{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/file-share/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","file-share","windows"],"_cs_type":"advisory","_cs_vendors":["Veeam Software Group GmbH","Elasticsearch, Inc.","PDQ.com Corporation","CrowdStrike, Inc.","Microsoft","ZOHO Corporation Private Limited","BeyondTrust Corporation","CyberArk Software Ltd","Sophos Ltd","AO Kaspersky Lab","Anthropic, PBC","Adobe Inc.","Netwrix Corporation"],"content_html":"\u003cp\u003eThis detection identifies lateral movement via network file shares by detecting the execution of a file that was recently created by the virtual system process (PID 4), commonly associated with file share operations. Adversaries may leverage network shares to distribute malicious payloads or tools across the network to compromise additional hosts. This technique allows attackers to execute code remotely, expanding their foothold within the environment. The rule focuses on Windows systems and monitors for newly created executable files (e.g., .exe, .scr, .pif, .com) that are then executed. Exceptions are made for known legitimate software vendors and specific file paths to reduce false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious executable (e.g., malware, custom tool) to a network file share. The file creation event is attributed to PID 4.\u003c/li\u003e\n\u003cli\u003eA user or automated process on a remote system accesses the file share.\u003c/li\u003e\n\u003cli\u003eThe malicious executable is copied or accessed from the network share onto the remote system.\u003c/li\u003e\n\u003cli\u003eThe user, either intentionally or through deception, executes the malicious executable.\u003c/li\u003e\n\u003cli\u003eThe executed file initiates malicious activities on the remote system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution on the remote system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses this foothold for further lateral movement, data exfiltration, or other malicious objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation through remote execution via file shares can lead to widespread compromise across the network. Attackers can gain unauthorized access to sensitive data, install backdoors, or deploy ransomware. The impact ranges from data breaches and financial losses to significant disruption of business operations. The severity of the impact depends on the attacker\u0026rsquo;s objectives and the extent of their lateral movement within the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious executions of files created by PID 4 on Windows systems.\u003c/li\u003e\n\u003cli\u003eReview and restrict write access to network shares to minimize the risk of unauthorized file uploads.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events (event.type in (\u0026ldquo;creation\u0026rdquo;, \u0026ldquo;change\u0026rdquo;)) on network shares for unusual activity using file integrity monitoring tools.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the process execution chain and associated network connections.\u003c/li\u003e\n\u003cli\u003eEnrich process creation events (category: process_creation) with code signature information to validate the legitimacy of executed files.\u003c/li\u003e\n\u003cli\u003eUse osquery to retrieve the files\u0026rsquo; SHA-256 hash values using the PowerShell \u003ccode\u003eGet-FileHash\u003c/code\u003e cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-remote-execution-via-file-shares/","summary":"This rule identifies the execution of a file that was created by the virtual system process, potentially indicating lateral movement via network file shares in Windows environments.","title":"Remote Execution via File Shares","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-execution-via-file-shares/"}],"language":"en","title":"CraftedSignal Threat Feed — File-Share","version":"https://jsonfeed.org/version/1.1"}