{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/impact/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["low"],"_cs_tags":["defense evasion","impact","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe Sysinternals SDelete utility is a legitimate tool developed by Microsoft for securely deleting files by overwriting and renaming them multiple times. While intended for secure data disposal, adversaries can abuse SDelete to remove forensic artifacts, destroy evidence of their activities, and impede data recovery efforts after a successful ransomware attack or data theft. This activity can be used as a post-exploitation technique. This detection rule focuses on identifying file name patterns indicative of SDelete\u0026rsquo;s operation, specifically detecting files with names resembling \u0026ldquo;*AAA.AAA\u0026rdquo;. The rule is designed to work with various endpoint detection and response solutions, including Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and CrowdStrike.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain the necessary permissions to delete files.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys or utilizes an existing copy of the SDelete utility.\u003c/li\u003e\n\u003cli\u003eThe attacker executes SDelete against targeted files or directories.\u003c/li\u003e\n\u003cli\u003eSDelete overwrites the targeted file(s) multiple times with random data.\u003c/li\u003e\n\u003cli\u003eSDelete renames the file(s) multiple times, often with patterns such as \u0026ldquo;*AAA.AAA\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eSDelete deletes the file(s) making recovery difficult.\u003c/li\u003e\n\u003cli\u003eThe attacker removes SDelete or any associated tools to further cover their tracks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can result in the permanent deletion of crucial forensic artifacts, log files, or even critical data. This can severely hinder incident response efforts, making it challenging to identify the scope of the attack, the attacker\u0026rsquo;s methods, and the compromised assets. The number of victims and affected sectors depends on the scale of the initial breach and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Potential Secure File Deletion via SDelete Utility\u0026rdquo; detection rule to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the detection rule, focusing on the process execution chain and identifying the user account involved.\u003c/li\u003e\n\u003cli\u003eReview the privileges assigned to the user account to ensure the least privilege principle is followed.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) logging to enhance visibility into file creation events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-01-28-sdelete-filename-rename/","summary":"This rule detects file name patterns generated by the use of Sysinternals SDelete utility, potentially used by attackers to delete forensic indicators and hinder data recovery efforts.","title":"Potential Secure File Deletion via SDelete Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-28-sdelete-filename-rename/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Github"],"_cs_severities":["medium"],"_cs_tags":["github","audit","data-loss","impact"],"_cs_type":"advisory","_cs_vendors":["Github"],"content_html":"\u003cp\u003eThis detection strategy focuses on identifying potentially malicious or unauthorized deletion activities within a GitHub organization. The detections hinge on monitoring GitHub audit logs for specific actions related to the deletion of critical resources. This includes actions such as deleting codespaces (\u003ccode\u003ecodespaces.destroy\u003c/code\u003e), deleting environments (\u003ccode\u003eenvironment.delete\u003c/code\u003e), deleting projects (\u003ccode\u003eproject.delete\u003c/code\u003e), and destroying repositories (\u003ccode\u003erepo.destroy\u003c/code\u003e). This activity is important for defenders because these actions can lead to data loss, service disruption, or compromise of the software development lifecycle. The detections are triggered by events recorded within the GitHub audit log, requiring audit log streaming to be enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains unauthorized access to a GitHub account with sufficient privileges. This could be achieved through compromised credentials or insider access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e The attacker escalates privileges within the GitHub organization to gain the necessary permissions to delete resources if they don\u0026rsquo;t already have them.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker identifies valuable codespaces, environments, projects, or repositories within the GitHub organization that they intend to delete.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeletion of Codespaces:\u003c/strong\u003e The attacker executes the \u003ccode\u003ecodespaces.destroy\u003c/code\u003e action, deleting a specific codespace instance, potentially disrupting development workflows.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeletion of Environments:\u003c/strong\u003e The attacker executes the \u003ccode\u003eenvironment.delete\u003c/code\u003e action, removing a specific environment configuration, potentially affecting deployment processes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeletion of Projects:\u003c/strong\u003e The attacker executes the \u003ccode\u003eproject.delete\u003c/code\u003e action, deleting a project board and its associated tasks, impacting project management.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeletion of Repositories:\u003c/strong\u003e The attacker executes the \u003ccode\u003erepo.destroy\u003c/code\u003e action, permanently deleting a repository, leading to code loss and potential service disruption.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The deletion of critical resources disrupts development workflows, causes data loss, and potentially compromises the software development lifecycle.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of these actions can lead to significant disruption of software development workflows, data loss, and potential compromise of the software supply chain. The number of affected resources and the severity of the impact depend on the scope of the attacker\u0026rsquo;s access and the criticality of the deleted resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable GitHub audit log streaming to capture the necessary events for detection (reference: logsource definition).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect \u003ccode\u003ecodespaces.destroy\u003c/code\u003e, \u003ccode\u003eenvironment.delete\u003c/code\u003e, \u003ccode\u003eproject.delete\u003c/code\u003e, and \u003ccode\u003erepo.destroy\u003c/code\u003e actions in the GitHub audit logs, and tune for your environment (reference: rules).