{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/file-shares/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","file-shares","windows"],"_cs_type":"advisory","_cs_vendors":["Veeam Software Group GmbH","Elasticsearch, Inc.","PDQ.com Corporation","CrowdStrike, Inc.","Microsoft","ZOHO Corporation Private Limited","BeyondTrust Corporation","CyberArk Software Ltd","Sophos Ltd","AO Kaspersky Lab","Anthropic, PBC","Adobe Inc.","Netwrix Corporation"],"content_html":"\u003cp\u003eThis detection rule identifies a specific sequence of events that may indicate lateral movement within a Windows environment. The rule focuses on scenarios where a file is created or modified by the \u003ccode\u003eSystem\u003c/code\u003e process (PID 4), which is then subsequently executed. This behavior is often associated with attackers leveraging network file shares to distribute malicious tools or payloads across multiple systems. The rule aims to detect this activity while excluding legitimate software installations or updates by filtering out processes signed by trusted vendors such as Veeam, Elasticsearch, CrowdStrike, and Microsoft. This exclusion is designed to reduce false positives and focus on potentially malicious activity. The rule is designed for data generated by Elastic Defend.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious executable (e.g., EXE, SCR, PIF, COM) to a network file share accessible to other systems. The file\u0026rsquo;s header starts with \u003ccode\u003e4d5a\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSystem\u003c/code\u003e process (PID 4) creates or modifies the malicious executable on the target system via the network share. This can happen through normal network file operations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses lateral movement techniques, such as exploiting SMB/Windows Admin Shares, to remotely trigger the execution of the malicious executable on the target system.\u003c/li\u003e\n\u003cli\u003eThe malicious executable begins to execute, initiating attacker-controlled code on the target system.\u003c/li\u003e\n\u003cli\u003eThe process attempts to establish command and control (C2) communication with an external server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to further propagate within the network, potentially deploying additional malicious tools or escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to widespread compromise of systems within the network. Attackers can leverage compromised systems for data theft, deployment of ransomware, or other malicious activities. The impact can range from business disruption and data loss to significant financial damage and reputational harm. Even with trusted vendor exclusions, a determined adversary could still bypass protections, potentially leading to the compromise of critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect remote execution via file shares, and tune exclusions for your specific environment.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend to generate the necessary process and file events for the Sigma rule to function effectively (see \u003ccode\u003elogs-endpoint.events.process-*\u003c/code\u003e, \u003ccode\u003elogs-endpoint.events.file-*\u003c/code\u003e in \u003ccode\u003eindex\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview and restrict write access to network shares to minimize the risk of unauthorized file uploads (see \u0026ldquo;Review the privileges needed to write to the network share\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule to determine the legitimacy of the activity and take appropriate remediation steps.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring (FIM) on network shares to detect unauthorized file modifications or additions.\u003c/li\u003e\n\u003cli\u003eUse threat intelligence platforms to enrich file hash values and identify known malicious files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-remote-execution-file-shares/","summary":"The rule identifies the execution of a file created by the virtual system process, potentially indicating lateral movement via network file shares, by detecting a sequence of file creation/modification followed by process execution, excluding trusted vendors.","title":"Remote Execution via File Shares","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-execution-file-shares/"}],"language":"en","title":"CraftedSignal Threat Feed — File-Shares","version":"https://jsonfeed.org/version/1.1"}