bytes) or very large size (\u0026gt;=1,000,000 bytes) within common download and temporary directories (e.g., Downloads, Content.Outlook, AppData\\Local\\Temp). Subsequently, it tracks the execution of browser processes (e.g., chrome.exe, firefox.exe, iexplore.exe) opening these HTML files with specific command-line arguments (e.g., \u0026ndash;single-argument, -url). The detection aims to uncover initial access attempts, defense evasion, and user execution of malicious files delivered through HTML smuggling techniques.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user receives a phishing email containing a malicious HTML attachment.\u003c/li\u003e\n\u003cli\u003eThe user opens the attachment, triggering the download of a large HTML file to the Downloads folder.\u003c/li\u003e\n\u003cli\u003eThe HTML file contains obfuscated JavaScript code that, when executed, reconstructs a malicious payload (e.g., a Cobalt Strike beacon).\u003c/li\u003e\n\u003cli\u003eThe file is saved with an .htm or .html extension in a temporary or download directory.\u003c/li\u003e\n\u003cli\u003eA browser process (chrome.exe, firefox.exe, etc.) is initiated to open the HTML file, often with specific arguments like \u0026ldquo;\u0026ndash;single-argument\u0026rdquo; or \u0026ldquo;-url\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe browser renders the HTML, executing the embedded JavaScript.\u003c/li\u003e\n\u003cli\u003eThe JavaScript deobfuscates and executes the smuggled payload, initiating a reverse shell connection to a command-and-control server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the compromised system and can proceed with lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via HTML smuggling can lead to initial access to a targeted system, potentially enabling attackers to perform lateral movement, data exfiltration, or ransomware deployment. While the specific number of victims and targeted sectors are not explicitly stated in the source, the technique is broadly applicable and can affect any Windows user who interacts with malicious HTML attachments or downloads from untrusted sources. The consequences of successful exploitation range from data breaches and financial losses to reputational damage and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM and tune the file path and browser process filters for your environment.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring (FIM) on common download and temporary directories to detect the creation of suspicious HTML files as described in the Sigma rules.\u003c/li\u003e\n\u003cli\u003eImplement network egress filtering to block connections to known malicious command-and-control servers and domains to prevent payload execution.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening attachments from untrusted sources and train them to recognize phishing emails as outlined in the Overview.\u003c/li\u003e\n\u003cli\u003eUtilize endpoint detection and response (EDR) solutions to monitor process execution and network connections for anomalous behavior associated with HTML smuggling.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-suspicious-html-creation/","summary":"This detection identifies the creation of HTML files with high entropy and large size, followed by execution via a browser process, indicating potential HTML smuggling and malicious payload delivery on Windows systems.","title":"Suspicious HTML File Creation Leading to Potential Payload Delivery","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-html-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["reconnaissance","evasion","command-line"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may attempt to obscure their activities by using obfuscated IP addresses within command-line tools. This is done to bypass simple pattern matching or detection rules that rely on standard IP address formats. The Sigma rule \u0026ldquo;Obfuscated IP Via CLI\u0026rdquo; published on 2022-08-03 and modified on 2026-03-16, focuses on detecting this behavior by identifying command lines containing hexadecimal, octal, or other encoded representations of IP addresses used with \u003ccode\u003eping.exe\u003c/code\u003e or \u003ccode\u003earp.exe\u003c/code\u003e. This activity can indicate reconnaissance, command and control communication, or lateral movement attempts where attackers are trying to hide the true destination of their network traffic.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker opens a command prompt (cmd.exe) or PowerShell.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eping.exe\u003c/code\u003e or \u003ccode\u003earp.exe\u003c/code\u003e to test network connectivity.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a command line that includes an obfuscated IP address (e.g., hexadecimal, octal). For example: \u003ccode\u003eping 0121.04.0174.012\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe command is executed, attempting to resolve or connect to the obfuscated IP address.\u003c/li\u003e\n\u003cli\u003eIf the obfuscation bypasses security controls, the tool resolves the address.\u003c/li\u003e\n\u003cli\u003eThe attacker gathers information about the target system (if ping is successful) or network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses this information for further exploitation or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of obfuscated IPs can lead to undetected reconnaissance, lateral movement, and data exfiltration. By hiding the true destination of network traffic, attackers can bypass traditional security measures and gain a foothold within the network. The impact includes potential data breaches, system compromise, and disruption of services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Obfuscated IP Via CLI\u0026rdquo; Sigma rule to your SIEM to detect command-line execution with obfuscated IP addresses.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging for \u003ccode\u003eping.exe\u003c/code\u003e and \u003ccode\u003earp.exe\u003c/code\u003e to ensure the Sigma rule has the necessary data.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine if the activity is malicious.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the scope of potential lateral movement.\u003c/li\u003e\n\u003cli\u003eMonitor command-line activity for unusual patterns or arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-obfuscated-ip-cli/","summary":"The use of command-line tools like ping.exe or arp.exe with obfuscated IP addresses (hex, octal, etc.) in the command line can indicate reconnaissance activity or attempts to evade security controls by masking the true destination.","title":"Detection of Obfuscated IP Addresses via Command Line Tools","url":"https://feed.craftedsignal.io/briefs/2024-01-03-obfuscated-ip-cli/"}],"language":"en","title":"CraftedSignal Threat Feed — Evasion","version":"https://jsonfeed.org/version/1.1"}