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule to determine the legitimacy of the deletion activity and the actor involved (reference: rules, falsepositives).\u003c/li\u003e\n\u003cli\u003eValidate the \u0026ldquo;actor\u0026rdquo; field in the audit logs to ensure the deletion activity is performed by an authorized user (reference: falsepositives).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T10:00:00Z","date_published":"2026-04-28T10:00:00Z","id":"/briefs/2026-04-github-delete-action/","summary":"This brief focuses on detecting deletion actions within GitHub audit logs, specifically targeting the deletion of codespaces, environments, projects, and repositories, potentially indicating malicious activity or insider threats.","title":"Detection of Github Delete Actions in Audit Logs","url":"https://feed.craftedsignal.io/briefs/2026-04-github-delete-action/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["dell","powerprotect","datadomain","vulnerability","privilege-escalation","defense-evasion","credential-access","impact"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple vulnerabilities exist within Dell PowerProtect Data Domain OS, potentially enabling a malicious actor to compromise systems. Successful exploitation could lead to arbitrary code execution with root privileges, privilege escalation to administrator level, circumvention of security mechanisms, data manipulation, sensitive information disclosure, and the execution of other unspecified malicious activities. The vulnerabilities could be exploited to gain complete control over the affected systems, leading to significant data loss, disruption of services, or other severe consequences. The full scope of affected versions and the specific vulnerabilities involved are not detailed in the source information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eGiven the broad nature of the advisory, the following attack chain is constructed based on the potential capabilities granted by exploiting the vulnerabilities:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker exploits a remote code execution vulnerability in Dell PowerProtect Data Domain OS, potentially through a network service or web interface.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker leverages an additional vulnerability to escalate privileges from an initial low-privilege shell to root access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e With root privileges, the attacker disables or bypasses security measures, such as intrusion detection systems or anti-malware software.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker gains access to stored credentials, such as those used for backups or system administration, by dumping the system\u0026rsquo;s credential store.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Manipulation:\u003c/strong\u003e The attacker modifies data stored within the Dell PowerProtect Data Domain system, potentially corrupting backups or injecting malicious code into stored files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInformation Disclosure:\u003c/strong\u003e The attacker extracts sensitive information, such as customer data, internal documents, or system configurations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Using the compromised Data Domain OS, the attacker can pivot to other systems within the network leveraging the credentials obtained or the trust relationships established.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their final objective, which may include data exfiltration, system disruption, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could result in significant damage to organizations utilizing Dell PowerProtect Data Domain OS. This could include data loss due to corruption or deletion, financial losses from service disruption, reputational damage, and legal repercussions from the disclosure of sensitive information. The absence of specific victim counts or sector targeting makes quantifying the impact difficult, but the potential for widespread disruption and data compromise is high.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInvestigate Dell\u0026rsquo;s security advisories and apply the necessary patches to address the vulnerabilities in PowerProtect Data Domain OS as soon as they become available.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a compromised Data Domain OS on other systems.\u003c/li\u003e\n\u003cli\u003eEnable logging on Dell PowerProtect Data Domain OS, including process creation and network connection logs, to detect potential exploitation attempts and investigate suspicious activity, allowing the deployment of the Sigma rules below.\u003c/li\u003e\n\u003cli\u003eMonitor for unauthorized access attempts to Dell PowerProtect Data Domain OS through webserver logs, specifically looking for suspicious cs-uri-query strings (see rule \u0026ldquo;Detect Web Request for Potential Dell PowerProtect Exploit\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T08:05:52Z","date_published":"2026-04-21T08:05:52Z","id":"/briefs/2026-04-dell-powerprotect-vulns/","summary":"Multiple vulnerabilities in Dell PowerProtect Data Domain OS allow an attacker to execute arbitrary code with root privileges, escalate privileges to administrator, bypass security measures, manipulate data, disclose sensitive information, or conduct unspecified attacks.","title":"Multiple Vulnerabilities in Dell PowerProtect Data Domain OS","url":"https://feed.craftedsignal.io/briefs/2026-04-dell-powerprotect-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["aws","cloudtrail","saml","iam","deletion","impact"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe deletion of a SAML provider in AWS can be a significant indicator of malicious activity. An attacker who has gained initial access to an AWS environment may attempt to remove the SAML provider used by the information security team or system administrators. This action can severely impede the team\u0026rsquo;s ability to investigate and respond to ongoing attacks. By disrupting access, the attacker gains a window of opportunity to further escalate privileges, move laterally within the environment, and achieve their objectives without immediate detection or intervention. This activity directly impacts the availability and integrity of resources within the AWS cloud environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained to an AWS account through compromised credentials or other means (T1078.004).\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing IAM resources, including SAML providers, using AWS CLI or API calls.