https://feed.craftedsignal.io/tags/evasion/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSat, 27 Jan 2024 18:29:00 +0000https://feed.craftedsignal.io/briefs/2024-01-obfuscated-ip-download/Sat, 27 Jan 2024 18:29:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-obfuscated-ip-download/This brief details the use of obfuscated IP addresses within download commands, often employed to evade detection by hiding the true destination of malicious downloads.Attackers are increasingly using obfuscated IP addresses (e.g., hexadecimal, octal, or other encoded representations) within download commands to bypass security measures that rely on simple IP address blacklisting or pattern matching. This technique makes it more difficult to identify malicious network connections based on simple string matching. The observed commands include Invoke-WebRequest, Invoke-RestMethod, wget, curl, DownloadFile, and DownloadString. Defenders need to detect these obfuscated IPs to identify and block malicious download attempts. This technique has been observed across various attack campaigns and is a common tactic used to deliver malware while attempting to evade detection.

Attack Chain

1. An attacker gains initial access, potentially through phishing or exploiting a vulnerability.
2. The attacker crafts a command containing an obfuscated IP address. This may involve converting a standard IP address into its hexadecimal, octal, or decimal representation.
3. The attacker utilizes a command-line tool such as curl, wget, or PowerShell’s Invoke-WebRequest to initiate a download. The command includes the obfuscated IP within a URL.
4. The command interpreter resolves the obfuscated IP address back to its standard format before initiating the network connection.
5. The target host establishes a connection to the attacker’s server at the resolved IP address.
6. The attacker’s server delivers a malicious payload, such as a script, executable, or document containing macros.
7. The downloaded payload is executed on the target system, potentially leading to further compromise, such as privilege escalation or lateral movement.
8. The attacker achieves their final objective, such as data exfiltration, ransomware deployment, or establishing persistent access.

Impact

Successful exploitation can lead to the download and execution of malware, potentially compromising the targeted system. This can result in data breaches, system disruption, or financial loss. The use of obfuscation techniques makes it more difficult to detect and prevent these attacks, increasing the risk of successful compromise.

Recommendation

• Deploy the Sigma rule “Obfuscated IP Download Activity” to your SIEM to detect the use of obfuscated IP addresses in download commands. Tune the rule for your environment to minimize false positives.
• Investigate any process creation events that match the Sigma rule, paying close attention to the command-line arguments.
• Consider implementing additional network-based detection mechanisms to identify connections to suspicious IP addresses, even if they are obfuscated.
• Monitor process creation logs (Sysmon) for processes executing download commands like Invoke-WebRequest, Invoke-RestMethod, wget, curl, DownloadFile, and DownloadString with suspicious arguments.

]]>mediumadvisorydiscoveryevasionobfuscationhttps://feed.craftedsignal.io/briefs/2024-01-suspicious-html-creation/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-suspicious-html-creation/This detection identifies the creation of HTML files with high entropy and large size, followed by execution via a browser process, indicating potential HTML smuggling and malicious payload delivery on Windows systems.This detection rule identifies a suspicious sequence of events indicative of HTML smuggling, where adversaries embed malicious payloads within seemingly benign HTML files to bypass security filters. The rule focuses on Windows systems and monitors for the creation of HTML files exhibiting characteristics such as high entropy (>=5) and large size (>=150,000 bytes) or very large size (>=1,000,000 bytes) within common download and temporary directories (e.g., Downloads, Content.Outlook, AppData\Local\Temp). Subsequently, it tracks the execution of browser processes (e.g., chrome.exe, firefox.exe, iexplore.exe) opening these HTML files with specific command-line arguments (e.g., –single-argument, -url). The detection aims to uncover initial access attempts, defense evasion, and user execution of malicious files delivered through HTML smuggling techniques.