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the SAML provider used by administrative or security teams.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003eDeleteSAMLProvider\u003c/code\u003e API call via the AWS CLI, API, or AWS Management Console (T1531).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDeleteSAMLProvider\u003c/code\u003e event is logged in AWS CloudTrail with a \u0026ldquo;success\u0026rdquo; status.\u003c/li\u003e\n\u003cli\u003eAdministrative and security teams lose access to AWS resources that require SAML authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised account to escalate privileges, create new IAM users, or modify existing policies.\u003c/li\u003e\n\u003cli\u003eThe attacker persists in the environment, potentially exfiltrating data or deploying malicious workloads (T1485).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deletion of an AWS SAML provider can have serious consequences. It disrupts access for administrators and security personnel, delaying incident response and potentially allowing attackers to further compromise the environment. This can lead to data breaches, service disruptions, and financial losses. The severity of the impact depends on the criticality of the affected AWS resources and the speed of detection and recovery.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS SAML Provider Deletion Activity\u0026rdquo; to your SIEM and tune for your environment to detect this specific event.\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003eDeleteSAMLProvider\u003c/code\u003e events in AWS CloudTrail, focusing on the user identity, user agent, and source IP address (logsource: aws/cloudtrail).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all IAM users, especially those with administrative privileges, to reduce the risk of credential compromise (T1110).\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege for all IAM roles and users to limit the impact of compromised credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-12-19T00:00:00Z","date_published":"2024-12-19T00:00:00Z","id":"/briefs/2024-12-19-aws-saml-provider-deletion/","summary":"An adversary may delete an AWS SAML provider to disrupt administrative access, hindering incident response and potentially escalating privileges within the AWS environment.","title":"AWS SAML Provider Deletion Activity","url":"https://feed.craftedsignal.io/briefs/2024-12-19-aws-saml-provider-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Okta Identity Engine"],"_cs_severities":["medium"],"_cs_tags":["okta","network-zone","impact"],"_cs_type":"advisory","_cs_vendors":["Okta"],"content_html":"\u003cp\u003eOkta network zones define trusted network boundaries for user access. These zones are configured with specific IP address ranges and can be used to restrict access to applications and resources. When an Okta network zone is deactivated or deleted, it can indicate a malicious actor attempting to weaken security policies, potentially allowing unauthorized access from untrusted locations. This activity is relevant for defenders because it may signal a breach in progress or preparation for future attacks. Compromised administrator accounts are often used to make unauthorized configuration changes in SaaS platforms. This alert focuses on activity within the Okta platform itself.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an Okta administrator account, potentially through credential theft or phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Okta administrative console.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the network zone configuration within the Okta admin console.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target network zone that restricts access to critical resources.\u003c/li\u003e\n\u003cli\u003eThe attacker deactivates the target network zone, effectively disabling its restrictions. Alternatively, the attacker deletes the network zone.\u003c/li\u003e\n\u003cli\u003eThe attacker may modify other security settings, such as MFA policies, to further weaken the security posture.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the relaxed network restrictions to access sensitive applications or data from previously unauthorized locations.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions, such as data exfiltration or lateral movement, using the compromised Okta session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deactivation or deletion of an Okta network zone can have serious consequences. It can lead to unauthorized access to sensitive applications and data, potentially resulting in data breaches, financial loss, and reputational damage. The impact is especially high if the affected network zone was protecting critical infrastructure or sensitive customer data. Depending on the scope of access granted, a single deactivated zone could expose data belonging to thousands of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Okta Network Zone Deactivated or Deleted\u0026rdquo; Sigma rule to your SIEM to detect this activity (logsource: okta, service: okta, eventType: zone.deactivate/zone.delete).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of network zone deactivation or deletion to determine if they were authorized changes.\u003c/li\u003e\n\u003cli\u003eReview Okta administrator account activity for signs of compromise, such as login attempts from unusual locations.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all Okta administrator accounts to prevent unauthorized access.\u003c/li\u003e\n\u003cli\u003eMonitor the Okta system logs for other suspicious configuration changes, such as modifications to MFA policies or application assignments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T18:22:00Z","date_published":"2024-01-26T18:22:00Z","id":"/briefs/2024-01-26-okta-network-zone-changes/","summary":"An Okta network zone was deactivated or deleted, potentially indicating malicious activity aimed at bypassing security controls.","title":"Okta Network Zone Deactivation or Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-26-okta-network-zone-changes/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["ransomware","impact","lateral-movement","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies potential ransomware activity through the rapid creation of ransom notes via SMB shares. The rule focuses on file creation events originating from the SYSTEM account (PID 4), targeting common ransom note file extensions like .txt, .html, .pdf, and image files. This activity suggests an attacker has achieved lateral movement and is deploying ransom notes across multiple systems. The rule aggregates events within a 60-second window to reduce false positives and focus on high-frequency creation patterns indicative of automated ransomware deployment. Successful detection can help defenders quickly identify and contain ransomware outbreaks before widespread encryption occurs. The original Elastic detection rule was published on 2024-05-03 and updated on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system through an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems on the network using valid accounts or exploits. (T1021.002 - SMB/Windows Admin Shares)\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool to remotely create files over SMB. (T1021.002 - SMB/Windows Admin Shares)\u003c/li\u003e\n\u003cli\u003eThe SYSTEM account (PID 4) on a compromised host is used to create multiple files with the same name but different paths (C:*) over SMB.\u003c/li\u003e\n\u003cli\u003eThe created files have file extensions commonly associated with ransom notes: .txt, .htm, .html, .hta, .pdf, .jpg, .bmp, .png.\u003c/li\u003e\n\u003cli\u003eThe files are dropped into at least 3 unique paths within a short time frame (60 seconds).\u003c/li\u003e\n\u003cli\u003eThe attacker encrypts data and leaves the ransom notes to instruct victims on how to pay the ransom. (T1486 - Data Encrypted for Impact)\u003c/li\u003e\n\u003cli\u003eThe organization experiences data loss, financial damage, and reputational harm.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful ransomware attacks can lead to significant data loss, financial costs associated with ransom payments, recovery efforts, and reputational damage. Organizations may experience business disruption, regulatory fines, and legal liabilities. The Akira ransomware group, referenced in the original rule\u0026rsquo;s documentation, has been known to target various sectors, demanding substantial ransoms from victims. The widespread distribution of ransom notes indicates an advanced stage of the ransomware attack, necessitating immediate containment to prevent further data encryption and system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePotential Ransomware Note File Dropped via SMB\u003c/code\u003e to your SIEM to detect suspicious file creation activity indicative of ransomware deployment.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend for enhanced endpoint detection and response capabilities, as recommended in the rule\u0026rsquo;s setup instructions.\u003c/li\u003e\n\u003cli\u003eMonitor incoming network connections to port 445 (SMB) on critical assets, as suggested in the rule\u0026rsquo;s triage analysis.\u003c/li\u003e\n\u003cli\u003eInvestigate file names with unusual extensions to identify potential ransom notes, as mentioned in the triage analysis.\u003c/li\u003e\n\u003cli\u003eIsolate any hosts identified as creating multiple note files over SMB to prevent further lateral movement and data encryption, as described in the rule\u0026rsquo;s response and remediation steps.\u003c/li\u003e\n\u003cli\u003eReview and enforce network segmentation policies to limit lateral movement and reduce the impact of potential ransomware attacks (TA0008).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-22T12:00:00Z","date_published":"2024-01-22T12:00:00Z","id":"/briefs/2024-01-22-potential-ransomware-smb/","summary":"This rule detects potential ransomware behavior by identifying the creation of multiple files with the same name over SMB by the SYSTEM account, potentially indicating remote execution of ransomware dropping note files.","title":"Potential Ransomware Behavior - Note Files Dropped via SMB","url":"https://feed.craftedsignal.io/briefs/2024-01-22-potential-ransomware-smb/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GitHub"],"_cs_severities":["low"],"_cs_tags":["github","repository","archive","unarchive","persistence","impact","defense-impairment"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of unauthorized changes to GitHub repository archive status. Attackers may archive or unarchive repositories as a means of persistence, to impact the availability of resources, or to impair defenses by hiding malicious code. The activity is logged within GitHub\u0026rsquo;s audit logs and can be monitored to identify potentially malicious actions. Monitoring these events can help organizations identify and respond to unauthorized modifications of their GitHub repositories. This is especially relevant for organizations relying heavily on GitHub for code management and collaboration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub account with repository administration privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the GitHub platform using the compromised credentials or a stolen session token.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the settings page of a target repository.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the repository\u0026rsquo;s archive status, either archiving or unarchiving it depending on their objective.\u003c/li\u003e\n\u003cli\u003eGitHub logs the \u0026lsquo;repo.archived\u0026rsquo; or \u0026lsquo;repo.unarchived\u0026rsquo; action in the organization\u0026rsquo;s audit logs.\u003c/li\u003e\n\u003cli\u003e(If archiving) Legitimate users may lose access to the repository and its code, causing disruption.\u003c/li\u003e\n\u003cli\u003e(If unarchiving) The attacker might reintroduce vulnerable code or malicious content into an active repository.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt to exploit the unarchived repository for further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of unauthorized repository archiving or unarchiving can range from temporary disruption of services to the reintroduction of vulnerable code. A successful attack could lead to data breaches, code compromise, or supply chain attacks. The number of affected repositories depends on the scope of the attacker\u0026rsquo;s access and objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;GitHub Repository Archive Status Changed\u0026rdquo; to your SIEM and tune for your environment. This rule detects the \u003ccode\u003erepo.archived\u003c/code\u003e and \u003ccode\u003erepo.unarchived\u003c/code\u003e actions in GitHub audit logs (logsource: github, service: audit).\u003c/li\u003e\n\u003cli\u003eReview GitHub audit logs regularly for unexpected repository archiving or unarchiving events.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected events to determine if the actions were authorized.