Attack Chain

1. A user receives a phishing email containing a malicious HTML attachment.
2. The user opens the attachment, triggering the download of a large HTML file to the Downloads folder.
3. The HTML file contains obfuscated JavaScript code that, when executed, reconstructs a malicious payload (e.g., a Cobalt Strike beacon).
4. The file is saved with an .htm or .html extension in a temporary or download directory.
5. A browser process (chrome.exe, firefox.exe, etc.) is initiated to open the HTML file, often with specific arguments like “–single-argument” or “-url”.
6. The browser renders the HTML, executing the embedded JavaScript.
7. The JavaScript deobfuscates and executes the smuggled payload, initiating a reverse shell connection to a command-and-control server.
8. The attacker gains initial access to the compromised system and can proceed with lateral movement or data exfiltration.

Impact

Successful exploitation via HTML smuggling can lead to initial access to a targeted system, potentially enabling attackers to perform lateral movement, data exfiltration, or ransomware deployment. While the specific number of victims and targeted sectors are not explicitly stated in the source, the technique is broadly applicable and can affect any Windows user who interacts with malicious HTML attachments or downloads from untrusted sources. The consequences of successful exploitation range from data breaches and financial losses to reputational damage and operational disruption.

Recommendation

• Deploy the Sigma rules provided in this brief to your SIEM and tune the file path and browser process filters for your environment.
• Enable file integrity monitoring (FIM) on common download and temporary directories to detect the creation of suspicious HTML files as described in the Sigma rules.
• Implement network egress filtering to block connections to known malicious command-and-control servers and domains to prevent payload execution.
• Educate users about the risks of opening attachments from untrusted sources and train them to recognize phishing emails as outlined in the Overview.
• Utilize endpoint detection and response (EDR) solutions to monitor process execution and network connections for anomalous behavior associated with HTML smuggling.

]]>mediumadvisoryhtml-smugglingphishinginitial-accesswindowsevasionhttps://feed.craftedsignal.io/briefs/2024-01-03-obfuscated-ip-cli/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-obfuscated-ip-cli/The use of command-line tools like ping.exe or arp.exe with obfuscated IP addresses (hex, octal, etc.) in the command line can indicate reconnaissance activity or attempts to evade security controls by masking the true destination.Attackers may attempt to obscure their activities by using obfuscated IP addresses within command-line tools. This is done to bypass simple pattern matching or detection rules that rely on standard IP address formats. The Sigma rule “Obfuscated IP Via CLI” published on 2022-08-03 and modified on 2026-03-16, focuses on detecting this behavior by identifying command lines containing hexadecimal, octal, or other encoded representations of IP addresses used with ping.exe or arp.exe. This activity can indicate reconnaissance, command and control communication, or lateral movement attempts where attackers are trying to hide the true destination of their network traffic.

Attack Chain

1. An attacker gains initial access to a Windows system.
2. The attacker opens a command prompt (cmd.exe) or PowerShell.
3. The attacker uses ping.exe or arp.exe to test network connectivity.
4. The attacker crafts a command line that includes an obfuscated IP address (e.g., hexadecimal, octal). For example: ping 0121.04.0174.012
5. The command is executed, attempting to resolve or connect to the obfuscated IP address.
6. If the obfuscation bypasses security controls, the tool resolves the address.
7. The attacker gathers information about the target system (if ping is successful) or network.
8. The attacker uses this information for further exploitation or lateral movement.

Impact

Successful exploitation of obfuscated IPs can lead to undetected reconnaissance, lateral movement, and data exfiltration. By hiding the true destination of network traffic, attackers can bypass traditional security measures and gain a foothold within the network. The impact includes potential data breaches, system compromise, and disruption of services.

Recommendation

• Deploy the “Obfuscated IP Via CLI” Sigma rule to your SIEM to detect command-line execution with obfuscated IP addresses.
• Enable process creation logging for ping.exe and arp.exe to ensure the Sigma rule has the necessary data.
• Investigate any alerts generated by the Sigma rule to determine if the activity is malicious.
• Implement network segmentation to limit the scope of potential lateral movement.
• Monitor command-line activity for unusual patterns or arguments.

]]>mediumadvisoryreconnaissanceevasioncommand-line