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T15:00:00Z","date_published":"2024-01-04T15:00:00Z","id":"/briefs/2024-01-github-repo-archive-status-changed/","summary":"Detection of GitHub repository archiving or unarchiving events, which could indicate malicious activity such as persistence, impact, or defense impairment.","title":"GitHub Repository Archive Status Changed","url":"https://feed.craftedsignal.io/briefs/2024-01-github-repo-archive-status-changed/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Backup Exec","Veeam","Microsoft Power BI Enterprise Gateway","Trend Micro"],"_cs_severities":["medium"],"_cs_tags":["impact","backup deletion","ransomware"],"_cs_type":"advisory","_cs_vendors":["Elastic","Veritas","Veeam","Trend Micro","Microsoft"],"content_html":"\u003cp\u003eThis rule identifies the deletion of backup files, specifically those created by Veeam and Veritas Backup Exec, through unexpected processes on Windows systems. The rule aims to detect potential attempts to inhibit system recovery by adversaries, particularly in the context of ransomware attacks. Attackers often target backup files to eliminate recovery options for victims. This detection focuses on identifying file deletion events where the process responsible for the deletion does not belong to the trusted backup software suite. The rule excludes known legitimate processes and directories like Trend Micro\u0026rsquo;s, Microsoft Exchange Mailbox Assistants, and the Recycle Bin to minimize false positives. The original Elastic detection rule was created in October 2021 and last updated May 4, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary gains initial access to the target Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance to identify backup file locations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a non-backup related process (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e) to delete backup files.\u003c/li\u003e\n\u003cli\u003eThe attacker targets Veeam backup files with extensions \u003ccode\u003eVBK\u003c/code\u003e, \u003ccode\u003eVIB\u003c/code\u003e, and \u003ccode\u003eVBM\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker targets Veritas Backup Exec files with the \u003ccode\u003eBKF\u003c/code\u003e extension.\u003c/li\u003e\n\u003cli\u003eThe deletion events are logged by the endpoint detection system.\u003c/li\u003e\n\u003cli\u003eThe detection rule triggers, identifying the anomalous deletion activity based on file extension and process context.\u003c/li\u003e\n\u003cli\u003eSuccessful deletion of backups impairs the victim\u0026rsquo;s ability to recover from ransomware or other destructive attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of backup files can severely impact an organization\u0026rsquo;s ability to recover from a ransomware attack or other data loss events. Without viable backups, the victim organization may be forced to pay a ransom or face significant data loss and business disruption. This tactic directly increases the attacker\u0026rsquo;s leverage and potential financial gain. The rule\u0026rsquo;s documentation cites a report from AdvIntel detailing backup removal solutions seen with Conti ransomware.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eUnexpected Veeam Backup File Deletion\u003c/code\u003e to your SIEM and tune for your environment to detect unexpected deletion of Veeam backup files.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eUnexpected Veritas Backup File Deletion\u003c/code\u003e to your SIEM and tune for your environment to detect unexpected deletion of Veritas Backup Exec files.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules to determine the source of the deletion and assess potential impact.\u003c/li\u003e\n\u003cli\u003eEnable endpoint file event logging to capture file deletion events, which are crucial for the Sigma rules.\u003c/li\u003e\n\u003cli\u003eReview process execution chains (parent process tree) for unknown processes to identify the root cause of unexpected file deletions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:12:00Z","date_published":"2024-01-03T18:12:00Z","id":"/briefs/2024-01-03-backup-deletion/","summary":"This detection identifies the deletion of backup files by processes outside of the backup suite, specifically targeting Veritas and Veeam backups, which may indicate an attempt to prevent recovery from ransomware.","title":"Third-party Backup Files Deleted via Unexpected Process","url":"https://feed.craftedsignal.io/briefs/2024-01-03-backup-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["boot-configuration","bcdedit","impact","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies the execution of \u003ccode\u003ebcdedit.exe\u003c/code\u003e with specific arguments that modify the boot configuration data (BCD) store in Windows systems. Attackers or malware may use this technique to disable Windows Error Recovery (\u003ccode\u003erecoveryenabled\u003c/code\u003e) or to ignore errors during the boot process (\u003ccode\u003ebootstatuspolicy ignoreallfailures\u003c/code\u003e). These modifications are often performed to prevent systems from recovering properly after an attack, particularly in ransomware scenarios. The rule is designed to work with data from Elastic Defend, CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon. The detection logic focuses on process execution events that include the relevant \u003ccode\u003ebcdedit.exe\u003c/code\u003e command-line arguments. Defenders should be aware of legitimate uses of \u003ccode\u003ebcdedit.exe\u003c/code\u003e by administrators for troubleshooting or data recovery purposes, so context is crucial.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the system through various means, such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges to gain administrative access, required to modify boot configuration settings.\u003c/li\u003e\n\u003cli\u003eReconnaissance: The attacker performs reconnaissance to identify the system\u0026rsquo;s configuration and identify appropriate targets for modification.\u003c/li\u003e\n\u003cli\u003eDisable Recovery: The attacker uses \u003ccode\u003ebcdedit.exe\u003c/code\u003e to disable Windows Error Recovery using the \u003ccode\u003e/set {default} recoveryenabled No\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eIgnore Boot Failures: The attacker uses \u003ccode\u003ebcdedit.exe\u003c/code\u003e to set the boot status policy to ignore all failures using the \u003ccode\u003e/set {default} bootstatuspolicy ignoreallfailures\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eSystem Impact: By modifying the boot configuration, the attacker inhibits system recovery, making it harder for the system to recover from errors or malicious activity.\u003c/li\u003e\n\u003cli\u003ePayload Execution: The attacker deploys and executes the primary malicious payload, such as ransomware, leveraging the modified boot configuration to maximize impact.\u003c/li\u003e\n\u003cli\u003eFinal Objective: The attacker achieves their final objective, which could include data encryption, data theft, or system disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of boot configuration data can lead to significant system instability and data loss. In ransomware attacks, this technique prevents the system from recovering, increasing the likelihood of the victim paying the ransom. While the exact number of affected organizations is unknown, this technique is widely used in ransomware campaigns and can affect any Windows system if successfully executed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Modification of Boot Configuration\u0026rdquo; Sigma rule to your SIEM and tune for your environment to detect the malicious use of \u003ccode\u003ebcdedit.exe\u003c/code\u003e described in this brief.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture \u003ccode\u003ebcdedit.exe\u003c/code\u003e executions and their command-line arguments (Sysmon Event ID 1).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u003ccode\u003ebcdedit.exe\u003c/code\u003e modifying boot configuration settings to determine legitimacy, as described in the rule\u0026rsquo;s \u0026ldquo;Triage and analysis\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for unexpected processes running \u003ccode\u003ebcdedit.exe\u003c/code\u003e with arguments related to disabling recovery or ignoring boot failures.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"/briefs/2024-01-bcdedit-boot-config-modification/","summary":"This rule identifies the use of bcdedit.exe to modify boot configuration data, which may be indicative of a destructive attack or ransomware activity aimed at inhibiting system recovery by disabling error recovery or ignoring boot failures.","title":"Detection of Bcdedit Boot Configuration Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-bcdedit-boot-config-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["medium"],"_cs_tags":["azure","application","deletion","impact","t1489"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection focuses on identifying instances where an application is deleted within an Azure environment. While legitimate application deletions occur as part of IT administration, malicious actors might delete applications to disrupt services, remove evidence of their presence, or prepare for a larger attack by removing security controls or access points. This activity is logged within Azure Activity Logs and includes events such as \u0026ldquo;Delete application\u0026rdquo; and \u0026ldquo;Hard Delete application\u0026rdquo;. Monitoring these events can provide early warning of potential security incidents or compliance violations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains unauthorized access to an Azure account, potentially through compromised credentials or exploiting a vulnerability in an application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e The attacker escalates their privileges within the Azure environment to gain sufficient permissions to manage and delete applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker identifies target applications for deletion, potentially those critical for business operations or those used for security controls.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDisable Monitoring (Optional):\u003c/strong\u003e The attacker attempts to disable logging or monitoring related to application management to avoid detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApplication Deletion:\u003c/strong\u003e The attacker initiates the deletion of the targeted application using the Azure portal, Azure CLI, or PowerShell.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConfirmation/Hard Delete:\u003c/strong\u003e Depending on the application\u0026rsquo;s configuration and Azure policies, the attacker may need to confirm the deletion or perform a \u0026ldquo;hard delete\u0026rdquo; to permanently remove the application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCover Tracks:\u003c/strong\u003e The attacker attempts to remove any remaining logs or traces of their activity to hinder forensic investigation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e Service disruption or data loss due to the deleted application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deletion of an Azure application can lead to significant service disruption, data loss, and potential financial damages. The impact depends on the criticality of the deleted application and the organization\u0026rsquo;s disaster recovery capabilities. Successful deletion can interrupt business processes, impacting both internal users and external customers. It may also lead to reputational damage and compliance violations if the application handled sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect application deletion events in Azure Activity Logs.\u003c/li\u003e\n\u003cli\u003eReview user roles and permissions in Azure Active Directory (Entra ID) and enforce the principle of least privilege.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges.\u003c/li\u003e\n\u003cli\u003eEnable auditing and logging for all Azure resources, including application management activities.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected application deletion events promptly to determine the root cause and potential impact.\u003c/li\u003e\n\u003cli\u003eEstablish a process for reviewing and approving application deletion requests to prevent accidental or malicious deletions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:27:00Z","date_published":"2024-01-03T15:27:00Z","id":"/briefs/2024-01-azure-app-deletion/","summary":"This alert identifies when an application is deleted within an Azure environment, which could indicate malicious activity or unintended misconfiguration leading to service disruption.","title":"Detection of Azure Application Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-app-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike Falcon","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["impact","backup-deletion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers, including ransomware groups, often attempt to remove or impair an organization\u0026rsquo;s ability to recover from an attack. One method to achieve this is by deleting Windows backup catalogs and system state backups using the \u003ccode\u003ewbadmin.exe\u003c/code\u003e utility. Windows Server Backup stores details about backups (what volumes are backed up and where the backups are located) in a backup catalog. Removing these catalogs renders backups unusable for recovery, increasing the impact of the attack. This technique is frequently observed in ransomware playbooks and other destructive attacks targeting Windows environments. This activity can be detected using endpoint detection and response (EDR) solutions, Windows Security Event Logs, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system via phishing, exploiting a vulnerability, or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to administrator level to execute wbadmin.exe.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewbadmin.exe\u003c/code\u003e with the \u003ccode\u003edelete catalog\u003c/code\u003e command to remove backup catalogs.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewbadmin.exe\u003c/code\u003e with the \u003ccode\u003edelete systemstatebackup\u003c/code\u003e command to remove system state backups.\u003c/li\u003e\n\u003cli\u003eThe attacker may also delete shadow copies using \u003ccode\u003evssadmin.exe\u003c/code\u003e or \u003ccode\u003ewmic.exe\u003c/code\u003e to further hinder recovery.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys ransomware or initiates other destructive actions.\u003c/li\u003e\n\u003cli\u003eThe attacker encrypts or destroys data on the system and connected network shares.\u003c/li\u003e\n\u003cli\u003eThe attacker demands a ransom payment for data recovery, which is complicated by the deleted backups.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of backup catalogs and system state backups significantly impairs an organization\u0026rsquo;s ability to recover from a ransomware attack or other destructive event. This can lead to prolonged downtime, data loss, and financial losses associated with incident response and recovery efforts. While the number of direct victims of this specific technique is difficult to quantify, the impact is typically observed in conjunction with broader ransomware campaigns affecting organizations across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging with Event ID 1 to capture \u003ccode\u003ewbadmin.exe\u003c/code\u003e executions and activate the first Sigma rule.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security Event Logs for process creation events related to \u003ccode\u003ewbadmin.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003ewbadmin.exe\u003c/code\u003e executing with \u003ccode\u003edelete\u003c/code\u003e arguments.\u003c/li\u003e\n\u003cli\u003eReview and harden account access controls to prevent unauthorized use of \u003ccode\u003ewbadmin.exe\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-wbadmin-backup-deletion/","summary":"Adversaries may delete Windows backup catalogs and system state backups using wbadmin.exe to inhibit system recovery, often as part of ransomware or other destructive attacks.","title":"Windows Backup Deletion via Wbadmin","url":"https://feed.craftedsignal.io/briefs/2024-01-wbadmin-backup-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["impact","t1490","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may disable the Windows System Restore feature to prevent victims from easily reverting their systems to a clean state after an infection or other malicious activity. This action complicates incident response and remediation efforts, forcing more complex and time-consuming recovery procedures. Disabling system restore is often performed post-compromise to ensure persistence and hinder forensic analysis. This technique can be implemented manually through the registry editor or via automated scripts, making it accessible to a wide range of threat actors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through various methods (e.g., phishing, exploitation).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to Administrator or SYSTEM.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify registry keys.\u003c/li\u003e\n\u003cli\u003eThe attacker targets the \u003ccode\u003eHKLM\\Software\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableConfig\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker targets the \u003ccode\u003eHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the value of the targeted registry key to \u003ccode\u003eDWORD:00000001\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker confirms the System Restore feature is disabled.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with further malicious activities, knowing that recovery is hindered.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling System Restore can significantly impede recovery efforts following a cyber incident. Organizations may face longer downtimes and increased costs associated with manual system reimaging or advanced forensic analysis. The absence of readily available restore points can also lead to data loss if systems are severely damaged or encrypted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRegistry Disable System Restore\u003c/code\u003e to your SIEM to detect malicious attempts to disable System Restore via registry modification.\u003c/li\u003e\n\u003cli\u003eMonitor registry modifications related to System Restore configurations, focusing on the keys \u003ccode\u003e\\Policies\\Microsoft\\Windows NT\\SystemRestore\u003c/code\u003e and \u003ccode\u003e\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\u003c/code\u003e, and values set to \u003ccode\u003eDWORD (0x00000001)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to prevent unauthorized modification of registry settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-disable-system-restore/","summary":"Attackers disable Windows System Restore by modifying specific registry keys to hinder recovery efforts after malicious activity.","title":"Windows System Restore Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-03-disable-system-restore/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["persistence","impact","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious remote password resets targeting potentially privileged accounts on Windows systems. Attackers may attempt to reset passwords to maintain unauthorized access, evade password duration policies, or preserve compromised credentials. The rule focuses on network logins followed by password reset actions, specifically targeting privileged accounts to reduce false positives. The rule leverages Windows Security Event Logs to detect successful network logins and subsequent password reset events. The goal is to detect anomalous password reset activities that could indicate malicious activity. The rule was last updated on 2026/05/04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the network (e.g., through credential theft or phishing).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts a network login to a Windows system, generating a 4624 event with logon type \u0026ldquo;Network\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe system logs a successful authentication event (event ID 4624) with a network logon type.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a privileged account, such as an administrator account or a service account with elevated permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a password reset for the privileged account.\u003c/li\u003e\n\u003cli\u003eA password reset event (event ID 4724) is triggered, indicating that a password has been reset.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the reset password to maintain persistent access to the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions using the compromised privileged account, potentially leading to data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful password resets of privileged accounts can lead to significant security breaches. Attackers can maintain persistent access, escalate privileges, and move laterally within the network. This can result in data theft, system compromise, and disruption of services. If successful, attackers can potentially gain control over critical systems and data, leading to significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the Windows audit policies for \u0026ldquo;Audit Logon\u0026rdquo; and \u0026ldquo;Audit User Account Management\u0026rdquo; to generate the necessary events for this detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Remote Password Reset of Privileged Account\u0026rdquo; to your SIEM and tune it to your environment, excluding legitimate administrative accounts and processes.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by reviewing the source IP address and the target account to determine if the password reset was authorized.\u003c/li\u003e\n\u003cli\u003eMonitor for Event ID 4724 (Account Password Reset) in conjunction with network login events to identify suspicious password reset activity.\u003c/li\u003e\n\u003cli\u003eReview and update access controls and privileged account management policies to prevent similar incidents in the future, as mentioned in the overview section.\u003c/li\u003e\n\u003cli\u003eCreate exceptions for known IT personnel or service accounts that legitimately perform remote password resets, as detailed in the false positive analysis section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:30:00Z","date_published":"2024-01-02T15:30:00Z","id":"/briefs/2024-01-remote-password-reset/","summary":"The rule detects attempts to reset potentially privileged account passwords remotely, a tactic used by adversaries to maintain access, evade password policies, and preserve compromised credentials.","title":"Account Password Reset Remotely","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-password-reset/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["impact","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies a suspicious pattern of rapid process and service terminations on a Windows host. Attackers commonly stop services and kill processes to disable security tools, release file locks for encryption, or disrupt normal system operations. The rule specifically looks for multiple instances of termination-related commands executed via \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003esc.exe\u003c/code\u003e, or \u003ccode\u003etaskkill.exe\u003c/code\u003e within a short timeframe. This activity can be indicative of an attacker preparing a system for ransomware deployment or attempting to evade defenses. The detection focuses on Windows systems, leveraging process monitoring logs. This behavior aligns with tactics used to impair defenses and achieve significant impact on compromised systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Windows host (e.g., through phishing or exploitation).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to obtain necessary permissions to terminate processes and services.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003enet.exe\u003c/code\u003e to stop specific services, such as backup solutions or security software.\u003c/li\u003e\n\u003cli\u003eThe attacker employs \u003ccode\u003esc.exe\u003c/code\u003e to delete services, preventing them from restarting automatically.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes \u003ccode\u003etaskkill.exe\u003c/code\u003e with flags like \u003ccode\u003e/F\u003c/code\u003e, \u003ccode\u003e/IM\u003c/code\u003e, or \u003ccode\u003e/PID\u003c/code\u003e to forcefully terminate processes.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats these steps, rapidly terminating multiple processes and services.\u003c/li\u003e\n\u003cli\u003eThe attacker prepares the system for ransomware deployment by disabling security measures.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys ransomware, encrypting data and demanding a ransom for its recovery.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to disruption of critical services, disabling of security controls, and potential data loss. If an attacker successfully terminates security solutions, they can significantly increase the likelihood of successful ransomware deployment or data exfiltration. The impact can range from temporary service outages to complete system compromise and data encryption, resulting in financial losses, reputational damage, and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eHigh Number of Process Terminations via Taskkill\u003c/code\u003e and \u003ccode\u003eHigh Number of Service Terminations via SC\u003c/code\u003e Sigma rules to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the rules, focusing on the processes terminated and the user accounts involved.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments to ensure the rules have sufficient data to function effectively.\u003c/li\u003e\n\u003cli\u003eReview the references provided to understand attacker techniques and improve detection strategies.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the lateral movement of attackers.\u003c/li\u003e\n\u003cli\u003eRegularly review and update security policies to prevent unauthorized process termination.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-high-process-termination/","summary":"A high number of process terminations (stop, delete, or suspend) from the same Windows host within a short time period may indicate malicious activity such as an attacker attempting to disable security measures or prepare for ransomware deployment.","title":"High Number of Process and/or Service Terminations Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-high-process-termination/"}],"language":"en","title":"CraftedSignal Threat Feed — Impact","version":"https://jsonfeed.org/version/1.1"}