{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/lateral-movement/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["kubernetes","kubelet","lateral-movement","discovery","execution","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies potential direct Kubelet API access attempts on Linux systems. The Kubelet, acting as the primary node agent, exposes an authenticated HTTPS API on port 10250 and, on nodes where it has not been disabled, an unauthenticated read-only HTTP API on port 10255. Attackers may use this API to enumerate pods, fetch container logs, or, on port 10250 when authentication or authorization is weak, execute commands inside running containers. This access can lead to significant breaches in Kubernetes environments, facilitating discovery, lateral movement, and ultimately, compromise of sensitive data or control over cluster resources. The detection focuses on identifying process executions where the command-line arguments contain URLs targeting these Kubelet ports, indicating a potential attempt to interact with the Kubelet API directly. Because the rule keys on command-line arguments, a client that builds the request in code (for example a Python script using an HTTP library) rather than passing the URL on the command line will not be observed by it.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a pod or host within the Kubernetes cluster, or to a host with network access to the Kubelet ports.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a utility like \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003epython\u003c/code\u003e, or similar tools to craft an HTTP request targeting the Kubelet API on ports 10250 or 10255.\u003c/li\u003e\n\u003cli\u003eThe request includes a path like \u003ccode\u003e/pods\u003c/code\u003e, \u003ccode\u003e/runningpods\u003c/code\u003e, \u003ccode\u003e/metrics\u003c/code\u003e, \u003ccode\u003e/exec\u003c/code\u003e, or \u003ccode\u003e/containerLogs\u003c/code\u003e (the write endpoints \u003ccode\u003e/exec\u003c/code\u003e and \u003ccode\u003e/run\u003c/code\u003e are served only on port 10250; the read-only port exposes read endpoints such as \u003ccode\u003e/pods\u003c/code\u003e and \u003ccode\u003e/metrics\u003c/code\u003e only) to gather 
information about the cluster\u0026rsquo;s state and configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker examines the response to identify potential targets for lateral movement, such as specific pods or containers of interest.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to execute commands within a container using the \u003ccode\u003e/exec\u003c/code\u003e endpoint, potentially leveraging exposed service account tokens or other credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses gathered information to move laterally to other pods or nodes within the cluster, escalating privileges as they go.\u003c/li\u003e\n\u003cli\u003eThe attacker compromises sensitive data or critical applications running within the Kubernetes cluster.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to full cluster compromise. Attackers can gain unauthorized access to sensitive data, disrupt critical applications, and move laterally to other resources within the Kubernetes environment. This could lead to significant financial losses, reputational damage, and legal liabilities. 
The potential impact includes data breaches, denial of service, and complete control over the Kubernetes infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eKubelet API Access via Process Arguments\u003c/code\u003e to your SIEM to detect suspicious process executions.\u003c/li\u003e\n\u003cli\u003eRestrict access to Kubelet ports 10250/10255 at the network layer (host firewall, security groups, or NetworkPolicy covering the node CIDR) so that only the API server and trusted monitoring components can reach them; pod-to-node and host-to-node traffic to these ports should be denied by default.\u003c/li\u003e\n\u003cli\u003eHarden the Kubelet configuration: disable anonymous authentication (\u003ccode\u003e--anonymous-auth=false\u003c/code\u003e, or \u003ccode\u003eauthentication.anonymous.enabled: false\u003c/code\u003e in KubeletConfiguration), require requests to be authorized through the API server (\u003ccode\u003e--authorization-mode=Webhook\u003c/code\u003e / \u003ccode\u003eauthorization.mode: Webhook\u003c/code\u003e) with client-certificate or bearer-token authentication, and disable the unauthenticated read-only port (\u003ccode\u003e--read-only-port=0\u003c/code\u003e / \u003ccode\u003ereadOnlyPort: 0\u003c/code\u003e). Verify the running settings on a node by inspecting the kubelet\u0026rsquo;s config file (\u003ccode\u003e/var/lib/kubelet/config.yaml\u003c/code\u003e on kubeadm clusters) or the kubelet process arguments rather than trusting distribution defaults.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T21:18:23Z","date_published":"2026-05-04T21:18:23Z","id":"/briefs/2024-01-09-kubelet-access/","summary":"This rule detects potential direct Kubelet API access attempts on Linux by identifying process executions whose arguments contain URLs targeting Kubelet ports (10250/10255) enabling discovery and lateral movement in Kubernetes environments.","title":"Potential Direct Kubelet API Access via Process Arguments","url":"https://feed.craftedsignal.io/briefs/2024-01-09-kubelet-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Server Update Services"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","wsus","psexec","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies potential abuse of Windows Server Update Services (WSUS) for lateral movement by executing PsExec. WSUS distributes updates for Microsoft products, and clients install only payloads that carry a signature they trust (Microsoft\u0026rsquo;s by default). Attackers can exploit this by using WSUS to distribute and execute Microsoft-signed tools like PsExec, which can then be used to move laterally within the network. 
This technique leverages the trust relationship inherent in WSUS to bypass security controls. The rule focuses on detecting suspicious processes initiated by \u003ccode\u003ewuauclt.exe\u003c/code\u003e (the Windows Update client) executing PsExec from the \u003ccode\u003eC:\\Windows\\SoftwareDistribution\\Download\\Install\\\u003c/code\u003e directory. Defenders should monitor WSUS activity and PsExec executions to detect and respond to this potential threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises a system within the target network.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control over the WSUS server or, where clients fetch updates over plain HTTP rather than HTTPS, performs a man-in-the-middle attack to spoof WSUS.\u003c/li\u003e\n\u003cli\u003eThe attacker publishes an update whose payload is the Microsoft-signed PsExec binary and whose install command line carries the attacker\u0026rsquo;s arguments, then approves it for the target computer groups.\u003c/li\u003e\n\u003cli\u003eThe WSUS client (\u003ccode\u003ewuauclt.exe\u003c/code\u003e) on targeted machines downloads the \u0026ldquo;approved\u0026rdquo; update from the WSUS server, placing PsExec in the \u003ccode\u003eC:\\Windows\\SoftwareDistribution\\Download\\Install\\\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe WSUS client executes PsExec with the attacker-supplied arguments under the SYSTEM account used by the Windows Update service.\u003c/li\u003e\n\u003cli\u003ePsExec is used to execute commands on the local machine or on other systems on the network, or to transfer files to them.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised systems to gather credentials or move laterally to other high-value targets.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to achieve lateral movement within the network, leading to the compromise of additional systems and sensitive data. This can result in data breaches, financial loss, and reputational damage. 
The scope of impact depends on the level of access achieved by the attacker and the value of the compromised systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eWSUS PsExec Execution\u003c/code\u003e to detect potential WSUS abuse involving PsExec execution.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to gain visibility into process executions, as referenced in the \u003ca href=\"https://ela.st/sysmon-event-1-setup\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for WSUS activities to detect unauthorized changes or updates.\u003c/li\u003e\n\u003cli\u003eInvestigate and remove any unauthorized binaries found in the \u003ccode\u003eC:\\Windows\\SoftwareDistribution\\Download\\Install\\\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eReview and restrict the accounts authorized to manage WSUS to prevent unauthorized modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-07-wsus-psexec/","summary":"Adversaries may exploit Windows Server Update Services (WSUS) to execute PsExec for lateral movement within a network by abusing the trusted update mechanism to run signed binaries.","title":"Potential WSUS Abuse for Lateral Movement via PsExec","url":"https://feed.craftedsignal.io/briefs/2024-07-wsus-psexec/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","threat-detection","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003ePass-the-Hash (PtH) is a technique where attackers leverage stolen password hashes to authenticate and move laterally within a Windows environment, bypassing standard system access controls. 
Instead of needing the plaintext password, adversaries use the NT hash of the password as the key in NTLM challenge-response authentication to a remote service or server. This detection rule identifies potential PtH attempts by monitoring successful logon events (Windows Security Event ID 4624) in which the account SID belongs to a domain or local account (S-1-5-21-*) or an Entra ID account (S-1-12-1-*) and the logon process is \u003ccode\u003eseclogo\u003c/code\u003e. \u003ccode\u003eseclogo\u003c/code\u003e is the Secondary Logon service, which creates a new logon session with explicit credentials on behalf of \u003ccode\u003erunas\u003c/code\u003e and \u003ccode\u003eCreateProcessWithLogonW\u003c/code\u003e; Mimikatz \u003ccode\u003esekurlsa::pth\u003c/code\u003e starts its process through the same path with the network-credentials-only flag (logon type 9, NewCredentials) and then replaces the session\u0026rsquo;s NTLM credential with the stolen hash, so a NewCredentials logon via \u003ccode\u003eseclogo\u003c/code\u003e is the artifact the rule keys on. Because \u003ccode\u003erunas /netonly\u003c/code\u003e produces the same event, hits are candidates to correlate with subsequent outbound NTLM authentication rather than confirmed attacks. This is important because successful PtH attacks can lead to widespread compromise of sensitive data and critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker dumps password hashes from the compromised system using tools like Mimikatz.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the stolen hash into a new logon session on the compromised host (for example with Mimikatz \u003ccode\u003esekurlsa::pth\u003c/code\u003e), which starts a process through the \u003ccode\u003eseclogo\u003c/code\u003e logon process and records a successful NewCredentials logon on that host.\u003c/li\u003e\n\u003cli\u003eProcesses in that session authenticate to the target system over NTLM; the target (or its domain controller) validates the challenge-response computed from the hash, granting access without the plaintext password.\u003c/li\u003e\n\u003cli\u003eThe Event ID 4624 recorded on the source host carries a real user SID matching S-1-5-21-* or S-1-12-1-* rather than a built-in system account, which is the filter the rule applies.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their unauthorized access to move laterally to other systems or access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful Pass-the-Hash attacks can lead to significant damage, including 
unauthorized access to sensitive data, lateral movement within the network, and potential data exfiltration or ransomware deployment. Organizations can experience financial losses, reputational damage, and operational disruptions. While the specific number of victims is not stated, PtH is a common technique used in many breaches, potentially affecting any organization that relies on Windows authentication.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Logon to generate the necessary Windows Security Event Logs as referenced in the setup instructions \u003ca href=\"https://ela.st/audit-logon\"\u003ehttps://ela.st/audit-logon\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to your SIEM to detect potential Pass-the-Hash attempts. Tune the rule to account for legitimate uses of the \u003ccode\u003eseclogo\u003c/code\u003e logon process.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on correlating the successful authentication events with other security logs to identify any lateral movement or access to sensitive systems.\u003c/li\u003e\n\u003cli\u003eReview and update access controls and permissions for the affected accounts to ensure they adhere to the principle of least privilege after an incident, as detailed in the Response and Remediation section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-01-potential-pth/","summary":"This rule detects potential Pass-the-Hash (PtH) attempts in Windows environments by monitoring successful authentications with specific user IDs (S-1-5-21-* or S-1-12-1-*) and the `seclogo` logon process, where attackers use stolen password hashes to authenticate and move laterally across systems without needing plaintext passwords.","title":"Potential Pass-the-Hash (PtH) Attempt 
Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-potential-pth/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike FDR"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","lateral-movement","persistence","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eLocalAccountTokenFilterPolicy is a Windows registry value that, when set to 1, allows remote (network) logons by local members of the Administrators group to receive a full high-integrity token instead of the filtered, standard-user token that UAC remote restrictions normally apply. With the value absent or 0 (the default), only the built-in RID-500 Administrator account is exempt from this filtering; setting it to 1 extends full remote administrative rights to every local administrator, so tools such as PsExec, WMI, and remote service creation work from any of those accounts. Attackers may modify this setting to facilitate lateral movement within a network. This rule detects modifications to this specific registry value, alerting on potential unauthorized changes that could lead to defense evasion and privilege escalation. The modification of this policy has been observed being leveraged in conjunction with pass-the-hash attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains local administrator credentials on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the LocalAccountTokenFilterPolicy registry value to 1 on the compromised system. The setting takes effect on the host that receives a remote connection, so this ensures that any local administrator account can later re-enter this host over the network with a full high-integrity token. 
The registry value is located at \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a \u0026ldquo;pass the hash\u0026rdquo; attack (T1550.002) using the compromised local administrator credentials, which are frequently identical across hosts built from the same image.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally over SMB, WMI, or similar to other systems on which LocalAccountTokenFilterPolicy is already set to 1, whether by the attacker\u0026rsquo;s earlier changes or by the organization\u0026rsquo;s own configuration.\u003c/li\u003e\n\u003cli\u003eBecause token filtering is disabled on the receiving host, the network logon for the local administrator account receives a full high-integrity token rather than a filtered one.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses UAC on the remote system, gaining elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities on the remote system, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the LocalAccountTokenFilterPolicy allows attackers to bypass User Account Control (UAC) and gain elevated privileges on remote systems, potentially leading to unauthorized access to sensitive data, lateral movement across the network, and the deployment of ransomware. 
The overall impact can include data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eLocal Account TokenFilter Policy Enabled\u003c/code\u003e to your SIEM and tune for your environment to detect unauthorized modifications to the LocalAccountTokenFilterPolicy registry value.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging (Event ID 13, RegistryEvent value set, with a configuration rule that includes this path) to capture modifications to the registry, which is required for the \u003ccode\u003eLocal Account TokenFilter Policy Enabled\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview the processes excluded in the rule query and ensure they are legitimate and necessary to prevent false positives.\u003c/li\u003e\n\u003cli\u003eMonitor registry events for changes to the \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy\u003c/code\u003e path, specifically looking for the value data being set to 1. Some organizations deploy this value deliberately through Group Policy for remote administration tooling; baseline those hosts and the writing process (for example Group Policy client processing) so that only changes from unexpected processes or hosts raise alerts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-01-02-local-account-token-filter-policy-disabled/","summary":"Adversaries may modify the LocalAccountTokenFilterPolicy registry key to bypass User Account Control (UAC) and gain elevated privileges remotely by granting high-integrity tokens to remote connections from local administrators, facilitating lateral movement and defense evasion.","title":"Local Account TokenFilter Policy Modification for Defense Evasion and Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-02-local-account-token-filter-policy-disabled/"},{"_cs_actors":["UNC6692"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft 
Teams","Chromium"],"_cs_severities":["high"],"_cs_tags":["social-engineering","malware","cloud-abuse","credential-theft","lateral-movement"],"_cs_type":"threat","_cs_vendors":["Microsoft","Google","Amazon"],"content_html":"\u003cp\u003eUNC6692 is a newly tracked, financially motivated threat group that employs a multi-stage intrusion campaign combining persistent social engineering and custom modular malware. The actor begins by flooding a target\u0026rsquo;s email inbox before contacting them via Microsoft Teams, posing as help desk personnel to resolve the issue. This leads to a phishing attack where victims are tricked into downloading and executing malicious payloads. UNC6692 abuses legitimate cloud infrastructure, specifically AWS S3 buckets, for payload delivery, command and control (C2), and data exfiltration, allowing them to bypass traditional network reputation filters. The group\u0026rsquo;s operations are focused on gaining access and stealing credentials for further actions, ultimately aiming to exfiltrate data of interest from compromised systems. 
The initial campaign was observed in late December.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker floods a target\u0026rsquo;s email inbox to create a sense of urgency.\u003c/li\u003e\n\u003cli\u003eThe attacker contacts the target via Microsoft Teams, impersonating help desk personnel.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a phishing link via Teams, promising a local patch to fix the email spamming issue.\u003c/li\u003e\n\u003cli\u003eThe target clicks the link, which downloads a renamed AutoHotKey binary and an AutoHotkey script from a threat actor-controlled AWS S3 bucket.\u003c/li\u003e\n\u003cli\u003eExecution of the AutoHotKey binary automatically runs the script, initiating reconnaissance commands and installing the SNOWBELT malicious Chromium browser extension.\u003c/li\u003e\n\u003cli\u003eSNOWBELT facilitates the download of additional tools, including the Snowglaze Python tunneler, the Snowbasin Python bindshell (used as a persistent backdoor), additional AutoHotkey scripts, and a portable Python executable with required libraries.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a Python script to scan the local network for ports 135, 445, and 3389 and enumerate local administrator accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a local administrator account to initiate an RDP session via Snowglaze from the compromised system to a backup server, then dumps LSASS process memory and uses pass-the-hash to move laterally to the domain controller.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe UNC6692 attack leads to the compromise of targeted systems, credential theft, and potential data exfiltration. If successful, the attacker gains control over the domain controller, allowing them to access sensitive information and potentially cause significant damage to the organization. 
The abuse of AWS S3 buckets allows the threat actor to blend in with legitimate cloud traffic, making detection more difficult. The financial motivation suggests that stolen credentials and data could be used for further malicious activities, such as ransomware attacks or sale on the dark web.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for AutoHotKey execution, especially when associated with downloads from unusual locations like AWS S3 buckets, to detect initial payload execution (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect unusual RDP connections initiated from compromised systems to internal servers, as this is a key lateral movement technique used by UNC6692 (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eMonitor for the installation of new Chromium extensions, especially those not distributed through the Chrome Web Store, as this is how the SNOWBELT malware is deployed.\u003c/li\u003e\n\u003cli\u003eMonitor for the use of Python scripts to scan the local network for open ports (135, 445, 3389) and enumerate local administrator accounts.\u003c/li\u003e\n\u003cli\u003eInvestigate any Microsoft Teams messages delivering links that promise to fix technical problems, as this is the initial social engineering tactic used by UNC6692.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T14:00:00Z","date_published":"2026-04-28T14:00:00Z","id":"/briefs/2026-04-unc6692-social-engineering/","summary":"UNC6692 is a newly discovered, financially motivated threat actor that combines social engineering via Microsoft Teams, custom malware named SNOWBELT, and abuse of legitimate AWS S3 cloud infrastructure in its attack campaigns to steal credentials and prepare for data exfiltration.","title":"UNC6692 Combines Social Engineering, Malware, and Cloud 
Abuse","url":"https://feed.craftedsignal.io/briefs/2026-04-unc6692-social-engineering/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS IAM","GitHub Actions"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","github","credential-theft","initial-access","lateral-movement"],"_cs_type":"advisory","_cs_vendors":["Amazon","Microsoft","Google"],"content_html":"\u003cp\u003eThis threat involves the unauthorized use of AWS credentials stolen from GitHub Actions secrets. Attackers exfiltrate these credentials and use them from their own infrastructure, bypassing the intended CI/CD environment. The activity is detected by observing the same AWS access key ID in CloudTrail logs both from legitimate GitHub Actions runners (identified by a Microsoft ASN, since GitHub-hosted runners run on Azure, or by the \u003ccode\u003egithub-actions\u003c/code\u003e user agent string) and from infrastructure outside the expected CI/CD provider ASNs (Amazon, Google, Microsoft). This indicates a breach of GitHub repository or organization secrets, leading to potential unauthorized access and control over AWS resources. This activity can begin with compromised GitHub accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub repository or organization with AWS credentials stored as secrets.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the AWS access key ID and secret access key, either manually or through automated means, such as modifying a GitHub Actions workflow to expose the secrets (GitHub masks secret values in job logs, so a modified workflow typically encodes them or sends them to an attacker-controlled endpoint).\u003c/li\u003e\n\u003cli\u003eThe attacker configures the stolen AWS credentials on their own infrastructure, using tools like the AWS CLI or boto3.\u003c/li\u003e\n\u003cli\u003eThe attacker makes signed API calls to AWS with the stolen credentials. 
This generates CloudTrail logs with the attacker\u0026rsquo;s source IP address and ASN.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance activities, such as calling \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e, \u003ccode\u003eListBuckets\u003c/code\u003e, \u003ccode\u003eDescribeInstances\u003c/code\u003e, or \u003ccode\u003eListUsers\u003c/code\u003e, to understand the AWS environment and identify potential targets.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges or move laterally within the AWS environment by exploiting the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker may create, modify, or delete AWS resources, such as EC2 instances, S3 buckets, or IAM roles, depending on the permissions associated with the stolen credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to unauthorized access to AWS resources, potentially resulting in data breaches, service disruptions, or financial losses. The impact depends on the permissions associated with the stolen AWS credentials. A single compromised credential could expose sensitive data, disrupt critical services, or allow attackers to deploy malicious infrastructure within the victim\u0026rsquo;s AWS environment. 
Identifying and responding to this threat quickly is vital to minimize damages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure\u0026rdquo; to your SIEM and tune for your environment to detect suspicious usage patterns.\u003c/li\u003e\n\u003cli\u003eRotate the compromised AWS access key in IAM immediately (create a new key, update the corresponding GitHub repository/organization secret, then deactivate and delete the old key) as described in the rule documentation, and review CloudTrail for every call the old key made from the unexpected source before it was rotated.\u003c/li\u003e\n\u003cli\u003eImplement OIDC-based authentication (\u003ccode\u003eaws-actions/configure-aws-credentials\u003c/code\u003e with \u003ccode\u003erole-to-assume\u003c/code\u003e) instead of long-lived access keys as mentioned in the rule documentation; the resulting role credentials expire after one hour by default, which sharply limits the value of anything exfiltrated from a run.\u003c/li\u003e\n\u003cli\u003eIf using OIDC, scope the IAM role trust policy to the workflow: require the \u003ccode\u003etoken.actions.githubusercontent.com:aud\u003c/code\u003e claim to equal \u003ccode\u003ests.amazonaws.com\u003c/code\u003e and constrain \u003ccode\u003etoken.actions.githubusercontent.com:sub\u003c/code\u003e to the specific repository and branch or environment, so that a token minted for any other repository cannot assume the role. The IP conditions on \u003ccode\u003eAssumeRoleWithWebIdentity\u003c/code\u003e suggested in the rule documentation add little for GitHub-hosted runners, whose address ranges are shared by every GitHub customer; they are worthwhile only for self-hosted runners with fixed egress addresses.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T17:45:55Z","date_published":"2026-04-22T17:45:55Z","id":"/briefs/2024-01-aws-github-actions-credential-theft/","summary":"Attackers are stealing AWS credentials configured as GitHub Actions secrets and using them from non-CI/CD infrastructure, indicating potential credential theft and unauthorized access to AWS resources.","title":"AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-github-actions-credential-theft/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["macos","lotl","lateral-movement","execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWith macOS adoption growing in enterprise environments, particularly among developers and DevOps teams, it has 
become an attractive target for malicious actors. This report highlights the under-documented \u0026ldquo;living-off-the-land\u0026rdquo; (LOTL) techniques specific to macOS. Attackers are exploiting native features like Remote Application Scripting (RAS), the Remote Apple Events service addressed through \u003ccode\u003eeppc://\u003c/code\u003e URLs, to achieve remote execution, and are abusing Spotlight metadata (Finder comments) for payload staging, evading traditional static file analysis. Additionally, attackers can use built-in tools and protocols such as SMB, Netcat, Git, TFTP, and SNMP to establish persistence and move toolkits. Defenders should shift their focus from static file scanning to monitoring process lineage and inter-process communication (IPC) anomalies, and should enforce strict MDM policies that disable unnecessary administrative services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to a macOS system, possibly through spearphishing or exploiting a vulnerability in a network service (the initial access vector is not specified in the source document, but some foothold is a necessary assumption for the rest of the chain).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker uses native tools to enumerate the environment, such as \u003ccode\u003ediskutil list\u003c/code\u003e to identify connected volumes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker attempts to access stored credentials, SSH keys, or cloud credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (RAS):\u003c/strong\u003e The attacker leverages Remote Application Scripting (RAS) to remotely query Finder for mounted volumes using \u003ccode\u003eosascript -e 'tell application \u0026quot;Finder\u0026quot; of machine \u0026quot;eppc://user:password@target_ip\u0026quot; to get the name of every disk'\u003c/code\u003e; this requires Remote Apple Events to be enabled on the target and credentials for a user permitted to use it.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote 
Execution (RAS):\u003c/strong\u003e The attacker uses RAS and Terminal.app as an execution proxy to bypass Apple\u0026rsquo;s security restrictions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Deployment (RAS/Base64):\u003c/strong\u003e The attacker encodes a malicious script using Base64 and uses RAS to instruct the remote Terminal.app to decode the script to a temporary file and make it executable using \u003ccode\u003echmod +x\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Invocation (RAS/bash):\u003c/strong\u003e The attacker uses a second RAS command to explicitly invoke the deployed script via bash, ensuring a proper shell context.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (SMB/Netcat/Git/TFTP/SNMP):\u003c/strong\u003e The attacker utilizes built-in protocols such as SMB, Netcat, Git, TFTP, or SNMP to establish persistence on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these LOTL techniques allows attackers to bypass traditional security controls on macOS systems, leading to unauthorized access to sensitive data, source code repositories, and cloud infrastructure. With over 45% of organizations utilizing macOS, these attacks can result in significant financial losses, reputational damage, and disruption of business operations. 
Compromised developer or DevOps workstations can be leveraged as pivot points to further compromise production environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003eosascript\u003c/code\u003e executing with an \u003ccode\u003eeppc://\u003c/code\u003e URI to detect potential RAS-based lateral movement (see Sigma rule \u0026ldquo;Detect Remote Apple Event Lateral Movement\u0026rdquo;); this fires on the host that initiates the connection, not on the one that receives it.\u003c/li\u003e\n\u003cli\u003eMonitor process creation for \u003ccode\u003eTerminal.app\u003c/code\u003e executing \u003ccode\u003ebash\u003c/code\u003e with command-line arguments indicative of Base64 decoding and execution to identify RAS-based remote execution attempts on the receiving host (see Sigma rule \u0026ldquo;Detect Terminal.app as Execution Proxy\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement strict MDM policies to disable unnecessary administrative services and protocols like Remote Apple Events (the \u003ccode\u003eeppc\u003c/code\u003e service on TCP port 3031) to reduce the attack surface, and confirm the service is actually off on managed hosts rather than assuming the profile applied.\u003c/li\u003e\n\u003cli\u003eMonitor inter-process communication (IPC) anomalies, particularly involving \u003ccode\u003eappleeventsd\u003c/code\u003e, to identify suspicious activity related to RAS.\u003c/li\u003e\n\u003cli\u003eCollect process-creation telemetry from the Endpoint Security framework (through your EDR sensor, or Apple\u0026rsquo;s built-in \u003ccode\u003eeslogger\u003c/code\u003e utility on macOS 13 and later) to capture the process lineage and command-line arguments necessary for the rules above; Sysmon has no macOS build, so it cannot supply this data here.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T10:01:16Z","date_published":"2026-04-21T10:01:16Z","id":"/briefs/2026-04-bad-apples-macos-lotl/","summary":"Adversaries are increasingly targeting macOS environments, leveraging native tools like Remote Application Scripting (RAS) and Spotlight metadata to bypass security controls for remote code execution and lateral movement.","title":"Bad Apples: Weaponizing Native macOS Primitives for Lateral Movement and 
Execution","url":"https://feed.craftedsignal.io/briefs/2026-04-bad-apples-macos-lotl/"},{"_cs_actors":["BRICKSTORM"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["vsphere","virtualization","brickstorm","persistence","lateral-movement"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThe BRICKSTORM campaign targets VMware vSphere environments, with a focus on the vCenter Server Appliance (VCSA) and ESXi hypervisors. This campaign, building on previous BRICKSTORM research, highlights the increasing threats targeting virtualized infrastructure. By gaining persistence at the virtualization layer, attackers bypass traditional security measures, such as endpoint detection and response (EDR) agents, which are often ineffective in these environments. The attackers exploit weak security architectures, identity design flaws, lack of host-based configuration enforcement, and limited visibility within the virtualization layer. This allows them to maintain long-term persistence and gain administrative control over the entire vSphere environment, making the VCSA a prime target due to its centralized control. This activity is not due to vendor vulnerabilities but rather misconfigurations and security gaps. 
vSphere 7 reached End of Life (EoL) in October 2025, so organizations using this version are at increased risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the vSphere environment, potentially through compromised credentials or vulnerabilities in externally facing services.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVCSA Compromise:\u003c/strong\u003e The attacker targets the vCenter Server Appliance (VCSA) to gain centralized control over the vSphere environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker escalates privileges within the VCSA to gain root or administrative access to the underlying Photon Linux OS.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence by modifying system files or creating malicious services that survive reboots. 
This may involve writing scripts to \u003ccode\u003e/etc/rc.local.d\u003c/code\u003e or modifying startup files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses the compromised VCSA to move laterally to other ESXi hosts and virtual machines within the environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Access:\u003c/strong\u003e The attacker accesses the underlying storage (VMDKs) of virtual machines, bypassing operating system permissions and traditional file system security, to exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eControl of ESXi Hosts:\u003c/strong\u003e The attacker resets root credentials on any managed ESXi host, providing full control of the hypervisor.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker can power off, delete, or reconfigure any virtual machine, encrypt datastores, disable virtual networks, and exfiltrate data. The ultimate objective could be data theft, disruption of services, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful BRICKSTORM attack can have severe consequences, including complete compromise of the vSphere environment. This can lead to data exfiltration of Tier-0 assets, disruption of critical services (such as domain controllers), and potential ransomware deployment across all virtual machines. Organizations may face significant financial losses, reputational damage, and legal liabilities. 
The lack of command-line logging on the Photon OS shell further hinders incident response efforts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eHarden the vCenter Server Appliance (VCSA) by implementing the security configurations recommended in the Mandiant vCenter Hardening Script (reference: vCenter Hardening Script link in Overview).\u003c/li\u003e\n\u003cli\u003eImplement logging and monitoring for the Photon OS shell to detect unauthorized access and command execution (reference: Phase 4 in Content).\u003c/li\u003e\n\u003cli\u003eUpgrade to a supported version of vSphere to receive critical security patches (reference: vSphere 7 End of Life in Content).\u003c/li\u003e\n\u003cli\u003eEnable Secure Boot, strictly firewall management interfaces, and disable shell access on ESXi hosts and the VCSA (reference: Technical Hardening in Content).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect modifications to startup files for persistence on Photon OS (reference: Sigma rule: \u0026ldquo;Detect Startup File Modification in Photon OS\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T13:55:05Z","date_published":"2026-04-02T13:55:05Z","id":"/briefs/2026-04-brickstorm-vsphere/","summary":"The BRICKSTORM malware targets VMware vSphere environments, specifically vCenter Server Appliance (VCSA) and ESXi hypervisors, by exploiting weak security configurations to establish persistence at the virtualization layer, leading to administrative control and potential data exfiltration.","title":"BRICKSTORM Malware Targeting VMware vSphere 
Environments","url":"https://feed.craftedsignal.io/briefs/2026-04-brickstorm-vsphere/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["container","persistence","lateral-movement","privilege-escalation","ssh"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection focuses on identifying malicious actors who modify SSH authorized_keys files inside containers to gain unauthorized access. SSH authorized keys are used for public key authentication, and modification of these files allows attackers to maintain persistence or move laterally within a containerized environment. The rule specifically looks for file creation and modification events of authorized_keys files within Linux-based containers. Introduced as part of the Defend for Containers integration in Elastic Stack version 9.3.0, this detection is crucial because unauthorized SSH access can lead to significant compromise within cloud environments and containerized workloads. 
Defenders need to be aware of unexpected SSH key modifications as indicators of compromise inside containerized environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a container, possibly through a software vulnerability or misconfiguration.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands within the container to locate the SSH authorized_keys file (typically located at \u003ccode\u003e/home/\u0026lt;user\u0026gt;/.ssh/authorized_keys\u003c/code\u003e or \u003ccode\u003e/root/.ssh/authorized_keys\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the authorized_keys file, adding their own SSH public key to the file using commands like \u003ccode\u003eecho \u0026quot;ssh-rsa AAAAB3Nz...\u0026quot; \u0026gt;\u0026gt; /root/.ssh/authorized_keys\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly added SSH key to authenticate and log into the container without needing a password.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the SSH session to execute further commands, potentially escalating privileges or moving laterally to other containers or systems.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by ensuring their SSH key remains in the authorized_keys file, allowing them to re-access the container at any time.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the authorized_keys file enables persistent, unauthorized SSH access to the compromised container. This can lead to lateral movement within the container environment, privilege escalation, data exfiltration, or further attacks on other systems. The rule aims to detect these modifications early, preventing significant damage. 
While the number of specific victims isn\u0026rsquo;t stated, a successful attack targeting containers can affect critical cloud infrastructure and applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect unauthorized modifications of SSH authorized_keys files within containers (rule: \u003ccode\u003eSSH Authorized Key File Activity\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable \u003ccode\u003eElastic Defend for Containers\u003c/code\u003e integration (minimum version 9.3.0) to provide the necessary file event data for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the process and user context of the file modifications, as outlined in the rule\u0026rsquo;s description (rule: \u003ccode\u003eSSH Authorized Key File Activity\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls and monitoring on SSH usage within containers to prevent similar incidents in the future, as recommended in the incident response section.\u003c/li\u003e\n\u003cli\u003eCreate exceptions for known update processes or deployment scripts that regularly alter these files to reduce false positives, as suggested in the false positive analysis.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T12:00:00Z","date_published":"2026-04-02T12:00:00Z","id":"/briefs/2026-04-ssh-authorized-keys-modification-inside-a-container/","summary":"The rule detects the creation or modification of an authorized_keys file inside a container, a technique used by adversaries to maintain persistence on a victim host by adding their own public key(s) to enable unauthorized SSH access for lateral movement or privilege escalation.","title":"SSH Authorized Key File Modification Inside a 
Container","url":"https://feed.craftedsignal.io/briefs/2026-04-ssh-authorized-keys-modification-inside-a-container/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","wmi","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe information describes a lateral movement technique leveraging Windows Management Instrumentation (WMI) using a tool named StealthyWMIExec.py. This tool aims to provide a \u0026ldquo;stealthy\u0026rdquo; approach to executing commands on remote systems. The original post on Reddit\u0026rsquo;s blueteamsec forum, dating back to March 2026, discusses a method for achieving lateral movement while potentially bypassing traditional security monitoring that focuses on standard command execution patterns. Defenders should consider that adversaries might try to use WMI for command execution to blend in with legitimate activity and evade detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a system within the target network.\u003c/li\u003e\n\u003cli\u003eAttacker uses valid credentials or exploits a vulnerability to authenticate to a remote host.\u003c/li\u003e\n\u003cli\u003eAttacker uses the StealthyWMIExec.py script (or similar WMI-based execution tool).\u003c/li\u003e\n\u003cli\u003eThe script establishes a WMI connection to the target machine.\u003c/li\u003e\n\u003cli\u003eThe script executes commands on the remote host using WMI\u0026rsquo;s \u003ccode\u003eWin32_Process\u003c/code\u003e class.\u003c/li\u003e\n\u003cli\u003eThe output of the executed command is retrieved via WMI.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the information obtained to further compromise the network or achieve other objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via 
WMI-based lateral movement can lead to the compromise of multiple systems within a network. This can lead to data exfiltration, ransomware deployment, or other malicious activities, depending on the attacker\u0026rsquo;s objectives. The use of \u0026ldquo;stealthy\u0026rdquo; techniques may allow attackers to remain undetected for longer periods, increasing the potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor WMI event logs (Event ID 5861, 5857, 5858, 5859) for suspicious WMI activity indicative of lateral movement.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rules provided to detect unusual WMI process creation and script execution.\u003c/li\u003e\n\u003cli\u003eEnable and review process creation logs (Sysmon Event ID 1) with command-line arguments to identify suspicious WMI activity.\u003c/li\u003e\n\u003cli\u003eRestrict WMI access to authorized users and systems only to limit the attack surface for this technique.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-16T19:03:04Z","date_published":"2026-03-16T19:03:04Z","id":"/briefs/2024-05-stealthy-wmi-exec/","summary":"The StealthyWMIExec.py script facilitates lateral movement via WMI, potentially evading standard detection mechanisms by employing stealthy techniques.","title":"Stealthy WMI Lateral Movement via StealthyWMIExec.py","url":"https://feed.craftedsignal.io/briefs/2024-05-stealthy-wmi-exec/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["aws","privilege-escalation","lateral-movement"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection rule identifies when an IAM user assumes a role in AWS Security Token Service (STS) within an AWS environment. The AWS Security Token Service (STS) allows users to request temporary, limited-privilege credentials for accessing AWS resources. 
While legitimate role assumption is common for authorized access, adversaries can abuse this mechanism to escalate privileges or move laterally within a compromised AWS account. This behavior is detected by monitoring AWS CloudTrail logs for \u003ccode\u003eAssumeRole\u003c/code\u003e events from IAM users. The rule focuses on identifying potentially malicious role assumptions by correlating the user identity, assumed role, and source information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account as an IAM user, potentially through compromised credentials or an exposed access key.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates available IAM roles within the AWS environment to identify roles with elevated privileges or access to sensitive resources.\u003c/li\u003e\n\u003cli\u003eThe attacker calls the \u003ccode\u003eAssumeRole\u003c/code\u003e API in AWS STS, requesting temporary credentials for the target role, using a \u003ccode\u003eroleSessionName\u003c/code\u003e for context.\u003c/li\u003e\n\u003cli\u003eThe STS service validates the request and, if authorized, issues temporary credentials consisting of an \u003ccode\u003eaccessKeyId\u003c/code\u003e, \u003ccode\u003esecretAccessKey\u003c/code\u003e, and \u003ccode\u003esessionToken\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker configures their AWS CLI or SDK with the temporary credentials obtained from the STS service.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the temporary credentials to access AWS resources and perform actions permitted by the assumed role, such as modifying security groups, accessing S3 buckets, or launching EC2 instances.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to further escalate privileges by assuming additional roles or creating new IAM users with administrative privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful role assumption can grant an attacker access to sensitive data, allow them to disrupt critical services, or provide a foothold for further attacks within the AWS environment. While this rule has a low severity, a high volume of alerts should be reviewed as it could indicate ongoing lateral movement and privilege escalation. The impact of a successful attack can range from data breaches and service disruptions to complete compromise of the AWS environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to your SIEM and tune for your environment to detect suspicious role assumptions.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule by reviewing the associated CloudTrail logs, specifically the \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003eaws.cloudtrail.resources.arn\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eImplement additional monitoring for high-risk roles with elevated permissions, and create exceptions for trusted patterns.\u003c/li\u003e\n\u003cli\u003eRegularly review IAM policies and roles to minimize the risk of privilege escalation.\u003c/li\u003e\n\u003cli\u003eRefer to the AWS STS documentation for more details on managing and securing AWS STS in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-04T18:01:49Z","date_published":"2026-03-04T18:01:49Z","id":"/briefs/2026-03-aws-sts-role-assumption/","summary":"Detection of a user assuming a role in AWS Security Token Service (STS) to obtain temporary credentials, which can indicate privilege escalation or lateral movement.","title":"AWS STS Role Assumption by 
User","url":"https://feed.craftedsignal.io/briefs/2026-03-aws-sts-role-assumption/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","execution","lateral-movement","powershell"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003ePowercat is a PowerShell script that functions similarly to the traditional Netcat utility, allowing for network communication using TCP and UDP. Attackers can use Powercat to establish reverse shells, transfer files, and perform port scanning within a compromised environment. This activity is often employed during post-exploitation phases to maintain access and propagate further into the network. Defenders should be aware of PowerShell scripts invoking Powercat, especially in environments…\u003c/p\u003e\n","date_modified":"2024-11-04T14:27:00Z","date_published":"2024-11-04T14:27:00Z","id":"/briefs/2024-11-powercat-detection/","summary":"Adversaries may leverage Powercat, a PowerShell implementation of Netcat, to establish command and control channels or perform lateral movement within a compromised network.","title":"Powercat PowerShell Implementation Detection","url":"https://feed.craftedsignal.io/briefs/2024-11-powercat-detection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Bitbucket"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","defense-impairment","bitbucket"],"_cs_type":"advisory","_cs_vendors":["Atlassian"],"content_html":"\u003cp\u003eThis brief focuses on the detection of unauthorized changes to Bitbucket\u0026rsquo;s global SSH settings. While the specific actor remains unknown, the modification of these settings is a significant security concern. The activity is detected via Bitbucket audit logs. 
Modification of global SSH settings can allow attackers to gain unauthorized access to repositories, potentially leading to code compromise, data breaches, or further lateral movement within the network. This activity is particularly important for organizations relying on Bitbucket for source code management and secure development workflows. The audit logs are the primary source of information, specifically focusing on events categorized as \u0026lsquo;Global administration\u0026rsquo; with the action \u0026lsquo;SSH settings changed\u0026rsquo;.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Bitbucket account with administrative privileges, possibly through credential compromise or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Bitbucket web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the global SSH settings configuration page within the Bitbucket administration panel.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies global SSH settings, such as adding a new public key or changing authentication requirements.\u003c/li\u003e\n\u003cli\u003eBitbucket logs the \u0026lsquo;SSH settings changed\u0026rsquo; event in the audit logs under the \u0026lsquo;Global administration\u0026rsquo; category.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the modified SSH settings to clone repositories or push malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker uses compromised code or data to move laterally within the organization\u0026rsquo;s network, targeting other systems and resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of Bitbucket global SSH settings can allow unauthorized access to all repositories within the Bitbucket instance. This can lead to code theft, injection of malicious code, and data breaches. 
The impact may extend beyond the Bitbucket environment if the compromised code is deployed to production systems or used in other development processes. Organizations using Bitbucket for critical projects are at higher risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect unauthorized changes to Bitbucket global SSH settings in the audit logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u0026ldquo;SSH settings changed\u0026rdquo; in the Bitbucket audit logs to determine the legitimacy of the changes.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all Bitbucket accounts, especially those with administrative privileges, to mitigate credential compromise as an initial access vector.\u003c/li\u003e\n\u003cli\u003eReview Bitbucket\u0026rsquo;s audit log configuration to ensure the \u0026ldquo;Advanced\u0026rdquo; log level is enabled to capture the necessary audit events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-01T12:00:00Z","date_published":"2024-11-01T12:00:00Z","id":"/briefs/2024-11-bitbucket-ssh-change/","summary":"An attacker modifies Bitbucket global SSH settings to potentially enable unauthorized access and lateral movement.","title":"Bitbucket Global SSH Settings Changed","url":"https://feed.craftedsignal.io/briefs/2024-11-bitbucket-ssh-change/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["OpenCanary"],"_cs_severities":["high"],"_cs_tags":["opencanary","honeypot","httpproxy","lateral-movement"],"_cs_type":"advisory","_cs_vendors":["Security Onion Solutions"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting malicious attempts to use an OpenCanary node as an HTTP proxy. OpenCanary is a low-interaction honeypot designed to detect intruders on a network. 
An attacker attempting to use an OpenCanary node as an HTTP proxy is a strong indicator of reconnaissance or lateral movement, as they are attempting to route their traffic through the honeypot. This activity is logged by OpenCanary and can be detected with appropriate monitoring. The default configuration of OpenCanary includes an HTTPPROXY service that listens for proxy requests. Defenders should monitor OpenCanary logs for event ID 7001, which indicates an attempted HTTP proxy login.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a network (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eAttacker performs network reconnaissance to identify potential targets, including the OpenCanary node.\u003c/li\u003e\n\u003cli\u003eAttacker attempts to configure their system or tools to use the OpenCanary node as an HTTP proxy.\u003c/li\u003e\n\u003cli\u003eThe attacker sends HTTP requests through the configured proxy, attempting to reach other systems on the network.\u003c/li\u003e\n\u003cli\u003eOpenCanary logs the attempted proxy connection with event ID 7001.\u003c/li\u003e\n\u003cli\u003eThe defender detects the suspicious HTTP proxy attempt in the OpenCanary logs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful HTTP proxy attempt indicates that an attacker is actively exploring the network and attempting to move laterally. This could lead to further compromise of sensitive systems and data exfiltration. 
While the OpenCanary node itself is a honeypot and not a production asset, the detection of proxy attempts signals a breach and ongoing malicious activity within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eOpenCanary HTTPPROXY Login Attempt\u003c/code\u003e to your SIEM and tune for your environment to detect unauthorized proxy attempts on OpenCanary nodes.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the source and target of the attempted proxy connection.\u003c/li\u003e\n\u003cli\u003eReview OpenCanary configuration to ensure that the HTTPPROXY service is properly configured and secured.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of potential lateral movement by attackers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-26T18:22:34Z","date_published":"2024-10-26T18:22:34Z","id":"/briefs/2024-10-opencanary-httpproxy/","summary":"Detection of attempted HTTP proxy use on an OpenCanary node, indicating potential reconnaissance or lateral movement by an attacker attempting to proxy another page.","title":"OpenCanary HTTPPROXY Login Attempt Detection","url":"https://feed.craftedsignal.io/briefs/2024-10-opencanary-httpproxy/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","data-exfiltration","machine-learning"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection leverages machine learning to identify unusual remote file sizes, a tactic often used during lateral movement. After gaining initial access, adversaries frequently aim to locate and exfiltrate valuable data. To avoid raising alarms with numerous small transfers, they may consolidate data into a single large file. 
This rule, built upon the Elastic Lateral Movement Detection integration, specifically uses the \u003ccode\u003elmd_high_file_size_remote_file_transfer_ea\u003c/code\u003e machine learning job. The integration requires the \u003ccode\u003ehost.ip\u003c/code\u003e field to be populated and Elastic Defend to be properly configured. This detection is critical for organizations seeking to identify and prevent data exfiltration attempts early in the attack lifecycle. The integration assets must be installed and file and Windows RDP process events collected by Elastic Defend.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains access to a host within the network, potentially through compromised credentials or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eDiscovery: The attacker performs reconnaissance to identify valuable data stores, network shares, and potential exfiltration targets.\u003c/li\u003e\n\u003cli\u003eCollection: The attacker gathers sensitive data from various sources within the compromised network. This data could include documents, databases, or other confidential information.\u003c/li\u003e\n\u003cli\u003eData Consolidation: To avoid detection, the attacker bundles the collected data into a single, large file. 
This could involve archiving, compression, or other methods of aggregation.\u003c/li\u003e\n\u003cli\u003eLateral Tool Transfer: The attacker uses remote services or tools to transfer the large file to a remote host within the network (T1570).\u003c/li\u003e\n\u003cli\u003eExfiltration Preparation: The attacker stages the large file on the remote host, preparing it for exfiltration outside the network.\u003c/li\u003e\n\u003cli\u003eExfiltration: The attacker initiates the transfer of the large file from the compromised network to an external destination, potentially using protocols like RDP.\u003c/li\u003e\n\u003cli\u003eCleanup: The attacker attempts to remove traces of the activity, such as deleting temporary files or logs, to avoid detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the exfiltration of sensitive data, potentially resulting in financial loss, reputational damage, and legal liabilities. The detection of unusual remote file sizes can help organizations identify and prevent data exfiltration attempts before they cause significant harm. Depending on the sensitivity of the exfiltrated data, the impact could range from minor inconvenience to a major security breach affecting thousands of individuals or customers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the \u003ccode\u003ehost.ip\u003c/code\u003e field is populated as required by the rule. 
For Elastic Defend versions 8.18 and above, verify that host IP collection is enabled following the provided \u003ca href=\"https://www.elastic.co/docs/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint#host-fields\"\u003ehelper guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInstall the Lateral Movement Detection integration assets, including the \u003ccode\u003elmd_high_file_size_remote_file_transfer_ea\u003c/code\u003e machine learning job. Follow the setup instructions detailed in the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003edocumentation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eReview and tune the anomaly threshold (\u003ccode\u003eanomaly_threshold = 70\u003c/code\u003e) of the machine learning job based on your environment\u0026rsquo;s baseline to reduce false positives.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit lateral movement, as suggested in the \u0026ldquo;Response and remediation\u0026rdquo; section of the rule documentation.\u003c/li\u003e\n\u003cli\u003eEnhance monitoring and logging for unusual file transfer activities and remote access attempts as stated in the rule documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-30T10:00:00Z","date_published":"2024-04-30T10:00:00Z","id":"/briefs/2024-04-30-unusual-remote-file-size/","summary":"A machine learning job has detected an unusually high file size shared by a remote host, indicating potential lateral movement as attackers bundle data into a single large file transfer to evade detection when exfiltrating valuable information.","title":"Unusual Remote File Size Indicating Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-04-30-unusual-remote-file-size/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS 
CloudTrail"],"_cs_severities":["medium"],"_cs_tags":["aws","cloud","lateral-movement","credential-access"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThe AWS GetSigninToken API, typically used for legitimate console access, can be abused by attackers to generate temporary, federated credentials. This technique, often facilitated by tools like \u003ccode\u003eaws_consoler\u003c/code\u003e, allows attackers to obfuscate the compromised access keys used to generate the tokens. By pivoting from the AWS CLI to console sessions with these temporary credentials, adversaries bypass MFA requirements and complicate forensic investigations. This activity is crucial for defenders to monitor, especially in environments not configured for AWS SSO, as it can indicate unauthorized access and lateral movement within the AWS infrastructure. The tool \u003ccode\u003eaws_consoler\u003c/code\u003e is specifically designed to automate this process, creating a streamlined path for malicious actors to leverage compromised credentials for further exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to AWS environment using compromised credentials (access key, secret key).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials with the AWS CLI or SDK to call the \u003ccode\u003eGetSigninToken\u003c/code\u003e API.\u003c/li\u003e\n\u003cli\u003eAWS CloudTrail logs the \u003ccode\u003eGetSigninToken\u003c/code\u003e event with the event source \u003ccode\u003esignin.amazonaws.com\u003c/code\u003e and event name \u003ccode\u003eGetSigninToken\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eGetSigninToken\u003c/code\u003e API returns a temporary sign-in token.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the temporary token along with the AWS account ID to construct a sign-in URL.\u003c/li\u003e\n\u003cli\u003eThe 
attacker opens the AWS Management Console via the crafted URL. Because the session is created through the federation sign-in endpoint rather than an interactive login, no console MFA prompt is presented, so the permissions of the compromised access key are exercised in the console without a second factor.\u003c/li\u003e\n\u003cli\u003eOnce in the console, the attacker performs reconnaissance, identifies valuable resources, and escalates privileges as needed.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the AWS environment, accessing and potentially exfiltrating sensitive data, or disrupting services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful abuse of the \u003ccode\u003eGetSigninToken\u003c/code\u003e API can lead to unauthorized access to the AWS Management Console, enabling lateral movement and data exfiltration. The obfuscation of the original compromised credentials makes incident response more difficult. While the exact number of victims is unknown, this technique has been observed in intrusions targeting telecom and BPO companies. The impact includes potential data breaches, service disruptions, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious \u003ccode\u003eGetSigninToken\u003c/code\u003e events in AWS CloudTrail logs (event source \u003ccode\u003esignin.amazonaws.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003eGetSigninToken\u003c/code\u003e events originating from outside of expected AWS SSO user agents or other known legitimate sources.\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for \u003ccode\u003eGetSigninToken\u003c/code\u003e events where the requesting user identity does not match expected patterns.\u003c/li\u003e\n\u003cli\u003eEnforce MFA for all IAM users and, where the workload allows, require the \u003ccode\u003eaws:MultiFactorAuthPresent\u003c/code\u003e condition in IAM policies so that a bare access key cannot call sensitive APIs. A console session minted from a sign-in token does not trigger a console MFA prompt, so MFA on the console login alone does not stop this technique; prefer short-lived role credentials over long-lived IAM user access keys.\u003c/li\u003e\n\u003cli\u003eReview and restrict IAM policies to adhere to the principle of least privilege, minimizing the potential impact 
of compromised credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-29T12:00:00Z","date_published":"2024-04-29T12:00:00Z","id":"/briefs/2024-04-aws-get-signin-token-abuse/","summary":"Adversaries may abuse the AWS GetSigninToken API to create temporary federated credentials for obfuscating compromised AWS access keys and pivoting to console sessions without MFA, potentially leading to lateral movement within the AWS environment.","title":"Potential Abuse of AWS Console GetSigninToken","url":"https://feed.craftedsignal.io/briefs/2024-04-aws-get-signin-token-abuse/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","Elastic Endgame","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","lateral-movement","registry-modification","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eNetwork Level Authentication (NLA) is a security feature in Windows that requires users to authenticate before establishing a full RDP session, adding an extra layer of protection against unauthorized access. Attackers might attempt to disable NLA to gain access to the Windows sign-in screen without proper authentication. This tactic can facilitate the deployment of persistence mechanisms, such as leveraging Accessibility Features like Sticky Keys, or enable unauthorized remote access. This brief addresses the registry modifications associated with disabling NLA and provides detection strategies to identify such attempts. 
The references indicate that this technique is used in conjunction with other attacks for lateral movement within a compromised network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the system is gained (potentially via compromised credentials or vulnerability exploitation).\u003c/li\u003e\n\u003cli\u003eThe attacker obtains administrative privileges, which are required to write under this HKLM key.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry value \u003ccode\u003eHKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication\u003c/code\u003e to disable NLA, whether through \u003ccode\u003ereg.exe\u003c/code\u003e, PowerShell, or WMI (\u003ccode\u003eWin32_TSGeneralSetting\u003c/code\u003e); the registry value change is what the detection observes regardless of the tool used.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eUserAuthentication\u003c/code\u003e value is set to \u0026ldquo;0\u0026rdquo; or \u0026ldquo;0x00000000\u0026rdquo; (a value of 1 means NLA is required).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish an RDP connection to the compromised system.\u003c/li\u003e\n\u003cli\u003eWith NLA disabled, the RDP server no longer demands credentials before the session is established, so the unauthenticated remote client is shown the interactive Windows logon screen.\u003c/li\u003e\n\u003cli\u003eFrom the logon screen, the attacker triggers a previously planted accessibility-feature backdoor (e.g., Sticky Keys via five presses of Shift, with \u003ccode\u003esethc.exe\u003c/code\u003e replaced) to obtain a SYSTEM-level command prompt, or otherwise uses the screen for persistence or further exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the system without ever supplying valid credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling NLA removes the pre-session authentication check, so any remote client that can reach the RDP listener is presented with the interactive logon screen; combined with an accessibility-feature backdoor this yields a SYSTEM shell with no valid credentials, and even without a backdoor it widens the pre-authentication attack surface of the RDP service. This can lead to data theft, malware installation, or further lateral movement within the network. 
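The registry change in steps 3 and 4 of the attack chain is what endpoint telemetry actually sees. As an added example (not part of the brief and not the Sigma rule it refers to), the following Python matches Sysmon Event ID 13 (RegistryEvent: value set) records against that value and treats a DWORD of 0 as an NLA-disable attempt. The sample records, user names and process images are constructed for the example; the field names follow Sysmon's event schema.

```python
import re

# Value that controls NLA for the default RDP listener. Sysmon writes the hive as
# HKLM\System\CurrentControlSet\...; other sensors may report ControlSet001/002,
# which is why the pattern accepts either form.
NLA_VALUE_RE = re.compile(
    r"\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Control\\Terminal Server"
    r"\\WinStations\\RDP-Tcp\\UserAuthentication$",
    re.IGNORECASE,
)
# Sysmon renders DWORD data in the Details field as "DWORD (0x00000000)".
DWORD_RE = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")

# Constructed Sysmon Event ID 13 records (value set).
SAMPLE_EVENTS = [
    {   # reg.exe sets UserAuthentication to 0: NLA disabled
        "EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe", "User": "CORP\\svc-backup",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication",
        "Details": "DWORD (0x00000000)",
    },
    {   # same value set to 1 by a service: NLA enabled, benign
        "EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication",
        "Details": "DWORD (0x00000001)",
    },
    {   # a different value under the same key (listener port): out of scope
        "EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe", "User": "CORP\\admin",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber",
        "Details": "DWORD (0x00000d3d)",
    },
    {   # PowerShell writing through an explicit control set: still the same value
        "EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "User": "CORP\\jdoe",
        "TargetObject": "HKLM\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication",
        "Details": "DWORD (0x00000000)",
    },
]


def dword_value(details):
    """Return the integer in a Sysmon 'DWORD (0x........)' Details string, or None."""
    m = DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def is_nla_disable(event):
    """True for a value-set event that turns NLA off on the RDP-Tcp listener."""
    return (
        event.get("EventID") == 13
        and NLA_VALUE_RE.search(event.get("TargetObject", "")) is not None
        and dword_value(event.get("Details", "")) == 0
    )


def nla_disable_alerts(events):
    """Reduce matching events to the fields an analyst triages first."""
    return [
        {"image": e["Image"], "user": e["User"], "target": e["TargetObject"]}
        for e in events
        if is_nla_disable(e)
    ]


if __name__ == "__main__":
    for alert in nla_disable_alerts(SAMPLE_EVENTS):
        print(f"NLA disabled by {alert['image']} as {alert['user']}")
```

Matching on the value name and the data, rather than on `reg.exe` command lines, is what makes the detection tool-agnostic: a PowerShell `Set-ItemProperty` or a WMI call produces the same Event ID 13. The writing process and user are carried along because they drive the first triage question (was this a scripted hardening rollback or an interactive change by an unexpected account).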
While the exact number of victims and sectors targeted are unspecified, the potential impact includes significant data breaches and system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process-creation and registry event logging to detect the registry modifications (Elastic Defend, Elastic Endgame, Microsoft Defender XDR, SentinelOne, Sysmon).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect attempts to modify the \u003ccode\u003eUserAuthentication\u003c/code\u003e registry key (Sysmon Registry Events).\u003c/li\u003e\n\u003cli\u003eReview and harden RDP configurations across the environment to prevent unauthorized access (Microsoft documentation).\u003c/li\u003e\n\u003cli\u003eMonitor endpoint security policies to detect unauthorized registry modifications (Endpoint Security Policies).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-31T12:00:00Z","date_published":"2024-01-31T12:00:00Z","id":"/briefs/2024-01-disable-nla/","summary":"Adversaries may disable Network-Level Authentication (NLA) by modifying specific registry keys to bypass authentication requirements for Remote Desktop Protocol (RDP) and enable persistence mechanisms.","title":"Network-Level Authentication (NLA) Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-nla/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","rdp","elastic"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief addresses the potential for lateral movement within a network facilitated by an unusual spike in Remote Desktop Protocol (RDP) connections originating from a single source IP address. This activity is detected using an Elastic machine learning job designed to identify anomalies in network connection patterns. 
The rule \u0026ldquo;Spike in Number of Connections Made from a Source IP\u0026rdquo; leverages this ML job to flag instances where a single host initiates RDP connections to a significantly higher than normal number of distinct destination IPs, potentially indicating that an attacker is attempting to pivot and gain access to additional systems after compromising an initial foothold. This detection mechanism is available in Elastic Security 9.4.0 and later, with the Lateral Movement Detection integration assets installed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e An attacker gains initial access to a host within the network through methods such as phishing, exploiting a vulnerability, or credential theft.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEstablish Foothold:\u003c/strong\u003e The attacker establishes a foothold on the compromised system, potentially installing tools for reconnaissance and lateral movement.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInternal Reconnaissance:\u003c/strong\u003e The attacker performs internal reconnaissance to identify potential target systems accessible via RDP.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRDP Connection Attempts:\u003c/strong\u003e The attacker initiates RDP connections to a large number of internal IP addresses from the compromised host.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Harvesting:\u003c/strong\u003e The attacker attempts to harvest credentials from the targeted systems to gain further access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker successfully connects to additional systems using RDP, leveraging harvested or stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e On newly accessed systems, the attacker attempts to escalate privileges to 
gain administrative control.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObjective Completion:\u003c/strong\u003e With broader access and elevated privileges, the attacker achieves their objective, which may include data exfiltration, ransomware deployment, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf successful, this lateral movement can result in widespread compromise across the targeted network. A single compromised host can serve as a launching point to access sensitive data, critical systems, and ultimately, inflict significant damage. The \u0026ldquo;Spike in Number of Connections Made from a Source IP\u0026rdquo; rule aims to detect these lateral movement attempts early, minimizing potential damage. The impact of a successful attack could range from data breaches and financial losses to operational disruption and reputational damage, affecting organizations across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable host IP collection if using Elastic Defend (versions 8.18 and above), by following the configuration steps outlined in the Elastic documentation to ensure the \u003ccode\u003ehost.ip\u003c/code\u003e field is populated.\u003c/li\u003e\n\u003cli\u003eInstall the Lateral Movement Detection integration assets as described in the \u003ca href=\"https://docs.elastic.co/en/integrations/lmd\"\u003eofficial Elastic documentation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eReview and tune the false positive analysis steps within the detection rule\u0026rsquo;s documentation. 
Whitelist known administrative IPs or legitimate RDP usage patterns to minimize noise.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit RDP access to only necessary systems and users, reducing the attack surface as recommended in the rule\u0026rsquo;s response and remediation guidance.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-spike-in-rdp-connections/","summary":"A machine learning job detected a high count of destination IPs establishing RDP connections with a single source IP, indicating potential lateral movement attempts after initial compromise.","title":"Spike in Number of RDP Connections from a Single Source IP","url":"https://feed.craftedsignal.io/briefs/2024-01-spike-in-rdp-connections/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","rdp","machine-learning"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief addresses the detection of unusually long Remote Desktop Protocol (RDP) sessions, identified by a pre-built Elastic machine learning job named \u003ccode\u003elmd_high_mean_rdp_session_duration_ea\u003c/code\u003e. Attackers can abuse RDP for lateral movement and maintaining persistence within a network. Extended RDP sessions can also be used to evade detection mechanisms. This detection leverages machine learning to identify deviations from normal RDP session durations, potentially indicating malicious activity. The detection rule has been available since October 2023, and the corresponding ML job is part of the Lateral Movement Detection integration, requiring Elastic Stack version 9.4.0 or later. 
The rule depends on the \u003ccode\u003ehost.ip\u003c/code\u003e field to be populated, which may require enabling host IP collection in Elastic Defend versions 8.18 and above.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network, possibly through phishing or exploiting a public-facing application.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages valid credentials or exploits a vulnerability to establish an RDP connection to a target system.\u003c/li\u003e\n\u003cli\u003eThe RDP session is maintained for an extended period, significantly longer than typical RDP sessions within the environment.\u003c/li\u003e\n\u003cli\u003eDuring the prolonged RDP session, the attacker performs reconnaissance, gathering information about the network and target systems.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems within the network, using the established RDP session as a persistent access point.\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious commands or transfers files, potentially installing malware or exfiltrating sensitive data.\u003c/li\u003e\n\u003cli\u003eThe unusually long RDP session duration helps the attacker to remain undetected and evade security measures.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft, system compromise, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and undetected lateral movement via prolonged RDP sessions can lead to significant data breaches, system compromise, and financial loss. The impact includes potential theft of sensitive information, disruption of business operations, and reputational damage. 
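The lmd_high_mean_rdp_session_duration_ea job described above learns what a normal session length looks like from your own telemetry. As an added example that is not part of the brief and not Elastic's job, here is the same idea with a robust statistical baseline: pair RDP logons (Windows Security Event 4624 with LogonType 10) with the matching logoff (4634) by logon ID, compute durations, and flag any session whose median/MAD z-score exceeds a threshold. The events, user names and source IPs are constructed, and the event layout is simplified to a tuple.

```python
from datetime import datetime
from statistics import median

RDP_LOGON_TYPE = 10  # RemoteInteractive

# Constructed Security events as (timestamp, event_id, logon_id, user, source_ip, logon_type).
# 4624 = logon, 4634 = logoff; the logon id links the two halves of a session.
SAMPLE_EVENTS = [
    ("2024-01-24T08:00:00", 4624, "0x1a2b", "alice", "10.0.1.15", 10),
    ("2024-01-24T08:25:00", 4634, "0x1a2b", "alice", None, 10),
    ("2024-01-24T09:00:00", 4624, "0x1a2c", "bob", "10.0.1.20", 10),
    ("2024-01-24T09:40:00", 4634, "0x1a2c", "bob", None, 10),
    ("2024-01-24T10:00:00", 4624, "0x1a2d", "alice", "10.0.1.15", 10),
    ("2024-01-24T10:30:00", 4634, "0x1a2d", "alice", None, 10),
    ("2024-01-24T11:00:00", 4624, "0x1a2e", "carol", "10.0.1.31", 10),
    ("2024-01-24T11:20:00", 4634, "0x1a2e", "carol", None, 10),
    ("2024-01-24T12:00:00", 4624, "0x1a2f", "bob", "10.0.1.20", 10),
    ("2024-01-24T12:35:00", 4634, "0x1a2f", "bob", None, 10),
    ("2024-01-24T12:40:00", 4624, "0x1a31", "dave", "10.0.1.40", 3),   # network logon, not RDP: ignored
    ("2024-01-24T12:41:00", 4634, "0x1a31", "dave", None, 3),
    ("2024-01-24T13:00:00", 4624, "0x1a30", "svc-backup", "10.0.9.77", 10),
    ("2024-01-25T03:00:00", 4634, "0x1a30", "svc-backup", None, 10),   # 14 h session
]


def session_durations(events):
    """Pair each RDP logon with its logoff by logon id and return one record per session."""
    open_sessions, sessions = {}, []
    for ts, event_id, logon_id, user, src_ip, logon_type in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if event_id == 4624 and logon_type == RDP_LOGON_TYPE:
            open_sessions[logon_id] = (when, user, src_ip)
        elif event_id == 4634 and logon_id in open_sessions:
            start, user, src_ip = open_sessions.pop(logon_id)
            sessions.append({
                "user": user, "src_ip": src_ip, "logon_id": logon_id,
                "start": start.isoformat(),
                "duration_minutes": (when - start).total_seconds() / 60,
            })
    return sessions  # sessions still open (no 4634 yet) are deliberately not scored


def robust_z(value, center, mad):
    """z-score built on median/MAD, so one huge outlier cannot inflate its own baseline."""
    return 0.0 if mad == 0 else 0.6745 * (value - center) / mad


def long_session_alerts(events, threshold=3.5, min_sessions=5):
    """Flag sessions far above the environment's typical RDP session length."""
    sessions = session_durations(events)
    durations = [s["duration_minutes"] for s in sessions]
    if len(durations) < min_sessions:
        return []  # too little history to call anything anomalous
    center = median(durations)
    mad = median(abs(d - center) for d in durations)
    return [
        {**s, "robust_z": round(robust_z(s["duration_minutes"], center, mad), 1),
         "baseline_median_minutes": center}
        for s in sessions
        if robust_z(s["duration_minutes"], center, mad) > threshold
    ]


if __name__ == "__main__":
    for a in long_session_alerts(SAMPLE_EVENTS):
        print(f"{a['user']} from {a['src_ip']}: {a['duration_minutes']:.0f} min (z={a['robust_z']})")
```

The median/MAD choice matters: with a plain mean and standard deviation the 14-hour session inflates the baseline it is being compared against and can mask itself. A production version also has to handle RDP disconnects (Event 4779) and reconnects (4778), which keep a session alive without a 4634, and should baseline per user or per host rather than globally, as the ML job does.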
If an adversary establishes a persistent foothold via RDP, they can maintain long-term access to the compromised environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure \u003ccode\u003ehost.ip\u003c/code\u003e field is populated by enabling host IP collection if using Elastic Defend versions 8.18 and above, as described in the \u003ca href=\"https://www.elastic.co/docs/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint#host-fields\"\u003ehelper guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInstall and configure the Lateral Movement Detection integration in Kibana as described in the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003esetup guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eTune the machine learning job \u003ccode\u003elmd_high_mean_rdp_session_duration_ea\u003c/code\u003e by adjusting the \u003ccode\u003eanomaly_threshold\u003c/code\u003e based on your environment and RDP usage patterns.\u003c/li\u003e\n\u003cli\u003eInvestigate triggered alerts from the \u0026ldquo;High Mean of RDP Session Duration\u0026rdquo; rule following the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003etriage and analysis guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor Windows RDP process events collected by the \u003ca href=\"https://docs.elastic.co/en/integrations/endpoint\"\u003eElastic Defend\u003c/a\u003e integration for suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T18:10:00Z","date_published":"2024-01-24T18:10:00Z","id":"/briefs/2024-01-high-mean-rdp-session/","summary":"A machine learning job detected an unusually high mean of RDP session duration, indicative of potential lateral movement or persistent access attempts by adversaries abusing RDP.","title":"Unusually High Mean of RDP Session Duration Detected by Machine 
Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-high-mean-rdp-session/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","threat-detection","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies potential lateral movement by flagging spikes in the number of processes initiated during a single RDP session. The rule, based on an Elastic machine learning job named \u003ccode\u003elmd_high_sum_rdp_number_of_processes_ea\u003c/code\u003e, aims to uncover suspicious remote activity indicative of an attacker attempting to execute commands or deploy tools on a compromised host. This detection matters because RDP is a common vector for attackers to gain access to internal networks and subsequently move laterally. The detection leverages Windows RDP process events and file events collected by the Elastic Defend integration. Identifying anomalous process creation within RDP sessions can help defenders identify and respond to potential security incidents faster.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages valid credentials or exploits an RDP vulnerability to establish a remote session (T1021.001).\u003c/li\u003e\n\u003cli\u003eOnce connected via RDP, the attacker begins to execute a series of commands to enumerate the system and network.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to install malware or other malicious tools, triggering the creation of multiple processes.\u003c/li\u003e\n\u003cli\u003eThe machine learning job detects a significant increase in the number of processes started within the RDP session.\u003c/li\u003e\n\u003cli\u003eThe detection rule triggers, alerting analysts to the anomalous activity.\u003c/li\u003e\n\u003cli\u003eThe 
attacker uses the newly installed tools to move laterally to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful lateral movement attack can lead to significant damage, including data breaches, system compromise, and financial loss. While the severity is low, a spike in RDP processes can be an early indicator of compromise. Attackers often use RDP to propagate through a network after gaining initial access, making this detection critical for preventing widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable host IP collection by following the configuration steps in the \u003ca href=\"https://www.elastic.co/docs/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint#host-fields\"\u003eElastic Defend documentation\u003c/a\u003e to ensure the \u003ccode\u003ehost.ip\u003c/code\u003e field is populated.\u003c/li\u003e\n\u003cli\u003eInstall the Lateral Movement Detection integration assets as described in the rule\u0026rsquo;s setup instructions to enable the machine learning job \u003ccode\u003elmd_high_sum_rdp_number_of_processes_ea\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview and tune the anomaly threshold to reduce false positives based on your organization\u0026rsquo;s typical RDP usage.\u003c/li\u003e\n\u003cli\u003eInvestigate RDP sessions flagged by this rule to identify the source of the process spike and potential malicious activity as described in the rule\u0026rsquo;s \u0026ldquo;Triage and Analysis\u0026rdquo; notes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T14:35:00Z","date_published":"2024-01-23T14:35:00Z","id":"/briefs/2024-01-rdp-process-spike/","summary":"A machine learning job has detected an unusually 
high number of processes started within a single Remote Desktop Protocol (RDP) session, potentially indicating lateral movement activity.","title":"Spike in Number of Processes in an RDP Session","url":"https://feed.craftedsignal.io/briefs/2024-01-rdp-process-spike/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","machine-learning","elastic"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies potential lateral movement within a network by flagging unusual remote file transfers to directories that are not commonly monitored. Attackers often leverage less scrutinized file paths to evade standard security measures and deploy malicious payloads. This detection relies on the \u0026ldquo;lmd_rare_file_path_remote_transfer_ea\u0026rdquo; machine learning job within Elastic Security, which analyzes file and Windows RDP process events to identify anomalous file transfers based on the destination directory. The detection is part of the Lateral Movement Detection integration and requires Elastic Defend and Fleet for full functionality. 
This is important for defenders because attackers will try to blend in with normal file transfer activity by using uncommon directories.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system within the network (e.g., via phishing or exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target host for lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a remote service (e.g., RDP, SMB) to connect to the target host.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to transfer malicious files to the target host.\u003c/li\u003e\n\u003cli\u003eInstead of using common directories like \u0026ldquo;C:\\Windows\\Temp\u0026rdquo; or \u0026ldquo;C:\\ProgramData\u0026rdquo;, the attacker chooses a less monitored directory to evade detection.\u003c/li\u003e\n\u003cli\u003eThe remote service is leveraged to perform the file transfer to the atypical directory.\u003c/li\u003e\n\u003cli\u003eThe transferred file is then executed, potentially leading to command execution or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective (e.g., data exfiltration, ransomware deployment) on the target host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data, compromise of critical systems, and potential disruption of business operations. Although this detection is rated as low severity, successful lateral movement can lead to significant damage. The number of affected hosts and the severity of the impact depends on the attacker\u0026rsquo;s objectives and the organization\u0026rsquo;s security posture. 
Lateral movement allows attackers to gain a deeper foothold within the network and increase the scope of their malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the \u003ccode\u003ehost.ip\u003c/code\u003e field is populated in Elastic Defend events by following the configuration steps in the \u003ca href=\"https://www.elastic.co/docs/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint#host-fields\"\u003eElastic documentation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInstall the Lateral Movement Detection integration assets as described in the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eTune the anomaly_threshold in the machine learning job configuration based on your environment\u0026rsquo;s baseline activity to minimize false positives, as mentioned in the rule\u0026rsquo;s configuration.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, paying close attention to the source and destination IP addresses, the user account involved, and the specific directory used for the file transfer as outlined in the \u003ca href=\"#triage-and-analysis\"\u003etriage and analysis section\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-22T12:00:00Z","date_published":"2024-01-22T12:00:00Z","id":"/briefs/2024-01-22-unusual-remote-file-directory/","summary":"An Elastic machine learning job detects anomalous remote file transfers to unusual directories, indicating potential lateral movement by attackers attempting to bypass standard security monitoring.","title":"Unusual Remote File Directory Lateral Movement Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-22-unusual-remote-file-directory/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic 
Defend"],"_cs_severities":["medium"],"_cs_tags":["ransomware","impact","lateral-movement","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies potential ransomware activity through the rapid creation of ransom notes via SMB shares. The rule focuses on file creation events attributed to the System process (PID 4). On a Windows host, files written by remote SMB clients are created by the kernel-mode SMB server rather than by a user-mode process, so they appear in endpoint telemetry under PID 4; PID 4 combined with a common ransom note extension (.txt, .html, .pdf, image files) is therefore a usable proxy for \u0026ldquo;dropped over the network\u0026rdquo;. This activity suggests an attacker has already achieved lateral movement and is deploying ransom notes across the target\u0026rsquo;s directories. The rule aggregates events within a 60-second window to reduce false positives and focus on high-frequency creation patterns indicative of automated ransomware deployment. Successful detection can help defenders quickly identify and contain ransomware outbreaks before widespread encryption occurs. The original Elastic detection rule was published on 2024-05-03 and updated on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system through an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems on the network using valid accounts or exploits (T1021.002 - SMB/Windows Admin Shares).\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool to remotely create files over SMB. 
(T1021.002 - SMB/Windows Admin Shares)\u003c/li\u003e\n\u003cli\u003eOn the receiving host, the remote SMB writes are attributed to the System process (PID 4); the same file name is created under multiple local paths (C:\\*).\u003c/li\u003e\n\u003cli\u003eThe created files have file extensions commonly associated with ransom notes: .txt, .htm, .html, .hta, .pdf, .jpg, .bmp, .png.\u003c/li\u003e\n\u003cli\u003eThe same file name is dropped into at least 3 unique paths within a short time frame (60 seconds).\u003c/li\u003e\n\u003cli\u003eThe attacker encrypts data and leaves the ransom notes to instruct victims on how to pay the ransom (T1486 - Data Encrypted for Impact).\u003c/li\u003e\n\u003cli\u003eThe organization experiences data loss, financial damage, and reputational harm.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful ransomware attacks can lead to significant data loss, financial costs associated with ransom payments, recovery efforts, and reputational damage. Organizations may experience business disruption, regulatory fines, and legal liabilities. The Akira ransomware group, referenced in the original rule\u0026rsquo;s documentation, has been known to target various sectors, demanding substantial ransoms from victims. 
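Steps 4 to 6 of the attack chain describe a threshold over file-creation telemetry. The following Python is an added example (not the Elastic rule itself) of that logic: it keeps a 60-second sliding window per host and file name, counts only creations attributed to PID 4 with a ransom-note extension, and alerts once the same name has landed in three distinct paths. The events, host names and paths are constructed; the tuple layout is a simplification of a real file-creation record.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

NOTE_EXTENSIONS = {"txt", "htm", "html", "hta", "pdf", "jpg", "bmp", "png"}
SYSTEM_PID = 4                  # remote SMB writes are attributed to the System process on the receiving host
WINDOW = timedelta(seconds=60)
MIN_UNIQUE_PATHS = 3

# Constructed file-creation events: (timestamp, host, creating pid, full path).
SAMPLE_EVENTS = [
    ("2024-01-22T10:00:00", "FS01", 4, "C:\\Users\\alice\\Documents\\readme_to_decrypt.txt"),
    ("2024-01-22T10:00:05", "FS01", 4, "C:\\Users\\alice\\Desktop\\readme_to_decrypt.txt"),
    ("2024-01-22T10:00:12", "FS01", 4, "C:\\Shares\\Finance\\readme_to_decrypt.txt"),
    ("2024-01-22T10:00:12", "FS01", 4, "C:\\Shares\\Finance\\readme_to_decrypt.txt"),  # same path again: not a new location
    ("2024-01-22T10:00:30", "FS01", 4, "C:\\Shares\\HR\\budget.xlsx"),                   # not a note extension
    ("2024-01-22T10:01:00", "WS02", 1532, "C:\\Users\\bob\\Desktop\\notes.txt"),         # local process, not PID 4
    ("2024-01-22T10:05:00", "WS02", 4, "C:\\Users\\bob\\readme.txt"),
    ("2024-01-22T10:07:00", "WS02", 4, "C:\\Users\\carol\\readme.txt"),                   # two paths, 120 s apart: below threshold
]


def split_path(path):
    """Return (file name, lower-case extension) from a Windows path."""
    name = path.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return name, ext


def ransom_note_alerts(events):
    """Alert once per (host, file name) when PID 4 creates that name in >= 3 distinct paths within 60 s."""
    recent = defaultdict(deque)   # (host, lower-case name) -> deque of (timestamp, lower-case path)
    alerted, alerts = set(), []
    for ts_str, host, pid, path in sorted(events, key=lambda e: e[0]):
        if pid != SYSTEM_PID:
            continue
        name, ext = split_path(path)
        if ext not in NOTE_EXTENSIONS:
            continue
        ts = datetime.fromisoformat(ts_str)
        key = (host, name.lower())
        window = recent[key]
        window.append((ts, path.lower()))
        while ts - window[0][0] > WINDOW:      # drop creations older than the sliding window
            window.popleft()
        unique_paths = {p for _, p in window}
        if len(unique_paths) >= MIN_UNIQUE_PATHS and key not in alerted:
            alerted.add(key)
            alerts.append({
                "host": host, "file_name": name, "unique_paths": len(unique_paths),
                "first_seen": window[0][0].isoformat(), "last_seen": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in ransom_note_alerts(SAMPLE_EVENTS):
        print(f"{a['host']}: {a['file_name']} written to {a['unique_paths']} paths "
              f"between {a['first_seen']} and {a['last_seen']}")
```

Two details carry the false-positive control: the same path written twice does not count as a new location, and the window is per file name, so a backup job touching many different files does not accumulate. The per-key alert suppression keeps a ransomware run that touches thousands of directories from producing thousands of alerts on the same host.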
The widespread distribution of ransom notes indicates an advanced stage of the ransomware attack, necessitating immediate containment to prevent further data encryption and system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePotential Ransomware Note File Dropped via SMB\u003c/code\u003e to your SIEM to detect suspicious file creation activity indicative of ransomware deployment.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend for enhanced endpoint detection and response capabilities, as recommended in the rule\u0026rsquo;s setup instructions.\u003c/li\u003e\n\u003cli\u003eMonitor incoming network connections to port 445 (SMB) on critical assets, as suggested in the rule\u0026rsquo;s triage analysis.\u003c/li\u003e\n\u003cli\u003eInvestigate file names with unusual extensions to identify potential ransom notes, as mentioned in the triage analysis.\u003c/li\u003e\n\u003cli\u003eIsolate any hosts identified as creating multiple note files over SMB to prevent further lateral movement and data encryption, as described in the rule\u0026rsquo;s response and remediation steps.\u003c/li\u003e\n\u003cli\u003eReview and enforce network segmentation policies to limit lateral movement and reduce the impact of potential ransomware attacks (TA0008).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-22T12:00:00Z","date_published":"2024-01-22T12:00:00Z","id":"/briefs/2024-01-22-potential-ransomware-smb/","summary":"This rule detects potential ransomware behavior by identifying the creation of multiple files with the same name over SMB by the SYSTEM account, potentially indicating remote execution of ransomware dropping note files.","title":"Potential Ransomware Behavior - Note Files Dropped via 
SMB","url":"https://feed.craftedsignal.io/briefs/2024-01-22-potential-ransomware-smb/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["netexec","crackmapexec","lateral-movement","post-exploitation","hacktool"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eNetExec (formerly CrackMapExec) is a widely used post-exploitation tool favored by penetration testers and malicious actors for Active Directory enumeration, credential harvesting, and remote code execution. The Windows build is a PyInstaller one-file executable: when it runs, the PyInstaller bootloader unpacks the embedded bundle into a temporary directory named \u0026ldquo;_MEI\u0026rdquo; followed by a random string, located under the user\u0026rsquo;s Temp folder. The \u0026ldquo;_MEI\u0026rdquo; prefix alone is not specific to NetExec, because every PyInstaller one-file application creates one; the distinguishing artifact is the \u0026ldquo;\\nxc\\data\u0026rdquo; subdirectory within that extraction path, which contains files unique to NetExec. These file creation events offer a reliable indicator of NetExec execution on that host, although they only appear when NetExec runs on Windows; an operator running it from a Linux machine leaves no such artifact on the Windows targets. This activity is important for defenders as it signals potential reconnaissance, lateral movement attempts, or the establishment of a foothold within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system through various means (e.g., compromised credentials, exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the NetExec executable (nxc.exe, possibly renamed) to the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker executes nxc.exe.\u003c/li\u003e\n\u003cli\u003eNetExec extracts its embedded data files into a temporary directory. 
The path follows the pattern: \u003ccode\u003e\\Temp\\_MEI\u0026lt;random\u0026gt;\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eWithin the temporary directory, a specific subdirectory \u003ccode\u003e\\nxc\\data\\\u003c/code\u003e is created, containing NetExec\u0026rsquo;s data files.\u003c/li\u003e\n\u003cli\u003eNetExec utilizes these files for Active Directory enumeration, credential harvesting, and reconnaissance activities.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages gathered information to move laterally within the network, potentially targeting other systems or services.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to execute code remotely using harvested credentials, furthering their access and control within the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful NetExec deployment can lead to extensive reconnaissance of Active Directory environments, enabling attackers to map out network infrastructure, identify valuable targets, and harvest credentials. This can result in unauthorized access to sensitive data, lateral movement to critical systems, and ultimately, a complete compromise of the domain. 
Organizations in all sectors are vulnerable, with the impact ranging from data breaches and financial loss to reputational damage and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect NetExec File Creation\u003c/code\u003e to your SIEM to detect NetExec\u0026rsquo;s unique file creation patterns (logsource: file_event, product: windows).\u003c/li\u003e\n\u003cli\u003eMonitor file creation events in the \u003ccode\u003e\\Temp\u003c/code\u003e directory for filenames containing \u003ccode\u003e_MEI\u003c/code\u003e and \u003ccode\u003e\\nxc\\data\\\u003c/code\u003e, as these indicate NetExec\u0026rsquo;s extraction process.\u003c/li\u003e\n\u003cli\u003eEnable process-creation logging with command-line arguments to identify the execution of \u003ccode\u003enxc.exe\u003c/code\u003e (logsource: process_creation, product: windows).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules to determine the extent of the compromise and contain any further lateral movement.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-18T12:00:00Z","date_published":"2024-01-18T12:00:00Z","id":"/briefs/2024-01-netexec-file-indicators/","summary":"This brief covers the detection of NetExec, a post-exploitation and lateral movement tool, through monitoring for unique file creation patterns associated with its execution and file extraction in Windows environments.","title":"NetExec File Creation Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-netexec-file-indicators/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows NT Domain"],"_cs_severities":["low"],"_cs_tags":["discovery","domain trust","lateral movement","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe \u003ccode\u003enltest.exe\u003c/code\u003e utility is a command-line tool 
used to manage and troubleshoot Windows NT domains. While legitimate domain administrators may use this utility for information gathering, adversaries can also abuse it to enumerate domain trusts and gain insight into trust relationships, which exposes the state of Domain Controller (DC) replication within a Windows NT Domain. This activity is more suspicious in environments with Windows Server 2012 and newer, where its usage is less common for legitimate purposes. Attackers can leverage this information to facilitate lateral movement and other malicious activities within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised host within the target environment.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enltest.exe\u003c/code\u003e with specific arguments such as \u003ccode\u003e/DOMAIN_TRUSTS\u003c/code\u003e, \u003ccode\u003e/DCLIST:*\u003c/code\u003e, \u003ccode\u003e/DCNAME:*\u003c/code\u003e, \u003ccode\u003e/DSGET*\u003c/code\u003e, \u003ccode\u003e/LSAQUERYFTI:*\u003c/code\u003e, \u003ccode\u003e/PARENTDOMAIN\u003c/code\u003e, or \u003ccode\u003e/BDC_QUERY:*\u003c/code\u003e to enumerate domain trusts.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enltest.exe\u003c/code\u003e utility queries the Active Directory to gather information about domain trusts, domain controllers, and other domain-related information.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output of \u003ccode\u003enltest.exe\u003c/code\u003e to identify trust relationships, domain controllers, and other relevant information about the domain infrastructure.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to map out potential lateral movement paths within the environment.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages discovered trust relationships to authenticate to other domains or 
resources.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems or domains, leveraging the discovered trust relationships and compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence and continues to perform malicious activities, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enumeration of domain trusts via \u003ccode\u003enltest.exe\u003c/code\u003e can provide attackers with valuable information to facilitate lateral movement and escalate privileges within a Windows NT Domain. This can lead to the compromise of sensitive data, disruption of critical services, and ultimately, a complete takeover of the affected environment. While the specific number of victims and sectors targeted are unknown, the impact can be significant for organizations relying on Active Directory for authentication and authorization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution for \u003ccode\u003enltest.exe\u003c/code\u003e with command-line arguments indicative of domain trust discovery, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003enltest.exe\u003c/code\u003e execution, especially when initiated by non-administrative users or from unusual locations, as identified by the Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the necessary process execution data for the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of \u003ccode\u003enltest.exe\u003c/code\u003e to authorized personnel only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-11T17:49:00Z","date_published":"2024-01-11T17:49:00Z","id":"/briefs/2024-01-nltest-domain-trust-discovery/","summary":"Adversaries may use the `nltest.exe` 
command-line utility to enumerate domain trusts and gain insight into trust relationships to facilitate lateral movement within a Microsoft Windows NT Domain.","title":"NLTEST.EXE Used for Domain Trust Discovery","url":"https://feed.craftedsignal.io/briefs/2024-01-nltest-domain-trust-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["discovery","powershell","share-enumeration","lateral-movement","ransomware"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts utilizing ShareFinder functions (Invoke-ShareFinder/Invoke-ShareFinderThreaded) or native Windows API calls for share enumeration. These techniques are commonly used by attackers to map accessible network shares within an environment. This reconnaissance is often a precursor to data collection, lateral movement, or the deployment of ransomware. The activity is detected via script block logging, and focuses on identifying specific function calls and API usage within the PowerShell script content. Defenders should be aware of this activity, particularly when performed by unexpected users or on unusual systems, as it may indicate malicious reconnaissance within the network. 
The references indicate that this activity can lead to corporate insurance policy exfiltration or Conti ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script, either directly or through a fileless execution method.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script utilizes ShareFinder functions (Invoke-ShareFinder, Invoke-ShareFinderThreaded) or Windows share enumeration APIs (NetShareEnum, NetApiBufferFree) to discover network shares.\u003c/li\u003e\n\u003cli\u003eThe script identifies accessible network shares by leveraging API calls and parsing the results for share names (shi1_netname) and remarks (shi1_remark).\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the identified shares to determine those that are accessible and contain valuable data.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt to access these shares using compromised credentials or exploiting existing vulnerabilities.\u003c/li\u003e\n\u003cli\u003eOnce access is gained, the attacker may collect sensitive data from the shares, move laterally to other systems, or deploy ransomware.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is data exfiltration, system compromise, or financial gain through ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this reconnaissance technique can lead to significant data breaches, lateral movement within the network, and potential ransomware deployment. Organizations that fail to detect and prevent share enumeration may suffer financial losses, reputational damage, and operational disruption. 
The referenced \u0026ldquo;Stolen Images\u0026rdquo; campaign led to Conti ransomware deployment, and the \u0026ldquo;Hunting for corporate insurance policies\u0026rdquo; post highlights data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell script block logging to capture the necessary events for detection (as referenced in the rule setup).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Share Enumeration Script via Invoke-ShareFinder\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Share Enumeration via NetShareEnum API\u0026rdquo; to detect share enumeration using native Windows APIs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the PowerShell launch context and the scope of the share discovery (see triage steps in the original rule).\u003c/li\u003e\n\u003cli\u003eReview and restrict PowerShell execution policies to prevent unauthorized script execution, especially from user-writable locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"/briefs/2024-01-09-powershell-share-enumeration/","summary":"Detection of PowerShell scripts employing ShareFinder functions or Windows share enumeration APIs to discover accessible network shares for reconnaissance, lateral movement, or ransomware deployment.","title":"PowerShell Share Enumeration via ShareFinder or Native APIs","url":"https://feed.craftedsignal.io/briefs/2024-01-09-powershell-share-enumeration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","dcom","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies the abuse of Distributed Component 
Object Model (DCOM) for lateral movement within a Windows environment. DCOM allows software components to communicate across a network, and attackers may leverage it to execute commands remotely. This rule specifically focuses on the use of ShellBrowserWindow or ShellWindows Application COM objects as the launching point for these remote commands. The technique enables stealthy lateral movement, as it leverages legitimate Windows functionality. This activity is detected by identifying incoming TCP connections on high ports associated with \u003ccode\u003eexplorer.exe\u003c/code\u003e spawning child processes, which are indicative of DCOM abuse. The rule is designed to detect this behavior and alert security teams to potential unauthorized lateral movement attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised host within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses DCOM to initiate a connection to a target host.\u003c/li\u003e\n\u003cli\u003eThe DCOM connection is established to the target host via high TCP ports (above 49151).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eexplorer.exe\u003c/code\u003e process on the target host receives the DCOM connection.\u003c/li\u003e\n\u003cli\u003eThe attacker uses ShellBrowserWindow or ShellWindows COM objects to execute commands.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eexplorer.exe\u003c/code\u003e spawns a child process to execute the attacker-supplied command.\u003c/li\u003e\n\u003cli\u003eThe spawned process performs malicious actions, such as reconnaissance or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary commands on the target system, leading to potential data exfiltration, system compromise, and further lateral movement within the network. 
This can result in significant damage, including data breaches, financial losses, and reputational harm. The DCOM protocol is commonly used in many Windows environments, so this technique could be broadly applicable across many victim organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;DCOM Lateral Movement with Explorer.exe\u0026rdquo; to your SIEM and tune for your environment to detect suspicious process creations spawned by explorer.exe.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 3 (Network Connection) and Event ID 1 (Process Creation) logging to ensure the required data is available for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eReview network activity for incoming TCP connections to high ports (49151+) associated with \u003ccode\u003eexplorer.exe\u003c/code\u003e, as highlighted in the \u0026ldquo;Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows\u0026rdquo; detection.\u003c/li\u003e\n\u003cli\u003eInvestigate any unusual or unexpected child processes spawned by \u003ccode\u003eexplorer.exe\u003c/code\u003e, as detected by the Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"/briefs/2024-01-dcom-lateral-movement/","summary":"This analytic identifies the use of Distributed Component Object Model (DCOM) to execute commands on a remote host, specifically when launched via ShellBrowserWindow or ShellWindows Application COM objects, indicating potential lateral movement by an attacker.","title":"DCOM Lateral Movement via ShellWindows/ShellBrowserWindow","url":"https://feed.craftedsignal.io/briefs/2024-01-dcom-lateral-movement/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud 
Funnel","PowerShell"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","powershell","remoting"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies potential lateral movement through the exploitation of Windows PowerShell remoting. PowerShell remoting is a feature that enables administrators and attackers to execute commands on remote Windows systems. The detection focuses on identifying incoming network connections on ports 5985 (HTTP) and 5986 (HTTPS), the default ports used for PowerShell Remoting, followed by the execution of processes spawned by \u003ccode\u003ewsmprovhost.exe\u003c/code\u003e, the Windows Remote Management process host. This activity, when originating from unexpected sources, may indicate unauthorized access and lateral movement within a network. The rule is designed to detect suspicious activity by monitoring network traffic and process execution, flagging potential unauthorized remote executions, and enabling security teams to respond swiftly.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a network, possibly through phishing or exploiting a vulnerability on an internet-facing system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages PowerShell remoting to initiate a connection to a target system on ports 5985 or 5986.\u003c/li\u003e\n\u003cli\u003eThe target system accepts the incoming PowerShell Remoting connection.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewsmprovhost.exe\u003c/code\u003e process is launched on the target system to facilitate the remote PowerShell session.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands remotely, spawning child processes from \u003ccode\u003ewsmprovhost.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges or move laterally to other systems within the 
network using the remote PowerShell session.\u003c/li\u003e\n\u003cli\u003eThe attacker uses tools such as \u003ccode\u003enet.exe\u003c/code\u003e or \u003ccode\u003ePsExec\u003c/code\u003e over the remote PowerShell session to further propagate.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or deploying ransomware, by leveraging the established remote session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of PowerShell Remoting for lateral movement can lead to widespread compromise within an organization. An attacker could gain control over multiple systems, potentially leading to data breaches, system outages, or ransomware deployment. The number of affected systems could range from a few critical servers to a significant portion of the network, depending on the attacker\u0026rsquo;s objectives and the organization\u0026rsquo;s security posture. The impact could include financial losses, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eIncoming Execution via PowerShell Remoting\u003c/code\u003e to your SIEM to detect suspicious PowerShell remoting activity and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to ports 5985 and 5986, and investigate any unauthorized or unexpected traffic using the \u003ccode\u003enetwork_connection\u003c/code\u003e log source.\u003c/li\u003e\n\u003cli\u003eInvestigate processes spawned by \u003ccode\u003ewsmprovhost.exe\u003c/code\u003e for unusual or malicious activity using the \u003ccode\u003eprocess_creation\u003c/code\u003e log source.\u003c/li\u003e\n\u003cli\u003eWhitelist authorized administrative IP addresses or user accounts that frequently perform remote management tasks, as mentioned in the false 
positives analysis.\u003c/li\u003e\n\u003cli\u003eReview and document automated scripts or scheduled tasks that use PowerShell Remoting for system maintenance, then create exceptions for their specific process names or execution paths.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:53:23Z","date_published":"2024-01-03T18:53:23Z","id":"/briefs/2024-01-03-powershell-remoting/","summary":"This rule identifies remote execution via Windows PowerShell remoting, which allows a user to run any Windows PowerShell command on one or more remote computers, potentially indicating lateral movement.","title":"Incoming Execution via PowerShell Remoting","url":"https://feed.craftedsignal.io/briefs/2024-01-03-powershell-remoting/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","threat-detection","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert originates from a machine learning job designed to detect anomalous RDP session start times. RDP is a common vector for lateral movement, and attackers may initiate sessions during off-peak hours to evade detection. The machine learning model flags sessions started outside of normal business hours or on unusual weekdays. While not inherently malicious, this activity warrants investigation as it can be an early indicator of a broader attack. The rule is part of the Lateral Movement Detection (LMD) integration from Elastic, requiring a minimum stack version of 9.4.0 and leverages Entity Analytics (EA) fields. 
Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events using Elastic\u0026rsquo;s Anomaly Detection feature.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through compromised credentials or a software vulnerability (not described in source).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages RDP to attempt lateral movement to other systems within the network.\u003c/li\u003e\n\u003cli\u003eThe RDP session is initiated at an unusual time or day, deviating from typical user behavior.\u003c/li\u003e\n\u003cli\u003eThe machine learning job detects this anomaly based on the unusual RDP session start time.\u003c/li\u003e\n\u003cli\u003eAn alert is triggered, flagging the potentially suspicious activity.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to access sensitive data or resources on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker could install malware or establish persistence mechanisms (not described in source).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful lateral movement attack can allow an attacker to gain access to sensitive data, compromise critical systems, and ultimately disrupt business operations. While the detection of an unusual RDP session is an early warning sign, it is critical to investigate these alerts promptly to prevent further escalation. If the suspicious RDP session is part of a broader attack, the impact could range from data theft to ransomware deployment. 
The lack of immediate action could lead to significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable host IP collection within Elastic Defend if using versions 8.18 and above, following the configuration steps in the \u003ca href=\"https://www.elastic.co/docs/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint#host-fields\"\u003ehelper guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eEnsure the Lateral Movement Detection integration assets are installed, as well as file and Windows RDP process events collected by the Elastic Defend integration, as mentioned in the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate all alerts generated by the \u0026ldquo;Unusual Time or Day for an RDP Session\u0026rdquo; rule, correlating the RDP session with other security events.\u003c/li\u003e\n\u003cli\u003eTune the anomaly threshold (currently 70) to reduce false positives while maintaining effective detection capabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:50:00Z","date_published":"2024-01-03T18:50:00Z","id":"/briefs/2024-01-unusual-rdp-session/","summary":"A machine learning job detected an RDP session initiated at an unusual time or day, potentially indicating lateral movement activity within a network.","title":"Unusual Time or Day for an RDP Session Detected by Machine Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-rdp-session/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS IAM","AWS STS"],"_cs_severities":["medium"],"_cs_tags":["aws","saml","cloudtrail","initial-access","lateral-movement","persistence","privilege-escalation","stealth"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis detection 
identifies potentially malicious Security Assertion Markup Language (SAML) activity within Amazon Web Services (AWS). The activity includes monitoring for \u003ccode\u003eAssumeRoleWithSAML\u003c/code\u003e and \u003ccode\u003eUpdateSAMLProvider\u003c/code\u003e events. An adversary might exploit SAML to gain unauthorized access, escalate privileges, move laterally within the AWS environment, or establish persistent backdoor access. The focus is on detecting unusual or unauthorized modifications to SAML configurations and role assumptions, which could indicate a compromised identity provider or malicious actor leveraging SAML for illicit purposes. Defenders should prioritize monitoring SAML-related API calls to identify and mitigate potential threats early in the attack chain.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises or creates a malicious SAML identity provider.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the AWS environment to trust the malicious SAML provider using \u003ccode\u003eUpdateSAMLProvider\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a SAML assertion to assume a specific role within the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eAssumeRoleWithSAML\u003c/code\u003e API call to authenticate with AWS using the crafted SAML assertion.\u003c/li\u003e\n\u003cli\u003eAWS STS validates the SAML assertion and, if valid, provides temporary credentials for the assumed role.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the temporary credentials to perform actions within AWS, potentially escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the AWS environment, accessing resources and services authorized for the assumed role.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistent access by creating backdoors or modifying existing IAM policies, 
leveraging the initially gained access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via SAML manipulation can lead to a complete compromise of the AWS environment. Attackers can gain unauthorized access to sensitive data, disrupt critical services, and deploy malicious infrastructure. The impact includes potential data breaches, financial losses, and reputational damage. The number of affected resources depends on the permissions associated with the roles assumed by the attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule for \u003ccode\u003eAssumeRoleWithSAML\u003c/code\u003e events to detect suspicious role assumptions (see \u0026ldquo;AssumeRoleWithSAML Detection Rule\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for \u003ccode\u003eUpdateSAMLProvider\u003c/code\u003e events to detect unauthorized SAML provider modifications (see \u0026ldquo;UpdateSAMLProvider Detection Rule\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003eAssumeRoleWithSAML\u003c/code\u003e events originating from unfamiliar user agents or IP addresses by reviewing CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eUpdateSAMLProvider\u003c/code\u003e events for unexpected changes to SAML provider configurations. 
Review associated CloudTrail logs for user identity, user agent, and hostname to ensure authorized access.\u003c/li\u003e\n\u003cli\u003eTune the provided Sigma rules for your environment, addressing false positives by exempting known, legitimate behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:22:30Z","date_published":"2024-01-03T18:22:30Z","id":"/briefs/2024-01-03-aws-suspicious-saml/","summary":"This rule identifies suspicious SAML activity in AWS, such as AssumeRoleWithSAML and UpdateSAMLProvider events, which could indicate an attacker gaining backdoor access, escalating privileges, or establishing persistence.","title":"Suspicious AWS SAML Activity Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-suspicious-saml/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","machine-learning","elastic"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis brief focuses on a detection rule from Elastic\u0026rsquo;s Lateral Movement Detection (LMD) integration that utilizes machine learning to identify unusual remote file transfers. The rule, \u0026ldquo;Unusual Remote File Extension,\u0026rdquo; is designed to detect anomalies in file transfers, specifically those involving rare file extensions, which could be indicative of lateral movement within a network. This rule leverages the \u003ccode\u003elmd_rare_file_extension_remote_transfer_ea\u003c/code\u003e machine learning job ID. The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. 
The rule operates by analyzing \u003ccode\u003ehost.ip\u003c/code\u003e and detecting anomalies in file transfers, where host IP collection needs to be enabled on Elastic Defend versions 8.18 and above.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems using remote services like RDP or SMB.\u003c/li\u003e\n\u003cli\u003eAs part of the lateral movement, the attacker transfers tools or files to the remote system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a rare or uncommon file extension for the transferred files, potentially to evade detection based on known file types.\u003c/li\u003e\n\u003cli\u003eThe file transfer occurs over the network, triggering file event logs on the source and destination systems.\u003c/li\u003e\n\u003cli\u003eElastic Defend, with host IP collection enabled, monitors these file events and forwards the data to the Elastic Security platform.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;Unusual Remote File Extension\u0026rdquo; machine learning job identifies the transfer of a file with a rare extension, comparing it against historical data.\u003c/li\u003e\n\u003cli\u003eIf the file extension is deemed anomalous based on its rarity, the rule triggers, indicating potential lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful lateral movement attack can allow an adversary to gain access to sensitive data, critical systems, or privileged accounts. By using uncommon file extensions, attackers attempt to bypass security measures that rely on identifying known file types. This can lead to undetected malware deployment, data exfiltration, or further compromise of the network. 
Though this rule is of low severity, it can provide an early warning signal to stop an attack before greater damage occurs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the \u003ccode\u003ehost.ip\u003c/code\u003e field within Elastic Defend configurations (versions 8.18 and above) to ensure proper data collection for the machine learning job.\u003c/li\u003e\n\u003cli\u003eInstall the Lateral Movement Detection integration assets within Kibana as per the provided setup instructions to activate the \u0026ldquo;Unusual Remote File Extension\u0026rdquo; rule.\u003c/li\u003e\n\u003cli\u003eTune the anomaly threshold of the machine learning job to reduce false positives, considering your organization\u0026rsquo;s typical file transfer patterns.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Remote File Extension Transfer\u0026rdquo; Sigma rule to identify file transfers with rare extensions using process creation logs.\u003c/li\u003e\n\u003cli\u003eReview the triage and analysis steps in the rule\u0026rsquo;s documentation to effectively investigate and respond to triggered alerts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-03-unusual-remote-file-extension/","summary":"An Elastic machine learning rule detects unusual remote file transfers with rare extensions, potentially indicating lateral movement activity on a host and suggesting adversaries bypassing security measures.","title":"Unusual Remote File Extension Detected via Machine Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-03-unusual-remote-file-extension/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["high"],"_cs_tags":["credential-access","lateral-movement","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection 
identifies potential remote access to the Windows registry to dump credential data from the Security Account Manager (SAM) registry hive, activity that typically precedes credential access and privilege elevation. The rule watches for files written by \u003ccode\u003esvchost.exe\u003c/code\u003e, the legitimate host process for the RemoteRegistry service, into temporary locations: a file that begins with the registry hive (REGF) header bytes and is also of significant size is a strong indicator of a secretsdump-style hive export rather than routine service activity. The rule is designed for data generated by Elastic Defend.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system via compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eUsing a remote registry tool such as Impacket\u0026rsquo;s \u003ccode\u003esecretsdump.py\u003c/code\u003e, the attacker connects to the RemoteRegistry service on the target, which runs inside \u003ccode\u003esvchost.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThrough that service the attacker asks the target to save the SAM, SECURITY, and SYSTEM registry hives to disk (secretsdump does this with the registry save-key RPC call).\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esvchost.exe\u003c/code\u003e writes each saved hive to a temporary file (e.g., a \u003ccode\u003e.tmp\u003c/code\u003e file) in the \u003ccode\u003e\\Windows\\System32\\\u003c/code\u003e or \u003ccode\u003e\\WINDOWS\\Temp\\\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe temporary file contains the registry hive, identifiable by the \u0026ldquo;72656766\u0026rdquo; header bytes (the ASCII string \u003ccode\u003eregf\u003c/code\u003e in hex) and a file size greater than 30000 bytes.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the dumped registry hive files from the target 
system.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the registry hives offline to extract sensitive credential information, such as password hashes. This leads to lateral movement and privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack allows adversaries to extract sensitive credentials, including password hashes, from the compromised system. This can lead to lateral movement within the network, privilege escalation, and ultimately, domain compromise. The extraction of credentials provides the attacker with persistent access and the ability to move undetected through the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Svchost.exe Registry Hive Dump\u003c/code\u003e to detect the creation of registry hive files by \u003ccode\u003esvchost.exe\u003c/code\u003e in temporary directories based on the \u003ccode\u003efile.Ext.header_bytes\u003c/code\u003e and \u003ccode\u003efile.path\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious RemoteRegistry File Creation\u003c/code\u003e to detect files with REGF header bytes created by svchost.exe, outside the standard system path to catch unusual service context.\u003c/li\u003e\n\u003cli\u003eEnable and monitor process creation events, specifically focusing on \u003ccode\u003esvchost.exe\u003c/code\u003e and its command-line arguments, to identify suspicious service groups.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events for files with the \u003ccode\u003e.tmp\u003c/code\u003e extension in the \u003ccode\u003e\\Windows\\System32\\\u003c/code\u003e and \u003ccode\u003e\\WINDOWS\\Temp\\\u003c/code\u003e directories, paying attention to file sizes and header bytes, as indicated by the file path and size conditions in the 
rule.\u003c/li\u003e\n\u003cli\u003eReview the investigation steps outlined in the rule documentation to properly triage and analyze potential incidents.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-remote-sam-secretsdump/","summary":"Detects remote access to the registry, potentially dumping credential data from the Security Account Manager (SAM) registry hive, indicating preparation for credential access and privilege elevation.","title":"Potential Remote Credential Access via Registry","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-sam-secretsdump/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS CloudTrail","EKS IAM Roles for Service Accounts"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","kubernetes","lateral-movement","credential-access","discovery"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis detection rule identifies lateral movement in AWS environments stemming from Kubernetes service accounts utilizing \u003ccode\u003eAssumeRoleWithWebIdentity\u003c/code\u003e. It focuses on detecting instances where credentials obtained via this method are subsequently used to perform several distinct AWS control-plane actions within a single session. This behavior deviates from typical pod traffic and could signify unauthorized access or privilege escalation. The rule prioritizes the detection of sensitive API usage, including reconnaissance activities, access to secrets, IAM modifications, and compute creation events, while strategically excluding high-volume S3 data-plane operations to minimize false positives. 
The targeted environments are those leveraging EKS IAM Roles for Service Accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA projected service account token is mounted into a pod; an attacker who has compromised that pod reads the token from its filesystem.\u003c/li\u003e\n\u003cli\u003eThe attacker calls \u003ccode\u003eAssumeRoleWithWebIdentity\u003c/code\u003e to exchange the token for the short-lived IAM credentials of the role trusted for that service account. Every later call made with those credentials carries the same temporary access key ID in CloudTrail, which is what lets the rule tie them into one session.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the assumed role to perform reconnaissance activities such as \u003ccode\u003eListUsers\u003c/code\u003e, \u003ccode\u003eListRoles\u003c/code\u003e, and \u003ccode\u003eDescribeInstances\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to access secrets using actions like \u003ccode\u003eGetSecretValue\u003c/code\u003e and \u003ccode\u003eListSecrets\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges by modifying IAM policies with actions like \u003ccode\u003eAttachRolePolicy\u003c/code\u003e and \u003ccode\u003ePutRolePolicy\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to create new users or roles within the AWS environment using actions like \u003ccode\u003eCreateUser\u003c/code\u003e and \u003ccode\u003eCreateRole\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement to EC2 instances through Systems Manager actions like \u003ccode\u003eSendCommand\u003c/code\u003e and \u003ccode\u003eStartSession\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to evade detection by stopping CloudTrail logging with the \u003ccode\u003eStopLogging\u003c/code\u003e action.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, privilege escalation, and the potential compromise of the entire AWS environment. 
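\u003c/p\u003e\n\u003cp\u003eThe session correlation this rule performs, as an added example written for this brief and not code from the Sigma rule or from AWS: CloudTrail events are grouped by the temporary access key returned by \u003ccode\u003eAssumeRoleWithWebIdentity\u003c/code\u003e, and a session is flagged once the same key drives three or more distinct sensitive control-plane actions, with S3 data-plane calls left out of the sensitive set. The event shapes, role ARNs, action lists and the threshold of three are assumptions of the example.\u003c/p\u003e

```python
# Added example for this brief: group CloudTrail events into sessions keyed by
# the temporary access key minted by AssumeRoleWithWebIdentity, then flag any
# session in which one key drives several distinct sensitive control-plane
# actions. Field names follow CloudTrail; events, ARNs, the action lists and the
# threshold of three are constructed for the example, not taken from the rule.
import operator
from collections import defaultdict

# Sensitive actions grouped by stage. S3 data-plane calls are deliberately absent.
SENSITIVE = {
    'recon': {'ListUsers', 'ListRoles', 'DescribeInstances', 'GetCallerIdentity'},
    'secrets': {'GetSecretValue', 'ListSecrets'},
    'iam_change': {'AttachRolePolicy', 'PutRolePolicy', 'CreateUser', 'CreateRole'},
    'lateral': {'SendCommand', 'StartSession', 'RunInstances'},
    'evasion': {'StopLogging', 'DeleteTrail'},
}
ALL_SENSITIVE = set().union(*SENSITIVE.values())

def web_identity_sessions(events):
    # Map each temporary access key returned by STS to the role it was issued for.
    keys = {}
    for e in events:
        if e['eventSource'] == 'sts.amazonaws.com' and e['eventName'] == 'AssumeRoleWithWebIdentity':
            key = e['responseElements']['credentials']['accessKeyId']
            keys[key] = e['requestParameters']['roleArn']
    return keys

def suspicious_sessions(events, min_distinct=3):
    # Collect distinct sensitive actions per web-identity session and keep the
    # sessions that reach the threshold, with the attack stages they touched.
    keys = web_identity_sessions(events)
    actions = defaultdict(set)
    for e in events:
        key = e.get('userIdentity', {}).get('accessKeyId')
        if key in keys and e['eventName'] in ALL_SENSITIVE:
            actions[key].add(e['eventName'])
    flagged = {}
    for key, acts in actions.items():
        if operator.ge(len(acts), min_distinct):
            stages = [s for s, names in SENSITIVE.items() if names.intersection(acts)]
            flagged[key] = {'roleArn': keys[key], 'actions': sorted(acts), 'stages': sorted(stages)}
    return flagged

# Constructed events: two pods assume their IRSA roles; only one misbehaves.
def sts_event(key, role):
    return {'eventSource': 'sts.amazonaws.com', 'eventName': 'AssumeRoleWithWebIdentity',
            'requestParameters': {'roleArn': role},
            'responseElements': {'credentials': {'accessKeyId': key}}}

def api_event(key, source, name):
    return {'eventSource': source, 'eventName': name, 'userIdentity': {'accessKeyId': key}}

ROLE_APP = 'arn:aws:iam::123456789012:role/orders-api'
ROLE_BATCH = 'arn:aws:iam::123456789012:role/report-batch'
KEY_APP, KEY_BATCH = 'ASIAEXAMPLE0000000A', 'ASIAEXAMPLE0000000B'

EVENTS = [
    sts_event(KEY_APP, ROLE_APP),
    sts_event(KEY_BATCH, ROLE_BATCH),
    # Normal pod traffic: bulk S3 plus one secret read, never reaches the threshold.
    api_event(KEY_BATCH, 's3.amazonaws.com', 'GetObject'),
    api_event(KEY_BATCH, 's3.amazonaws.com', 'PutObject'),
    api_event(KEY_BATCH, 'secretsmanager.amazonaws.com', 'GetSecretValue'),
    # Compromised pod: recon, secret enumeration, IAM change and an SSM session on one key.
    api_event(KEY_APP, 'iam.amazonaws.com', 'ListRoles'),
    api_event(KEY_APP, 'ec2.amazonaws.com', 'DescribeInstances'),
    api_event(KEY_APP, 'secretsmanager.amazonaws.com', 'ListSecrets'),
    api_event(KEY_APP, 'iam.amazonaws.com', 'AttachRolePolicy'),
    api_event(KEY_APP, 'ssm.amazonaws.com', 'StartSession'),
]

if __name__ == '__main__':
    for key, info in suspicious_sessions(EVENTS).items():
        print(key, info['roleArn'], info['stages'])
```

\u003cp\u003eIn real CloudTrail data the join is \u003ccode\u003euserIdentity.accessKeyId\u003c/code\u003e on each API call matched to \u003ccode\u003eresponseElements.credentials.accessKeyId\u003c/code\u003e in the STS event, which is what the constructed events model. The batch pod issues many calls but only one of them is in the sensitive set, so it never reaches the threshold; the compromised pod touches four stages with five distinct calls and is reported with the role it assumed.\u003c/p\u003e\n\u003cp\u003e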
Lateral movement within the AWS infrastructure allows attackers to gain access to critical systems and data, potentially leading to data breaches, service disruptions, or other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect potentially malicious activity related to \u003ccode\u003eAssumeRoleWithWebIdentity\u003c/code\u003e and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview and harden IAM role trust policies associated with Kubernetes service accounts, specifically focusing on OIDC trust conditions, as referenced in the \u003ca href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html\"\u003eIAM OIDC identity provider\u003c/a\u003e documentation.\u003c/li\u003e\n\u003cli\u003eImplement strict least privilege principles for Kubernetes service accounts, limiting their access to only the necessary AWS resources, as covered in \u003ca href=\"https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html\"\u003eEKS IAM roles for service accounts\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for \u003ccode\u003eAssumeRoleWithWebIdentity\u003c/code\u003e events followed by suspicious API calls, focusing on the actions listed in the Sigma rule detection patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-aws-k8s-lateral-movement/","summary":"This rule detects lateral movement in AWS environments originating from Kubernetes service accounts by identifying instances where credentials obtained for a service account are used for multiple distinct AWS control-plane actions, potentially indicating unauthorized access.","title":"AWS Lateral Movement from Kubernetes Service Account via 
AssumeRoleWithWebIdentity","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-k8s-lateral-movement/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["pentest","post-exploitation","lateral-movement","active-directory"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eNetExec, previously known as CrackMapExec, is a post-exploitation tool commonly used during Active Directory penetration testing. It is also favored by red teams and malicious actors for reconnaissance, lateral movement, and credential harvesting within Windows networks. This tool allows for the enumeration of hosts, exploitation of network services, and remote command execution. The use of NetExec in an enterprise environment is considered suspicious due to its capabilities for identifying vulnerable systems and facilitating unauthorized access. Defenders should monitor for its execution, as it is often a precursor to more serious attacks, including ransomware deployment, such as the Lynx ransomware.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system via an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eNetExec (nxc.exe) is deployed on the compromised host, often copied to a temporary directory.\u003c/li\u003e\n\u003cli\u003eNetExec is executed with commands to enumerate network shares and identify potential targets using SMB.\u003c/li\u003e\n\u003cli\u003eThe tool uses LDAP to query Active Directory for user accounts, groups, and organizational units.\u003c/li\u003e\n\u003cli\u003eNetExec attempts to authenticate to other systems using gathered or compromised credentials via protocols such as SMB, SSH, or RDP.\u003c/li\u003e\n\u003cli\u003eSuccessful authentication allows for remote command execution via WMI or WinRM.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages identified 
vulnerabilities or misconfigurations to escalate privileges on the target systems.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally through the network, gaining access to sensitive data or deploying ransomware like Lynx.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of NetExec can lead to widespread compromise within an Active Directory environment. Attackers can identify and exploit vulnerable systems, harvest credentials, and move laterally to gain access to critical assets. This can result in data theft, system disruption, and ransomware deployment, potentially affecting hundreds or thousands of systems depending on the size of the organization. The tool is often used as a precursor to ransomware attacks, where entire networks can be encrypted, leading to significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eHackTool - NetExec Execution\u003c/code\u003e to your SIEM to detect the execution of NetExec based on process creation logs.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003enxc.exe\u003c/code\u003e with command-line arguments associated with network protocols like \u003ccode\u003eftp\u003c/code\u003e, \u003ccode\u003eldap\u003c/code\u003e, \u003ccode\u003emssql\u003c/code\u003e, \u003ccode\u003enfs\u003c/code\u003e, \u003ccode\u003erdp\u003c/code\u003e, \u003ccode\u003esmb\u003c/code\u003e, \u003ccode\u003essh\u003c/code\u003e, \u003ccode\u003evnc\u003c/code\u003e, \u003ccode\u003ewinrm\u003c/code\u003e, and \u003ccode\u003ewmi\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and regularly audit Active Directory to minimize the potential for lateral movement.\u003c/li\u003e\n\u003cli\u003eConsider using application control solutions to prevent the execution of 
unauthorized tools like \u003ccode\u003enxc.exe\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:35:00Z","date_published":"2024-01-03T14:35:00Z","id":"/briefs/2024-01-netexec-execution/","summary":"The threat brief details the detection of NetExec (formerly CrackMapExec), a post-exploitation tool used for Active Directory penetration testing and network enumeration, often employed by threat actors for lateral movement and credential harvesting.","title":"Detection of NetExec Hacktool Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-netexec-execution/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2019-0708"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["command-and-control","lateral-movement","initial-access","rdp"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eRemote Desktop Protocol (RDP) is a common tool for system administrators to remotely manage systems; exposing it directly to the internet, however, creates a significant attack surface. Threat actors frequently target and exploit RDP for initial access, lateral movement, and establishing backdoors within compromised networks. This activity is detected by monitoring network traffic for connections to the RDP port (TCP 3389) whose source address lies outside the private RFC 1918 ranges and whose destination lies inside them. This matters because a successful RDP compromise often leads to broader network infiltration and data exfiltration. The detection works purely on the network-level characteristics of the connection, so it fires on the attempt itself, whether or not authentication later succeeds.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a publicly accessible RDP service.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to brute-force RDP login credentials or exploits a known RDP vulnerability (e.g. 
BlueKeep CVE-2019-0708).\u003c/li\u003e\n\u003cli\u003eUpon successful authentication or exploitation, the attacker gains remote access to the targeted system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system as a pivot point to perform reconnaissance on the internal network.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network using stolen credentials or by exploiting other vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker installs malware or establishes persistence mechanisms (e.g., creating new user accounts or modifying system configurations).\u003c/li\u003e\n\u003cli\u003eThe attacker gathers sensitive data from internal systems.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the stolen data to an external server or deploys ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised RDP services can lead to significant data breaches, system downtime, and financial losses. Attackers can leverage RDP access to steal sensitive information, install ransomware, or disrupt critical business operations. While the number of affected organizations varies, RDP exploitation remains a prevalent attack vector, especially for organizations with inadequate security practices. The impact of a successful RDP attack ranges from several thousands to millions of dollars, depending on the size of the organization and the sensitivity of the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;RDP (Remote Desktop Protocol) from the Internet\u0026rdquo; Sigma rule to your SIEM to detect unauthorized RDP connections from outside the network.\u003c/li\u003e\n\u003cli\u003eReview firewall rules and network configurations to ensure RDP services are not exposed directly to the internet. 
Implement a VPN or RDP gateway for secure remote access.\u003c/li\u003e\n\u003cli\u003eEnable and monitor network traffic logs (category: \u003ccode\u003enetwork_traffic\u003c/code\u003e, product: \u003ccode\u003ewindows|linux|macos\u003c/code\u003e) to provide data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the source IP address and user accounts involved in the RDP connection.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the blast radius of a potential RDP compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-rdp-internet/","summary":"This rule detects network events indicative of RDP traffic originating from the internet, which poses a significant security risk due to its frequent exploitation as an initial access or backdoor vector.","title":"RDP (Remote Desktop Protocol) from the Internet","url":"https://feed.craftedsignal.io/briefs/2024-01-rdp-internet/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["kubelet","Elastic Defend","auditd_manager"],"_cs_severities":["medium"],"_cs_tags":["kubernetes","lateral-movement","kubelet","linux","container"],"_cs_type":"advisory","_cs_vendors":["Elastic","Kubernetes"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious network connections to the Kubernetes Kubelet API, specifically targeting ports 10250 and 10255, from Linux hosts within internal network ranges. Attackers frequently exploit weak authentication or network controls to access the Kubelet API, potentially enabling them to enumerate pods, retrieve logs, and execute commands on nodes. 
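\u003c/p\u003e\n\u003cp\u003eThe combination of signals this rule looks at, shown as an added example written for this brief rather than code from the rule or from Elastic: a process start event and the outbound connection from the same process are scored together for a Kubelet destination port on an internal address, a scripting tool as the executable, a world-writable working directory, and an enumeration or exec path in the URL. The event shapes, the tool list and the requirement that three signals match are assumptions of the example.\u003c/p\u003e

```python
# Added example for this brief: score a process start together with the network
# connection it makes, looking for the signals described above. Events below are
# constructed, not real Elastic Defend or auditd telemetry.
import ipaddress
import operator
from pathlib import PurePosixPath

KUBELET_PORTS = {10250, 10255}
SCRIPT_TOOLS = {'curl', 'wget', 'python', 'python3', 'node', 'nc', 'ncat'}
WORLD_WRITABLE = [PurePosixPath(d) for d in ('/tmp', '/var/tmp', '/dev/shm')]
INTERNAL = [ipaddress.ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]
INTERESTING_PATHS = ('/pods', '/runningpods', '/exec/', '/containerLogs/')

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def in_world_writable(cwd):
    # True for the directory itself or anything beneath it.
    p = PurePosixPath(cwd)
    return any(p == d or d in p.parents for d in WORLD_WRITABLE)

def kubelet_url(args):
    # First argument that names a Kubelet port, e.g. https://10.0.1.5:10250/pods
    for a in args:
        if any(f':{port}' in a for port in KUBELET_PORTS):
            return a
    return None

def evaluate(proc, conn):
    # proc: process start event; conn: outbound connection from the same pid.
    # Returns the matched signals, empty when the destination is not a Kubelet
    # port on an internal address.
    if conn['dest_port'] not in KUBELET_PORTS or not is_internal(conn['dest_ip']):
        return []
    reasons = ['kubelet-port']
    if PurePosixPath(proc['executable']).name in SCRIPT_TOOLS:
        reasons.append('scripting-tool')
    if in_world_writable(proc['cwd']):
        reasons.append('world-writable-cwd')
    url = kubelet_url(proc['args'])
    if url and any(seg in url for seg in INTERESTING_PATHS):
        reasons.append('enumeration-or-exec-path')
    return reasons

# Constructed (process, connection) pairs joined on pid.
EVENTS = [
    ({'pid': 4011, 'executable': '/usr/bin/curl', 'cwd': '/tmp',
      'args': ['curl', '-sk', 'https://10.0.1.5:10250/pods']},
     {'pid': 4011, 'dest_ip': '10.0.1.5', 'dest_port': 10250}),
    ({'pid': 4012, 'executable': '/usr/bin/python3', 'cwd': '/dev/shm',
      'args': ['python3', 'k.py', 'http://10.0.1.5:10255/runningpods/']},
     {'pid': 4012, 'dest_ip': '10.0.1.5', 'dest_port': 10255}),
    # Monitoring agent scraping node metrics from its install directory: port only.
    ({'pid': 4013, 'executable': '/opt/monitor/scrape', 'cwd': '/opt/monitor',
      'args': ['scrape', 'https://10.0.1.5:10250/metrics']},
     {'pid': 4013, 'dest_ip': '10.0.1.5', 'dest_port': 10250}),
    # curl from /tmp to an ordinary web service: not a Kubelet port, no signals.
    ({'pid': 4014, 'executable': '/usr/bin/curl', 'cwd': '/tmp',
      'args': ['curl', 'http://10.0.2.9:8080/health']},
     {'pid': 4014, 'dest_ip': '10.0.2.9', 'dest_port': 8080}),
]

def scan(events, min_signals=3):
    # pid to matched signals for every pair that reaches the threshold.
    hits = {}
    for proc, conn in events:
        reasons = evaluate(proc, conn)
        if operator.ge(len(reasons), min_signals):
            hits[proc['pid']] = reasons
    return hits

if __name__ == '__main__':
    for pid, reasons in scan(EVENTS).items():
        print(pid, reasons)
```

\u003cp\u003eThe metrics scraper shows why the port alone is a weak signal: a legitimate agent on the node hits 10250 all day. Requiring the scripting tool and the world-writable working directory on top of the port is what separates the two constructed attacker processes from it, and the URL path is the piece that tells a triager whether the caller was enumerating or already trying \u003ccode\u003e/exec\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003e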
This activity often originates from common scripting utilities like \u003ccode\u003ecurl\u003c/code\u003e and \u003ccode\u003ewget\u003c/code\u003e, or interpreters like \u003ccode\u003epython\u003c/code\u003e and \u003ccode\u003enode\u003c/code\u003e, particularly when executed from world-writable directories such as \u003ccode\u003e/tmp\u003c/code\u003e, \u003ccode\u003e/var/tmp\u003c/code\u003e, or \u003ccode\u003e/dev/shm\u003c/code\u003e, the places an unprivileged process inside a container can write a downloaded tool to. Port 10250 is the authenticated Kubelet API; port 10255 is the legacy read-only port, which answers pod and node queries without authentication wherever it is still enabled. This technique is often a component of container and cluster lateral movement, where the attacker seeks to expand their access within the Kubernetes environment. The rule is designed to detect these unauthorized attempts and alert security teams to investigate potential breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised container or host within the Kubernetes cluster, potentially through exploiting a vulnerability in a running application.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a reconnaissance command, such as \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e, from within the compromised container, targeting the Kubelet API of the node on port 10250 or 10255.\u003c/li\u003e\n\u003cli\u003eThe tool or script is staged in and run from a world-writable directory like \u003ccode\u003e/tmp\u003c/code\u003e or \u003ccode\u003e/dev/shm\u003c/code\u003e; the rule treats that working directory as a signal because legitimate node agents rarely run from such locations.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to enumerate running pods and services by querying the \u003ccode\u003e/pods\u003c/code\u003e or \u003ccode\u003e/runningpods\u003c/code\u003e endpoints of the Kubelet API.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker identifies a target pod within the cluster based on the enumerated information.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the Kubelet API to execute commands within the target 
pod, potentially escalating privileges or accessing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other nodes or containers within the Kubernetes cluster, repeating the reconnaissance and exploitation steps.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is to gain control over the entire Kubernetes cluster, enabling data exfiltration, resource hijacking, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the Kubelet API can lead to a complete compromise of the Kubernetes cluster. Attackers can gain unauthorized access to sensitive data, escalate privileges, and disrupt critical services. While the number of victims may vary depending on the organization\u0026rsquo;s security posture, a successful attack could impact all applications and data managed by the cluster. Organizations in any sector utilizing Kubernetes are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable syscall auditing and ensure that \u003ccode\u003eevent.category:network\u003c/code\u003e events are generated for network connections, as outlined in the rule\u0026rsquo;s setup guide.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune it based on your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eRestrict pod-to-node access to port 10250 using network policies or security groups to limit the attack surface, as noted in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003cli\u003eImplement Kubernetes API audit logging to detect unauthorized access attempts and credential access, correlating with process argument telemetry as mentioned in the triage 
steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-kubelet-api-connection/","summary":"The rule detects network connection attempts to the Kubernetes Kubelet API ports 10250 and 10255 on internal IP ranges from Linux hosts, indicating potential lateral movement within container and cluster environments.","title":"Kubelet API Connection Attempt to Internal IP","url":"https://feed.craftedsignal.io/briefs/2024-01-kubelet-api-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["medium"],"_cs_tags":["azure","cloud","service principal","persistence","lateral movement"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe creation of service principals in Azure can be a legitimate administrative task, but it can also be an indicator of malicious activity. Attackers may create service principals to establish persistence, move laterally within the Azure environment, or gain unauthorized access to resources. This activity is particularly concerning when performed by unfamiliar users or from unusual locations. Monitoring for unexpected service principal creation is crucial for detecting potential security breaches in Azure environments. 
This alert focuses on detecting the \u0026ldquo;Add service principal\u0026rdquo; message within Azure Activity Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure account, possibly through compromised credentials or a vulnerable application.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure portal or uses Azure CLI with the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands to create a new service principal using tools like Azure CLI or PowerShell.\u003c/li\u003e\n\u003cli\u003eAzure Activity Logs record the \u0026ldquo;Add service principal\u0026rdquo; event.\u003c/li\u003e\n\u003cli\u003eThe attacker assigns roles and permissions to the newly created service principal, granting it access to specific resources.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the service principal for lateral movement, accessing resources or services within the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe service principal is used for persistence, allowing the attacker to maintain access even if the initial access method is revoked.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful creation and misuse of a service principal can lead to unauthorized access to sensitive data, resources, and services within the Azure environment. The impact can range from data breaches and service disruption to complete control over the Azure subscription, potentially affecting hundreds or thousands of resources and users. 
The attacker can leverage the compromised service principal to perform actions with the permissions assigned to it, leading to significant damage and financial loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Azure Service Principal Created\u0026rdquo; to your SIEM and tune for your environment to detect suspicious service principal creations.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026ldquo;Azure Service Principal Created\u0026rdquo; rule (logsource: azure) by verifying the user identity, user agent, and hostname associated with the event.\u003c/li\u003e\n\u003cli\u003eReview and audit existing service principals and their assigned permissions to identify any anomalies or overly permissive configurations.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts to reduce the risk of credential compromise and unauthorized access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-azure-sp-creation/","summary":"Detects the creation of a service principal in Azure, which could indicate potential attacker activity for lateral movement or persistence.","title":"Detection of Azure Service Principal Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-sp-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic License v2"],"_cs_severities":["high"],"_cs_tags":["network-traffic","initial-access","lateral-movement","rpc"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThe Remote Procedure Call (RPC) protocol, while essential for legitimate system administration tasks such as remote maintenance and resource sharing within internal networks, poses a significant security risk when exposed to the internet. 
Threat actors frequently target and exploit RPC services as an initial access vector or to establish backdoors within compromised systems. This exposure allows attackers to remotely execute commands, move laterally within the network, and potentially exfiltrate sensitive data. This brief provides detection strategies to identify such anomalous RPC traffic, enabling security teams to proactively mitigate potential threats. The detection focuses on TCP traffic to port 135, the RPC endpoint mapper, from internal (RFC 1918) source addresses to external destinations; internal hosts have no routine reason to query an endpoint mapper on the public internet, so such a flow points either at an RPC service reachable across the perimeter or at a compromised host contacting attacker infrastructure, and in both cases warrants investigation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises a host within the internal network, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe compromised host initiates a connection to an external IP address on TCP port 135, the endpoint mapper port an RPC client queries before binding to a service.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RPC connection to enumerate exposed interfaces and network resources and identify potential targets for lateral movement.\u003c/li\u003e\n\u003cli\u003eUsing RPC, the attacker attempts to authenticate to other systems within the network.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication, the attacker remotely executes commands on the target system via RPC.\u003c/li\u003e\n\u003cli\u003eThe attacker installs malware or a backdoor on the target system for persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the established foothold to further propagate within the network, compromising additional systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of RPC services exposed to the internet can lead to a complete compromise of the internal network. Attackers can gain initial access, move laterally, exfiltrate sensitive data, deploy ransomware, or disrupt critical business operations. 
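\u003c/p\u003e\n\u003cp\u003eThe network-level check behind this brief and the RDP-from-the-internet brief above, as one added example written for both rather than code from either Sigma rule: a flow record matches when TCP 3389 arrives from a non-private source at a private destination, or when TCP 135 leaves a private source for a non-private destination. The flow fields and records are constructed; the internal ranges are the RFC 1918 blocks plus loopback and link-local, which is an assumption of the example.\u003c/p\u003e

```python
# Added example for the RDP and RPC briefs: classify flow records against the
# two direction-and-port conditions the rules describe. Records are constructed.
import ipaddress

INTERNAL = [ipaddress.ip_network(n) for n in (
    '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16',   # RFC 1918
    '127.0.0.0/8', '169.254.0.0/16',                   # loopback, link-local
)]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def classify(flow):
    # flow: dict with src_ip, dst_ip, dst_port and proto. Both rules are TCP-only,
    # so RDP over its UDP transport on 3389 is deliberately not matched here.
    if flow['proto'] != 'tcp':
        return None
    src_int, dst_int = is_internal(flow['src_ip']), is_internal(flow['dst_ip'])
    if flow['dst_port'] == 3389 and dst_int and not src_int:
        return 'rdp-from-internet'
    if flow['dst_port'] == 135 and src_int and not dst_int:
        return 'rpc-to-internet'
    return None

# Constructed flows; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
# standing in for the public internet.
FLOWS = [
    {'src_ip': '203.0.113.7', 'dst_ip': '10.20.0.15', 'dst_port': 3389, 'proto': 'tcp'},
    {'src_ip': '10.20.0.40', 'dst_ip': '10.20.0.15', 'dst_port': 3389, 'proto': 'tcp'},
    {'src_ip': '10.20.0.15', 'dst_ip': '198.51.100.9', 'dst_port': 135, 'proto': 'tcp'},
    {'src_ip': '10.20.0.15', 'dst_ip': '10.20.0.1', 'dst_port': 135, 'proto': 'tcp'},
    {'src_ip': '203.0.113.8', 'dst_ip': '10.20.0.15', 'dst_port': 3389, 'proto': 'udp'},
    {'src_ip': '198.51.100.9', 'dst_ip': '10.20.0.15', 'dst_port': 135, 'proto': 'tcp'},
]

def alerts(flows):
    # (rule, source, destination) for every matching flow, in input order.
    out = []
    for f in flows:
        kind = classify(f)
        if kind:
            out.append((kind, f['src_ip'], f['dst_ip']))
    return out

if __name__ == '__main__':
    for kind, src, dst in alerts(FLOWS):
        print(f'{kind}: {src} to {dst}')
```

\u003cp\u003eThe last constructed record, inbound TCP 135 from the internet, matches neither rule because the RPC rule is written for the outbound direction only; inbound exposure of the endpoint mapper is what the firewall recommendations above are meant to rule out, and if that direction needs detection as well it has to be a separate condition rather than a change to this one.\u003c/p\u003e\n\u003cp\u003e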
A single exposed RPC service can serve as a gateway for widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect RPC traffic from internal IP ranges to external destinations on TCP port 135, focusing on network traffic logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, prioritizing systems exhibiting suspicious RPC activity (Sigma rule, logsource: network_connection).\u003c/li\u003e\n\u003cli\u003eEnsure that RPC services are not directly exposed to the internet. Implement firewall rules to restrict access to authorized internal IP ranges only.\u003c/li\u003e\n\u003cli\u003eContinuously monitor network traffic for anomalous RPC activity and correlate with other security events (logsource: network_connection).\u003c/li\u003e\n\u003cli\u003eReview and update firewall configurations to block unauthorized outbound connections on port 135 (logsource: firewall).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:27:00Z","date_published":"2024-01-03T14:27:00Z","id":"/briefs/2024-01-rpc-internet-access/","summary":"This brief focuses on detecting Remote Procedure Call (RPC) traffic originating from internal networks and reaching the public internet, which is indicative of potential initial access or backdoor activity.","title":"Detecting RPC Traffic to the Internet","url":"https://feed.craftedsignal.io/briefs/2024-01-rpc-internet-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","file-share","windows"],"_cs_type":"advisory","_cs_vendors":["Veeam Software Group GmbH","Elasticsearch, Inc.","PDQ.com Corporation","CrowdStrike, Inc.","Microsoft","ZOHO Corporation Private Limited","BeyondTrust Corporation","CyberArk Software Ltd","Sophos Ltd","AO Kaspersky Lab","Anthropic, PBC","Adobe Inc.","Netwrix 
Corporation"],"content_html":"\u003cp\u003eThis detection identifies lateral movement via network file shares by detecting the execution of a file that was recently created by the virtual system process (PID 4), commonly associated with file share operations. Adversaries may leverage network shares to distribute malicious payloads or tools across the network to compromise additional hosts. This technique allows attackers to execute code remotely, expanding their foothold within the environment. The rule focuses on Windows systems and monitors for newly created executable files (e.g., .exe, .scr, .pif, .com) that are then executed. Exceptions are made for known legitimate software vendors and specific file paths to reduce false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious executable (e.g., malware, custom tool) to a network file share. The file creation event is attributed to PID 4.\u003c/li\u003e\n\u003cli\u003eA user or automated process on a remote system accesses the file share.\u003c/li\u003e\n\u003cli\u003eThe malicious executable is copied or accessed from the network share onto the remote system.\u003c/li\u003e\n\u003cli\u003eThe user, either intentionally or through deception, executes the malicious executable.\u003c/li\u003e\n\u003cli\u003eThe executed file initiates malicious activities on the remote system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution on the remote system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses this foothold for further lateral movement, data exfiltration, or other malicious objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation through remote execution via file shares can lead to widespread compromise across the network. 
Attackers can gain unauthorized access to sensitive data, install backdoors, or deploy ransomware. The impact ranges from data breaches and financial losses to significant disruption of business operations. The severity of the impact depends on the attacker\u0026rsquo;s objectives and the extent of their lateral movement within the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious executions of files created by PID 4 on Windows systems.\u003c/li\u003e\n\u003cli\u003eReview and restrict write access to network shares to minimize the risk of unauthorized file uploads.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events (event.type in (\u0026ldquo;creation\u0026rdquo;, \u0026ldquo;change\u0026rdquo;)) on network shares for unusual activity using file integrity monitoring tools.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the process execution chain and associated network connections.\u003c/li\u003e\n\u003cli\u003eEnrich process creation events (category: process_creation) with code signature information to validate the legitimacy of executed files.\u003c/li\u003e\n\u003cli\u003eRetrieve the files\u0026rsquo; SHA-256 hash values (for example with osquery or the PowerShell \u003ccode\u003eGet-FileHash\u003c/code\u003e cmdlet) and check the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, Cisco Talos, Any.run, etc.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-remote-execution-via-file-shares/","summary":"This rule identifies the execution of a file that was created by the virtual system process, potentially indicating lateral movement via network file shares in Windows environments.","title":"Remote Execution via File 
Shares","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-execution-via-file-shares/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","file-shares","windows"],"_cs_type":"advisory","_cs_vendors":["Veeam Software Group GmbH","Elasticsearch, Inc.","PDQ.com Corporation","CrowdStrike, Inc.","Microsoft","ZOHO Corporation Private Limited","BeyondTrust Corporation","CyberArk Software Ltd","Sophos Ltd","AO Kaspersky Lab","Anthropic, PBC","Adobe Inc.","Netwrix Corporation"],"content_html":"\u003cp\u003eThis detection rule identifies a specific sequence of events that may indicate lateral movement within a Windows environment. The rule focuses on scenarios where a file is created or modified by the \u003ccode\u003eSystem\u003c/code\u003e process (PID 4), which is then subsequently executed. This behavior is often associated with attackers leveraging network file shares to distribute malicious tools or payloads across multiple systems. The rule aims to detect this activity while excluding legitimate software installations or updates by filtering out processes signed by trusted vendors such as Veeam, Elasticsearch, CrowdStrike, and Microsoft. This exclusion is designed to reduce false positives and focus on potentially malicious activity. The rule is designed for data generated by Elastic Defend.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious executable (e.g., EXE, SCR, PIF, COM) to a network file share accessible to other systems. The file\u0026rsquo;s header starts with \u003ccode\u003e4d5a\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSystem\u003c/code\u003e process (PID 4) creates or modifies the malicious executable on the target system via the network share. 
This can happen through normal network file operations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses lateral movement techniques, such as exploiting SMB/Windows Admin Shares, to remotely trigger the execution of the malicious executable on the target system.\u003c/li\u003e\n\u003cli\u003eThe malicious executable begins to execute, initiating attacker-controlled code on the target system.\u003c/li\u003e\n\u003cli\u003eThe process attempts to establish command and control (C2) communication with an external server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to further propagate within the network, potentially deploying additional malicious tools or escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to widespread compromise of systems within the network. Attackers can leverage compromised systems for data theft, deployment of ransomware, or other malicious activities. The impact can range from business disruption and data loss to significant financial damage and reputational harm. 
Even with trusted vendor exclusions, a determined adversary could still bypass protections, potentially leading to the compromise of critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect remote execution via file shares, and tune exclusions for your specific environment.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend to generate the necessary process and file events for the Sigma rule to function effectively (see \u003ccode\u003elogs-endpoint.events.process-*\u003c/code\u003e, \u003ccode\u003elogs-endpoint.events.file-*\u003c/code\u003e in \u003ccode\u003eindex\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview and restrict write access to network shares to minimize the risk of unauthorized file uploads (see \u0026ldquo;Review the privileges needed to write to the network share\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule to determine the legitimacy of the activity and take appropriate remediation steps.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring (FIM) on network shares to detect unauthorized file modifications or additions.\u003c/li\u003e\n\u003cli\u003eUse threat intelligence platforms to enrich file hash values and identify known malicious files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-remote-execution-file-shares/","summary":"The rule identifies the execution of a file created by the virtual system process, potentially indicating lateral movement via network file shares, by detecting a sequence of file creation/modification followed by process execution, excluding trusted vendors.","title":"Remote Execution via File 
Shares","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-execution-file-shares/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Corretto JDK","UEM Proxy Server","UEM Core","dbeaver.exe","Docker","Chrome","Internet Explorer","PyCharm Community Edition","Firefox","VirtualBox","Puppet","nexpose","Silverfort AD Adapter","Nessus","VMware View","Advanced Port Scanner","DesktopCentral Agent","LanGuard","SAP BusinessObjects","SuperScan","ZSATunnel"],"_cs_severities":["medium"],"_cs_tags":["kerberoasting","credential-access","lateral-movement","windows"],"_cs_type":"threat","_cs_vendors":["Elastic","SentinelOne","Amazon","BlackBerry","DBeaver","Docker","Google","Microsoft","JetBrains","Mozilla","Oracle","Puppet Labs","Rapid7","Silverfort","Tenable","VMware","GFI","SAP","Zscaler"],"content_html":"\u003cp\u003eThis detection identifies unusual processes initiating network connections to the standard Kerberos port (88) on Windows systems. Typically, the \u003ccode\u003elsass.exe\u003c/code\u003e process handles Kerberos traffic on domain-joined hosts. The rule aims to detect processes other than \u003ccode\u003elsass.exe\u003c/code\u003e communicating with the Kerberos port, which could indicate malicious activity such as Kerberoasting (T1558.003) or Pass-the-Ticket (T1550.003). The detection is designed to work with data from Elastic Defend and SentinelOne Cloud Funnel. 
This can help security teams identify potential credential access attempts and lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a user account or system within the domain.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious binary or script (e.g., PowerShell) on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe malicious process requests Kerberos service tickets (TGS) for service principal names (SPNs) in the domain by connecting to the Kerberos port (88) on a domain controller.\u003c/li\u003e\n\u003cli\u003eThe attacker uses tools like \u003ccode\u003eRubeus\u003c/code\u003e or \u003ccode\u003eKerberoast.ps1\u003c/code\u003e to enumerate SPNs and request TGS tickets for them.\u003c/li\u003e\n\u003cli\u003eBecause this traffic originates from a process other than \u003ccode\u003elsass.exe\u003c/code\u003e, the connection to the domain controller is what the rule observes.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the Kerberos tickets from memory or network traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker cracks the TGS tickets offline to obtain service account passwords (Kerberoasting); this works because each service ticket is encrypted with a key derived from the service account\u0026rsquo;s password.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised service account credentials to move laterally within the network or access sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Kerberoasting or Pass-the-Ticket attack can lead to unauthorized access to sensitive resources and lateral movement within the network. Attackers can compromise service accounts with elevated privileges, potentially leading to domain-wide compromise. Detecting this behavior early can stop attackers before they reach critical assets. 
While the exact number of victims and sectors targeted are unknown, this technique is widely used by various threat actors in targeted attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Kerberos Traffic from Unusual Process\u0026rdquo; Sigma rule to your SIEM and tune for your environment. Enable network connection logging to capture the necessary traffic.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the process execution chain and potential malicious binaries.\u003c/li\u003e\n\u003cli\u003eReview event ID 4769 for suspicious ticket requests as mentioned in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003cli\u003eExamine host services for suspicious entries as outlined in the original Elastic detection rule using Osquery.\u003c/li\u003e\n\u003cli\u003eMonitor for processes connecting to port 88, filtering out legitimate Kerberos clients like \u003ccode\u003elsass.exe\u003c/code\u003e, using the \u0026ldquo;Detect Kerberos Traffic from Non-Standard Process\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate processes identified by the rule and compare them to the list of legitimate processes to identify unauthorized connections to the Kerberos port.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-03-kerberoasting-unusual-process/","summary":"Detects network connections to the standard Kerberos port from an unusual process other than lsass.exe, potentially indicating Kerberoasting or Pass-the-Ticket activity on Windows systems.","title":"Kerberos Traffic from Unusual Process","url":"https://feed.craftedsignal.io/briefs/2024-01-03-kerberoasting-unusual-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Veeam Backup","PDQ Deploy","Pella Order 
Management","eset-remote-install-service"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Veeam","Admin Arsenal","Pella Corporation","ESET"],"content_html":"\u003cp\u003eThis detection rule identifies a potential lateral movement technique where an attacker establishes a network logon to a Windows system and subsequently installs a service using the same LogonId. This behavior is flagged as suspicious because it deviates from typical administrative practices and can indicate unauthorized access and persistence within the network. The rule is designed to filter out common legitimate services and administrative activities, focusing on anomalies that could signify malicious intent. This detection is crucial for defenders as it can uncover attackers attempting to move laterally and establish persistent access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a network via compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker performs network reconnaissance to identify target systems for lateral movement.\u003c/li\u003e\n\u003cli\u003eUsing valid credentials or pass-the-hash techniques, the attacker authenticates to a remote Windows host over the network (e.g., SMB).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to install a new service on the remote host, potentially using tools like \u003ccode\u003esc.exe\u003c/code\u003e or PowerShell.\u003c/li\u003e\n\u003cli\u003eThe service installation event is logged with a specific LogonId that matches the earlier network logon event, indicating a relationship between the two activities.\u003c/li\u003e\n\u003cli\u003eThe newly installed service is configured to execute a malicious payload or establish a reverse shell.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the service to execute commands or 
deploy further malicious tools on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence and lateral movement within the network, enabling further compromise and data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using this technique can lead to widespread compromise of systems within a network. Attackers can use the newly installed service to execute arbitrary code, install malware, or move laterally to other systems. This can result in data theft, system disruption, or ransomware deployment. The impact can be significant, potentially affecting numerous systems and causing substantial financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Windows Security Event Logs with necessary auditing policies, specifically Audit Logon and Audit Security System Extension, to capture relevant logon and service installation events.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious remote service installations based on matching LogonIds from network logons.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on unusual service file paths and user accounts.\u003c/li\u003e\n\u003cli\u003eReview the list of excluded service file paths in the Sigma rules and customize them based on your environment\u0026rsquo;s known legitimate services.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for suspicious SMB activity, particularly connections originating from unusual or untrusted sources.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) to reduce the risk of credential theft and unauthorized network 
access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-remote-service-install/","summary":"This rule detects a network logon followed by Windows service creation with the same LogonId on a Windows host, which could indicate lateral movement or persistence by adversaries.","title":"Detecting Remote Windows Service Installation for Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-service-install/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["HPWBEM","SCCM","Windows Management Instrumentation",".NET Framework"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","wmi","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","HP","Nessus"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of lateral movement within a Windows environment via Windows Management Instrumentation (WMI). WMI, a core Windows feature, is often exploited by adversaries to remotely execute processes, bypassing traditional security measures. This activity is detected by monitoring network connections and process executions, while filtering out common false positives associated with legitimate administrative use, security tools, and system processes. 
The goal is to highlight potential threats indicative of unauthorized lateral movement.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses WMI to initiate a connection to a remote host on port 135.\u003c/li\u003e\n\u003cli\u003eThe svchost.exe process on the target host accepts an incoming RPC connection from the attacker-controlled system.\u003c/li\u003e\n\u003cli\u003eWmiPrvSE.exe, the WMI provider host process, spawns a new process based on the attacker\u0026rsquo;s WMI command.\u003c/li\u003e\n\u003cli\u003eThe spawned process executes the attacker\u0026rsquo;s payload or command on the remote host.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the executed process for further actions, such as data exfiltration or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and lateral movement via WMI can lead to unauthorized access to sensitive data, compromise of critical systems, and propagation of malware throughout the network. 
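Three of the briefs on this page, remote execution via file shares (a file written by PID 4 that is later executed), remote Windows service installation (a type 3 network logon followed by Event ID 4697 with the same LogonId), and the WMI incoming lateral movement chain just described (svchost.exe accepting an RPC connection on port 135 followed by a WmiPrvSE.exe child process), are all the same detection primitive: a leading event, a trailing event, a shared join key and a time window. The following Python is an added example written for this page, not the feed's Sigma rules or the Elastic rules they derive from; the event field names, the signer and service-path exclusions, the window sizes and the sample events are constructed assumptions that mirror the briefs rather than real telemetry.

```python
"""Time-windowed sequence correlation for three lateral-movement briefs on this page.

Added example, not the feed's Sigma rules or Elastic's EQL. Field names, exclusion
lists, windows and the sample events are assumptions chosen to mirror the briefs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class SequenceRule:
    name: str
    first: Callable[[dict], bool]   # predicate for the leading event
    second: Callable[[dict], bool]  # predicate for the trailing event
    key: Callable[[dict], tuple]    # join key; must agree for both events
    window: timedelta               # maximum gap between the two events


def correlate(events: List[dict], rules: List[SequenceRule]) -> List[Tuple[str, dict, dict]]:
    """Return (rule name, first event, second event) per match. Per rule the latest
    'first' event is kept per join key and fires at most once, within the window."""
    matches: List[Tuple[str, dict, dict]] = []
    pending: Dict[str, Dict[tuple, dict]] = {r.name: {} for r in rules}
    for ev in sorted(events, key=lambda e: e["ts"]):
        for r in rules:
            if r.second(ev):  # trailing side first, so an event never pairs with itself
                k = r.key(ev)
                prior = pending[r.name].get(k)
                if prior is not None and ev["ts"] - prior["ts"] <= r.window:
                    matches.append((r.name, prior, ev))
                    del pending[r.name][k]
            if r.first(ev):
                pending[r.name][r.key(ev)] = ev
    return matches


# Exclusions: assumed, trimmed from the vendor and path lists the briefs mention.
TRUSTED_SIGNERS = {"Microsoft Windows", "Veeam Software Group GmbH", "CrowdStrike, Inc."}
PAYLOAD_EXT = (".exe", ".scr", ".pif", ".com")
EXCLUDED_SERVICE_PATHS = ("c:\\program files\\veeam\\", "c:\\program files (x86)\\pdq deploy\\")


def _file_path(e: dict) -> str:  # file events carry 'path', process events 'executable'
    return (e.get("path") or e.get("executable")).lower()


RULES = [
    SequenceRule(  # System (PID 4) writes a PE with a payload extension; it then runs without a trusted signature
        name="remote_execution_via_file_share",
        first=lambda e: e["cat"] == "file" and e["pid"] == 4
        and e["path"].lower().endswith(PAYLOAD_EXT) and e["header"].lower().startswith("4d5a"),
        second=lambda e: e["cat"] == "process" and e.get("signer") not in TRUSTED_SIGNERS,
        key=lambda e: (e["host"], _file_path(e)),
        window=timedelta(minutes=5),
    ),
    SequenceRule(  # network logon (4624, type 3), then a service install (4697) under the same LogonId
        name="remote_service_install_same_logonid",
        first=lambda e: e.get("event_id") == 4624 and e["logon_type"] == 3,
        second=lambda e: e.get("event_id") == 4697
        and not e["service_file"].lower().startswith(EXCLUDED_SERVICE_PATHS),
        key=lambda e: (e["host"], e["logon_id"]),
        window=timedelta(minutes=1),
    ),
    SequenceRule(  # svchost.exe (RPCSS) accepts a remote connection on 135, then WmiPrvSE.exe spawns a child
        name="wmi_incoming_lateral_movement",
        first=lambda e: e["cat"] == "network" and e["direction"] == "incoming" and e["dst_port"] == 135
        and e["process"].lower() == "svchost.exe" and not e["src_ip"].startswith("127."),
        second=lambda e: e["cat"] == "process" and e["parent"].lower() == "wmiprvse.exe",
        key=lambda e: (e["host"],),
        window=timedelta(seconds=5),
    ),
]

T0 = datetime(2024, 1, 3, 12, 0, 0)
def _t(seconds: int) -> datetime: return T0 + timedelta(seconds=seconds)

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    # ws01: System writes update.exe over SMB; the unsigned binary runs 20 s later -> match
    {"ts": _t(0), "host": "ws01", "cat": "file", "pid": 4, "path": "C:\\Users\\Public\\update.exe", "header": "4d5a"},
    {"ts": _t(20), "host": "ws01", "cat": "process", "executable": "C:\\Users\\Public\\update.exe", "parent": "explorer.exe", "signer": None},
    # ws02: same shape, but the binary carries an excluded vendor signature -> no match
    {"ts": _t(30), "host": "ws02", "cat": "file", "pid": 4, "path": "C:\\Windows\\Temp\\agent.exe", "header": "4d5a"},
    {"ts": _t(40), "host": "ws02", "cat": "process", "executable": "C:\\Windows\\Temp\\agent.exe", "parent": "services.exe", "signer": "Veeam Software Group GmbH"},
    # ws04: execution lands 10 minutes after the write, outside the 5 minute window -> no match
    {"ts": _t(50), "host": "ws04", "cat": "file", "pid": 4, "path": "C:\\Users\\Public\\tool.scr", "header": "4d5a"},
    {"ts": _t(650), "host": "ws04", "cat": "process", "executable": "C:\\Users\\Public\\tool.scr", "parent": "explorer.exe", "signer": None},
    # srv01: network logon, then a service installed under the same LogonId -> match
    {"ts": _t(100), "host": "srv01", "cat": "security", "event_id": 4624, "logon_type": 3, "logon_id": "0x3E7A1"},
    {"ts": _t(105), "host": "srv01", "cat": "security", "event_id": 4697, "logon_id": "0x3E7A1", "service_file": "C:\\Windows\\Temp\\svc.exe"},
    # srv01: same pattern, but the service binary sits in an excluded path -> no match
    {"ts": _t(110), "host": "srv01", "cat": "security", "event_id": 4624, "logon_type": 3, "logon_id": "0x5A2B"},
    {"ts": _t(112), "host": "srv01", "cat": "security", "event_id": 4697, "logon_id": "0x5A2B", "service_file": "C:\\Program Files\\Veeam\\Backup\\agent.exe"},
    # srv02: svchost accepts 135 from another host; WmiPrvSE spawns cmd.exe 1 s later -> match
    {"ts": _t(200), "host": "srv02", "cat": "network", "direction": "incoming", "dst_port": 135, "process": "svchost.exe", "src_ip": "10.0.0.5"},
    {"ts": _t(201), "host": "srv02", "cat": "process", "executable": "C:\\Windows\\System32\\cmd.exe", "parent": "WmiPrvSE.exe", "signer": "Microsoft Windows"},
]


def run_sample() -> List[Tuple[str, str]]:  # (rule name, host) for every match over the sample
    return [(name, second["host"]) for name, _first, second in correlate(SAMPLE_EVENTS, RULES)]
```

Each rule keeps only the latest leading event per key, so a burst of network logons with distinct LogonIds cannot starve the buffer, and a leading event is consumed by its first match; if you need a second execution of the same file to alert as well, re-arm the key instead of deleting it. The exclusions are deliberately narrow: a signer allow-list is only as good as your signature verification, which is why the brief pairs it with hash reputation checks.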
While specific victim counts or sector targeting data are unavailable, the broad applicability of WMI across Windows environments makes this a relevant threat for a wide range of organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection) logging to provide necessary data for the rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious WMI activity and tune them for your environment.\u003c/li\u003e\n\u003cli\u003eReview and create exceptions for known administrative accounts or specific IP addresses used by IT staff to reduce false positives, as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eIsolate any affected host from the network to prevent further lateral movement if suspicious WMI activity is detected.\u003c/li\u003e\n\u003cli\u003eMonitor network connections with destination port 135 for unusual activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-wmi-lateral-movement/","summary":"Detection of processes executed via Windows Management Instrumentation (WMI) on a remote host indicating potential adversary lateral movement.","title":"WMI Incoming Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-03-wmi-lateral-movement/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike FDR","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","lateral-movement","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe legacy Windows AT command allows scheduling tasks for execution. 
While deprecated since Windows 8 and Windows Server 2012, it remains present for backwards compatibility. Attackers may enable the AT command through registry modifications to achieve persistence or lateral movement within a network. This technique bypasses modern security controls and can be difficult to detect without specific monitoring. The detection rule monitors registry changes enabling this command, flagging potential misuse by checking specific registry paths and values indicative of enabling the AT command. The use of this command allows an attacker to execute commands with elevated privileges, potentially compromising the entire system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to enable the AT command by modifying the registry.\u003c/li\u003e\n\u003cli\u003eThe registry key \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt\u003c/code\u003e is modified to a value of \u0026ldquo;1\u0026rdquo; or \u0026ldquo;0x00000001\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AT command to schedule a malicious task.\u003c/li\u003e\n\u003cli\u003eThe scheduled task executes a command or script, such as downloading and executing malware.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system as a pivot point for lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eEnabling the AT command can lead to unauthorized task scheduling, malware execution, persistence, and lateral movement within a network. 
Successful exploitation can compromise sensitive data, disrupt operations, and grant attackers persistent access to critical systems. The use of a deprecated command makes it harder to detect, increasing the impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor registry events for modifications to \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt\u003c/code\u003e as described in the rule overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Scheduled Tasks AT Command Enabled\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation and registry event logging to activate the rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule \u0026ldquo;Scheduled Tasks AT Command Enabled\u0026rdquo; for suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-at-command-enabled/","summary":"Attackers may enable the deprecated Windows AT command via registry modification to achieve local persistence or lateral movement.","title":"Windows Scheduled Tasks AT Command Enabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-at-command-enabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Auditbeat","Auditd Manager","Docker","containerd","kubelet"],"_cs_severities":["medium"],"_cs_tags":["container","privilege-escalation","lateral-movement","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic","Docker","Kubernetes"],"content_html":"\u003cp\u003eThis threat involves unauthorized processes connecting directly to container runtime sockets (Docker or Containerd) on Linux systems. 
This bypasses Kubernetes API server restrictions, potentially allowing attackers to create, execute, or manipulate containers without proper authorization or logging. The risk lies in attackers circumventing RBAC, admission webhooks, and pod security standards. The attack can start when a compromised process attempts to connect to the Docker or Containerd socket, potentially leading to privilege escalation and lateral movement within the containerized environment. This attack is significant because it undermines core security controls within container orchestration platforms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious or compromised process gains initial access to the host system.\u003c/li\u003e\n\u003cli\u003eThe process attempts to connect to the container runtime socket (e.g., \u003ccode\u003e/var/run/docker.sock\u003c/code\u003e or \u003ccode\u003e/run/containerd/containerd.sock\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe process bypasses the Kubernetes API server and associated security controls.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the direct socket connection to create a new container.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive data or resources within the container.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges within the compromised container.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised container to move laterally to other containers or hosts within the environment.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass Kubernetes security measures, create unauthorized containers, and potentially gain control over the entire cluster. 
The observed impact includes privilege escalation, lateral movement, and data exfiltration. The severity of this attack depends on the level of access granted to the compromised container and the sensitivity of the data and resources within the cluster.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Auditd Manager to capture network and socket events, specifically monitoring for \u003ccode\u003econnect\u003c/code\u003e calls to Unix sockets as described in the \u003ca href=\"https://docs.elastic.co/integrations/auditd_manager\"\u003eAuditd Manager documentation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Unusual Process Connecting to Docker or Containerd Socket\u0026rdquo; to detect suspicious processes connecting to container runtime sockets, tuning \u003ccode\u003eprocess.executable\u003c/code\u003e and \u003ccode\u003euser.name\u003c/code\u003e for known legitimate processes.\u003c/li\u003e\n\u003cli\u003eMonitor file permissions on the socket paths (\u003ccode\u003e/var/run/docker.sock\u003c/code\u003e, \u003ccode\u003e/run/docker.sock\u003c/code\u003e, \u003ccode\u003e/var/run/containerd/containerd.sock\u003c/code\u003e, \u003ccode\u003e/run/containerd/containerd.sock\u003c/code\u003e) and restrict access to trusted groups only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-unusual-container-socket-connection/","summary":"An unusual process connecting to a container runtime Unix socket like Docker or Containerd can indicate an attacker attempting to bypass Kubernetes security measures for container manipulation.","title":"Unusual Process Connecting to Docker or Containerd Socket","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-container-socket-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic 
Defend"],"_cs_severities":["low"],"_cs_tags":["lateral-movement","windows","sc.exe"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies the suspicious use of \u003ccode\u003esc.exe\u003c/code\u003e (the Service Control command-line tool, which drives the Service Control Manager and accepts a \u003ccode\u003e\\\\server\u003c/code\u003e argument to target a remote host) to create, modify, or start services on remote Windows hosts. While system administrators may legitimately use this tool, its use for lateral movement is a well-known attacker technique. This activity is often part of a larger attack campaign, where adversaries attempt to gain access to sensitive data or critical systems. The rule aims to detect unauthorized attempts to manipulate services on remote systems, differentiating between legitimate administrative tasks and malicious activities. The rule is designed for data generated by Elastic Defend, but also supports Sysmon data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised host within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003esc.exe\u003c/code\u003e with the \u003ccode\u003ecreate\u003c/code\u003e command to create a new service on a remote host, specifying a malicious executable as the \u003ccode\u003ebinPath\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses \u003ccode\u003esc.exe\u003c/code\u003e with the \u003ccode\u003econfig\u003c/code\u003e command to modify an existing service on a remote host, changing its \u003ccode\u003ebinPath\u003c/code\u003e to point to a malicious executable.\u003c/li\u003e\n\u003cli\u003eOr the attacker uses \u003ccode\u003esc.exe\u003c/code\u003e with the \u003ccode\u003efailure\u003c/code\u003e command to configure service failure actions to run a malicious command.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003esc.exe\u003c/code\u003e with the \u003ccode\u003estart\u003c/code\u003e command to start a service on a remote 
host, triggering the execution of the malicious executable.\u003c/li\u003e\n\u003cli\u003eThe malicious executable executes on the remote host, providing the attacker with a foothold for further actions.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly established foothold to move laterally to other systems within the network, potentially escalating privileges and accessing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence through the created or modified service, allowing continued access even after system reboots.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can allow attackers to move laterally within a network, gain unauthorized access to sensitive data, and establish persistence on compromised systems. While the source material doesn\u0026rsquo;t provide specific victim counts or sectors targeted, the impact of successful lateral movement can be significant, potentially leading to data breaches, system disruption, and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Service Command Lateral Movement\u0026rdquo; to your SIEM and tune for your environment based on observed false positives from administrative activity.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection) logging to enhance visibility into \u003ccode\u003esc.exe\u003c/code\u003e activity.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate administrative scripts or tools that use \u003ccode\u003esc.exe\u003c/code\u003e by their process names or paths to reduce false positives, as described in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the ability of adversaries to move laterally across the network, mitigating the impact of successful 
exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-cmd-service-lateral-movement/","summary":"The rule identifies the use of sc.exe to create, modify, or start services on remote hosts, potentially indicating lateral movement by adversaries.","title":"Suspicious Use of sc.exe for Remote Service Manipulation","url":"https://feed.craftedsignal.io/briefs/2024-01-cmd-service-lateral-movement/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","smb","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule, originally published by Elastic, identifies potentially suspicious processes making Server Message Block (SMB) network connections over port 445. Windows File Sharing is typically implemented over SMB, which communicates between hosts using port 445. Legitimate SMB connections are generally established by the kernel (PID 4). This rule focuses on detecting processes that are not trusted (not signed by Microsoft) or living-off-the-land binaries (LOLBins) initiating SMB connections. It helps to detect port scanners, exploits, or user-level processes attempting lateral movement within the network by leveraging SMB connections. 
The rule is designed for data generated by Elastic Defend.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows host through various means.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a binary that is not signed by Microsoft and not a known LOLBin.\u003c/li\u003e\n\u003cli\u003eThis process attempts to establish a network connection to a remote host on port 445 (SMB).\u003c/li\u003e\n\u003cli\u003eThe attacker may use this connection to enumerate shares.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to the remote SMB share.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication, the attacker may copy malicious payloads to the remote share.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the copied payloads on the remote system, achieving lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to lateral movement within the network, allowing the attacker to compromise additional systems and gain further access to sensitive data. The scope of the impact depends on the permissions of the compromised account and the level of access granted to the attacker on the target systems. 
This could result in data exfiltration, system disruption, or ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Outbound SMB Connection by Untrusted Process\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the process execution chain and network connections.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit lateral movement possibilities.\u003c/li\u003e\n\u003cli\u003eEnsure that systems are patched against known SMB vulnerabilities.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual processes that are not signed by Microsoft.\u003c/li\u003e\n\u003cli\u003eEnable network connection logging to monitor SMB traffic for suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-suspicious-smb-connections/","summary":"This rule identifies potentially suspicious processes, excluding those signed by Microsoft, making Server Message Block (SMB) network connections over port 445, which could indicate lateral movement attempts.","title":"Suspicious SMB Connections via LOLBin or Untrusted Process","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-smb-connections/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS CloudTrail"],"_cs_severities":["medium"],"_cs_tags":["aws","cloud","lateral-movement","privilege-escalation","sts","GetSessionToken"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThe AWS Security Token Service (STS) GetSessionToken API allows IAM users to create temporary security credentials. 
Attackers can abuse this functionality by generating tokens with elevated privileges or for lateral movement within an AWS environment if an IAM user\u0026rsquo;s credentials have been compromised. This activity can be difficult to detect as GetSessionToken is a legitimate function, but unusual patterns or IAM users generating tokens where it is not expected should be investigated. This activity is of particular concern because it bypasses normal IAM role assumption logging and creates a separate credential for an attacker to abuse, making access more difficult to track. The impact is significant, allowing attackers to perform actions as the compromised IAM user or escalate privileges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS environment, potentially through compromised IAM user credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to AWS using the compromised IAM user credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker calls the STS GetSessionToken API, specifying desired permissions or roles (if permitted by the IAM user\u0026rsquo;s policies).\u003c/li\u003e\n\u003cli\u003eAWS STS generates a new set of temporary credentials (access key ID, secret access key, and session token).\u003c/li\u003e\n\u003cli\u003eThe attacker configures their AWS CLI or SDK to use the newly acquired temporary credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages these temporary credentials to perform actions within the AWS environment, potentially escalating privileges or moving laterally.\u003c/li\u003e\n\u003cli\u003eThe attacker covers their tracks by deleting the CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data, deploys malware, or causes disruption within the AWS environment using the acquired privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised AWS environments can lead to data breaches, service disruptions, and financial losses. Successful exploitation via GetSessionToken misuse allows attackers to move laterally, escalate privileges, and perform unauthorized actions within the AWS infrastructure. The number of affected organizations is currently unknown, but any organization relying on AWS is potentially at risk. If successful, attackers can steal sensitive data, compromise critical systems, and disrupt business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS STS GetSessionToken Misuse\u0026rdquo; to your SIEM to detect suspicious GetSessionToken API calls (see rules section).\u003c/li\u003e\n\u003cli\u003eInvestigate GetSessionToken calls where \u003ccode\u003euserIdentity.type\u003c/code\u003e is \u003ccode\u003eIAMUser\u003c/code\u003e to determine if the request is legitimate.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for unusual patterns of GetSessionToken usage, particularly from unfamiliar user agents or hosts.\u003c/li\u003e\n\u003cli\u003eImplement strong IAM policies and MFA to minimize the risk of compromised IAM user credentials.\u003c/li\u003e\n\u003cli\u003eReview the false positives section of the Sigma rule to tune the rule for your specific environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-aws-sts-getsessiontoken-misuse/","summary":"The AWS STS GetSessionToken API is being misused to create temporary tokens for lateral movement and privilege escalation within AWS environments by potentially compromised IAM users.","title":"Suspicious AWS STS GetSessionToken 
Usage","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-sts-getsessiontoken-misuse/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies the creation of scheduled tasks on Windows systems originating from a remote source using Remote Procedure Call (RPC). The creation of scheduled tasks is a common technique used for persistence and execution. While administrators may legitimately use this functionality for remote management, adversaries also leverage it for lateral movement and executing malicious code on compromised systems. The rule specifically looks for RPC calls where the client locality and process ID are 0, suggesting the task was created remotely. Identifying this activity allows defenders to investigate potentially malicious lateral movement and unauthorized task execution. This activity has been observed across various Windows environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a network, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target system within the network accessible via RPC.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes an RPC connection to the target system.\u003c/li\u003e\n\u003cli\u003eUsing the RPC connection, the attacker creates a new scheduled task on the target system. The RpcCallClientLocality and ClientProcessId are set to 0 in the task creation event, indicating remote origin.\u003c/li\u003e\n\u003cli\u003eThe scheduled task is configured to execute a malicious payload or command. 
This could involve running a script, executable, or PowerShell command.\u003c/li\u003e\n\u003cli\u003eThe scheduled task is triggered based on a defined schedule or event.\u003c/li\u003e\n\u003cli\u003eThe malicious payload executes on the target system, achieving the attacker\u0026rsquo;s objective.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to further pivot within the network, repeating the process on other targets.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the establishment of persistence on the target system, allowing the attacker to maintain access even after reboots or credential changes. This can also facilitate lateral movement, enabling the attacker to compromise additional systems within the network. The impact could range from data theft and system disruption to full network compromise. Organizations may experience downtime, data loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Other Object Access Events\u0026rdquo; to generate the Windows Security Event Logs required for detection (reference: Setup section in content).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect remote scheduled task creation events (reference: rules section).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules to determine the legitimacy of the scheduled task creation.\u003c/li\u003e\n\u003cli\u003eReview and restrict permissions for creating scheduled tasks, especially from remote sources, to prevent unauthorized task creation.\u003c/li\u003e\n\u003cli\u003eMonitor the TaskContent value to investigate the configured action of scheduled tasks created remotely (reference: Triage and analysis section in 
content).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-remote-task-creation/","summary":"The creation of scheduled tasks from a remote source via RPC, where the RpcCallClientLocality and ClientProcessId are 0, indicates potential adversary lateral movement within a Windows environment.","title":"Remote Scheduled Task Creation via RPC","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-task-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","data-staging","windows","hidden-share"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection rule identifies attempts to copy files to hidden network shares in Windows environments, which can be indicative of lateral movement or data staging by malicious actors. Attackers may leverage hidden shares, typically used for legitimate administrative purposes, to move laterally within a network or to stage data for exfiltration without being easily detected. The rule focuses on detecting the use of command-line tools such as cmd.exe and powershell.exe with arguments that specify the copying of files to network paths that match a hidden share pattern (e.g., \u003ccode\u003e\\\\\\\\*\\\\\\\\*$\u003c/code\u003e). This activity helps identify suspicious file transfer operations that deviate from normal administrative or user behavior. 
The rule was last updated on 2026/05/04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised host within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses cmd.exe or powershell.exe to execute a file copy command.\u003c/li\u003e\n\u003cli\u003eThe command line includes arguments to copy files to a hidden network share (e.g., \u003ccode\u003e\\\\\\\\\u0026lt;server\u0026gt;\\\\\u0026lt;hidden_share\u0026gt;$\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecopy\u003c/code\u003e, \u003ccode\u003emove\u003c/code\u003e, \u003ccode\u003ecp\u003c/code\u003e, or \u003ccode\u003emv\u003c/code\u003e commands are used to transfer the file.\u003c/li\u003e\n\u003cli\u003eThe target hidden share is accessed using the compromised account\u0026rsquo;s credentials.\u003c/li\u003e\n\u003cli\u003eThe file is successfully copied to the hidden share.\u003c/li\u003e\n\u003cli\u003eThe attacker may then access the copied file from another compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds to exfiltrate the staged data or uses the copied files for lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data, lateral movement to other systems within the network, and potential data exfiltration. While the number of victims and specific sectors targeted are not specified, a successful compromise can significantly impact an organization\u0026rsquo;s data security and overall network integrity. 
The impact includes potential data loss, reputational damage, and disruption of normal business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Remote File Copy to Hidden Share\u0026rdquo; Sigma rule to your SIEM and tune for your environment to detect suspicious file copy activities.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to capture the command-line arguments used in file copy operations, activating the rule above.\u003c/li\u003e\n\u003cli\u003eReview and restrict permissions on network shares, especially hidden shares, to ensure only authorized users have access, as described in the investigation guide.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the process details (cmd.exe, powershell.exe) and the network share path, as outlined in the investigation guide.\u003c/li\u003e\n\u003cli\u003eCorrelate events with other logs or alerts from the same host or user to identify any additional suspicious activities, enhancing the detection capabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-remote-file-copy-hidden-share/","summary":"This rule detects remote file copy attempts to hidden network shares, which may indicate lateral movement or data staging activity, by identifying suspicious file copy operations using command-line tools like cmd.exe and powershell.exe focused on hidden share patterns.","title":"Remote File Copy to a Hidden Share","url":"https://feed.craftedsignal.io/briefs/2024-01-03-remote-file-copy-hidden-share/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic 
Defend"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","defense-evasion","rdp","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers may enable Remote Desktop Protocol (RDP) to facilitate lateral movement within a compromised network. By modifying the \u003ccode\u003efDenyTSConnections\u003c/code\u003e registry key to a value of \u003ccode\u003e0\u003c/code\u003e, attackers can enable remote desktop connections, allowing them to access systems remotely. This technique can be employed using remote registry manipulation or tools like PsExec. The modification of the registry key is a common tactic used by ransomware operators and other threat actors to gain unauthorized access to victim servers. This activity can be performed to enable remote access for initial access or to regain access after persistence mechanisms have failed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system via an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool like PsExec or leverages remote registry modification capabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003efDenyTSConnections\u003c/code\u003e registry key, setting its value to \u003ccode\u003e0\u003c/code\u003e. 
This key is typically located in \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe system\u0026rsquo;s RDP service is enabled or re-enabled as a result of the registry change.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to connect to the now-enabled RDP service using valid or brute-forced credentials.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication, the attacker gains interactive access to the system via RDP.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance, elevates privileges, and moves laterally to other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys ransomware, exfiltrates data, or achieves other objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the \u003ccode\u003efDenyTSConnections\u003c/code\u003e registry key allows unauthorized remote access to systems, potentially leading to lateral movement, data theft, or ransomware deployment. Organizations could suffer significant financial losses, reputational damage, and operational disruption. 
The scope of the impact depends on the attacker\u0026rsquo;s objectives and the level of access they gain within the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;RDP Enabled via Registry\u0026rdquo; to detect modifications to the \u003ccode\u003efDenyTSConnections\u003c/code\u003e registry key (rules).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for suspicious use of \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify registry keys related to RDP (rules).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and firewall rules to restrict RDP traffic to authorized hosts (overview).\u003c/li\u003e\n\u003cli\u003eReview the privileges assigned to users and ensure the principle of least privilege is enforced (overview).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture registry modifications (setup).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts related to registry modifications on critical systems (overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-rdp-registry-enabled/","summary":"An adversary may enable Remote Desktop Protocol (RDP) access by modifying the `fDenyTSConnections` registry key, potentially indicating lateral movement preparation or defense evasion.","title":"RDP Enabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-rdp-registry-enabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["psexec","lateral-movement","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies the execution of PsExec, a dual-use tool commonly employed for both legitimate 
administration and malicious lateral movement. PsExec, part of the Sysinternals Suite, allows for remote command execution with elevated privileges, often abused by attackers to disable security controls and move laterally within a network. This rule specifically detects the creation of \u003ccode\u003ePsExec.exe\u003c/code\u003e followed by a network connection initiated by the process, which is a strong indicator of potential malicious activity. While PsExec has legitimate uses, its prevalence in attack scenarios necessitates careful monitoring. The rule is designed to work with data from Elastic Defend, SentinelOne Cloud Funnel, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or transfers the PsExec tool (\u003ccode\u003ePsExec.exe\u003c/code\u003e) to the compromised host, potentially using SMB shares or other file transfer methods.\u003c/li\u003e\n\u003cli\u003eThe attacker executes PsExec with the \u003ccode\u003e-accepteula\u003c/code\u003e flag, which suppresses the license dialog, potentially indicating a first-time execution on the machine.\u003c/li\u003e\n\u003cli\u003ePsExec establishes a network connection to a remote target system, leveraging SMB/Windows Admin Shares (T1021.002) to facilitate remote command execution.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PsExec to execute commands on the remote system, potentially with SYSTEM privileges, to install malware, gather credentials, or perform reconnaissance.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly compromised system as a pivot point to move laterally to other systems within the network, repeating the process.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges on multiple systems.\u003c/li\u003e\n\u003cli\u003eThe attacker 
achieves their objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to widespread compromise across the network. Attackers can leverage PsExec to gain control over critical systems, disable security controls, and exfiltrate sensitive data. Lateral movement facilitated by PsExec can enable attackers to rapidly expand their footprint within an organization, impacting numerous systems and services. While the rule\u0026rsquo;s severity is low due to the dual-use nature of PsExec, the potential impact of unchecked lateral movement is significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePsExec Network Connection\u003c/code\u003e to your SIEM and tune the \u003ccode\u003eprocess.executable\u003c/code\u003e and \u003ccode\u003eprocess.parent.executable\u003c/code\u003e filters for your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection) logging for enhanced visibility into PsExec activity.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege to limit the accounts that can run PsExec and access sensitive systems.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003ePsExec Network Connection\u003c/code\u003e rule promptly to determine if the activity is legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from systems where PsExec is executed using the \u003ccode\u003ePsExec Outbound Network Connection\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-psexec-lateral-movement/","summary":"The rule identifies the use of 
PsExec.exe making a network connection, indicative of potential lateral movement by adversaries executing commands with SYSTEM privileges on Windows systems to disable defenses.","title":"PsExec Lateral Movement via Network Connection","url":"https://feed.craftedsignal.io/briefs/2024-01-psexec-lateral-movement/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","CISCO Talos"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","smb","file-transfer","windows"],"_cs_type":"threat","_cs_vendors":["Elastic","Cisco"],"content_html":"\u003cp\u003eThis detection rule identifies the potential transfer of malicious tools within a Windows environment using SMB shares. Attackers commonly leverage SMB shares to propagate malware, tools, or scripts to compromised systems for lateral movement. The rule focuses on detecting the creation or modification of executable files (e.g., .exe, .dll, .ps1) on network shares, which is a strong indicator of malicious activity. The rule leverages Elastic Defend data to detect this activity and can be used to identify systems that may be compromised. 
This technique is used to deploy additional payloads, credential dumpers, or other malicious tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies accessible SMB shares within the compromised environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to connect to a target SMB share (port 445) on another system.\u003c/li\u003e\n\u003cli\u003eThe attacker copies an executable file (e.g., malware, a credential dumping tool, or a PowerShell script) to the SMB share.\u003c/li\u003e\n\u003cli\u003eThe target system detects a new file creation or change event on the SMB share.\u003c/li\u003e\n\u003cli\u003eA user or process on the target system executes the transferred file.\u003c/li\u003e\n\u003cli\u003eThe executed file performs malicious actions on the target system, such as credential theft or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly compromised system to further expand their access within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to propagate malware or malicious tools throughout the network, leading to widespread compromise. Lateral movement enables attackers to access sensitive data, escalate privileges, and ultimately achieve their objectives, which may include data exfiltration, ransomware deployment, or system disruption. 
The rule aims to detect this activity early in the attack chain and mitigate potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious executable file creation/modification events on SMB shares.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend on all Windows endpoints to provide the necessary data for the detection rule to function.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rules, focusing on the process execution chain, file reputation, and user activity.\u003c/li\u003e\n\u003cli\u003eReview and restrict write access to network shares to minimize the risk of unauthorized file transfers.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to port 445 (SMB) for suspicious activity, especially connections originating from unusual source IPs (Sigma rule, log source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-lateral-tool-transfer-smb/","summary":"The rule identifies the creation or change of a Windows executable file over network shares, indicating potential lateral tool transfer via SMB, which adversaries may use to move tools between systems in a compromised environment.","title":"Potential Lateral Tool Transfer via SMB Share","url":"https://feed.craftedsignal.io/briefs/2024-01-lateral-tool-transfer-smb/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defend for Containers"],"_cs_severities":["high"],"_cs_tags":["container","kubelet","kubernetes","lateral-movement","execution"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis rule detects potential direct Kubelet access via process arguments within Linux containers. 
Attackers may target the Kubelet API because it exposes the node\u0026rsquo;s workloads directly: it can list the pods scheduled on the node, return their logs, and execute commands inside their containers without going through the Kubernetes API server and its audit log. Observed requests are typically reconnaissance (enumerating pods and the service account tokens mounted in them) or command execution inside a container via the \u003ccode\u003e/exec\u003c/code\u003e and \u003ccode\u003e/run\u003c/code\u003e endpoints, which can in turn yield credentials for the API server itself. This activity indicates a potential attempt to move laterally within the Kubernetes environment. The activity is detected by monitoring process arguments for HTTP requests directed at the Kubelet API on port 10250 (the authenticated API) or 10255 (the deprecated, unauthenticated read-only port). The detection leverages Elastic Defend for Containers, introduced in version 9.3.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a container within the Kubernetes cluster, potentially through exploiting a vulnerable application.\u003c/li\u003e\n\u003cli\u003eThe attacker opens an interactive shell within the compromised container.\u003c/li\u003e\n\u003cli\u003eUsing command-line tools such as \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e, the attacker crafts an HTTP request targeting the Kubelet API, typically on port 10250 or 10255.\u003c/li\u003e\n\u003cli\u003eThe HTTP request is embedded within the process arguments, including specific Kubelet endpoints such as \u003ccode\u003e/pods\u003c/code\u003e, \u003ccode\u003e/exec\u003c/code\u003e, \u003ccode\u003e/run\u003c/code\u003e, or \u003ccode\u003e/logs\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to enumerate pods and other cluster resources by querying the \u003ccode\u003e/pods\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to execute commands within containers by leveraging the \u003ccode\u003e/exec\u003c/code\u003e or \u003ccode\u003e/run\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to retrieve container logs using the \u003ccode\u003e/logs\u003c/code\u003e 
endpoint.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation allows the attacker to move laterally within the Kubernetes cluster, potentially gaining access to sensitive data or control over other resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of direct Kubelet access can lead to significant compromise within a Kubernetes cluster. Attackers can enumerate sensitive information, execute arbitrary commands within containers, and move laterally to other parts of the cluster. This can result in data exfiltration, denial of service, or complete cluster takeover. Due to the high level of access granted by Kubelet, a successful attack allows the attacker to take complete control over the target node.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM and tune them for your environment. Enable Elastic Defend for Containers with a minimum version of 9.3.0 to generate the necessary logs for these detections.\u003c/li\u003e\n\u003cli\u003eReview network policies to restrict pod access to Kubelet ports (10250, 10255) except from approved node-local agents (reference: \u003ca href=\"https://www.cyberark.com/resources/threat-research-blog/using-kubelet-client-to-attack-the-kubernetes-cluster\"\u003ehttps://www.cyberark.com/resources/threat-research-blog/using-kubelet-client-to-attack-the-kubernetes-cluster\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eHarden Kubelet authentication and authorization by disabling anonymous access (\u003ccode\u003e--anonymous-auth=false\u003c/code\u003e), requiring webhook authorization (\u003ccode\u003e--authorization-mode=Webhook\u003c/code\u003e), and disabling the unauthenticated read-only port (\u003ccode\u003e--read-only-port=0\u003c/code\u003e) (reference: \u003ca href=\"https://www.aquasec.com/blog/kubernetes-exposed-exploiting-the-kubelet-api/\"\u003ehttps://www.aquasec.com/blog/kubernetes-exposed-exploiting-the-kubelet-api/\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eEnforce Pod Security Standards (PodSecurityPolicy was removed in Kubernetes 1.25) or an equivalent admission policy to restrict privileged pods and host networking, reducing the 
attack surface for node API access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-kubelet-access/","summary":"Detection of potential direct Kubelet access via process arguments in Linux containers, which could lead to enumeration, execution, or lateral movement within the Kubernetes cluster.","title":"Potential Direct Kubelet Access via Process Arguments","url":"https://feed.craftedsignal.io/briefs/2024-01-kubelet-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Secure Firewall Threat Defense","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Secure Access Firewall"],"_cs_severities":["high"],"_cs_tags":["network","smb","lateral-movement","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Cisco","Splunk"],"content_html":"\u003cp\u003eThis detection identifies outbound Server Message Block (SMB) traffic from internal hosts to external servers. The activity is identified by monitoring network traffic for SMB requests directed towards the Internet, an unusual occurrence in standard operations. This analytic is crucial for Security Operations Centers (SOCs) as it can signal an attacker\u0026rsquo;s attempt to retrieve credential hashes via compromised internal systems, a critical step in lateral movement and privilege escalation. 
The source mentions specific relevance to \u0026ldquo;Hidden Cobra Malware\u0026rdquo;, \u0026ldquo;DHS Report TA18-074A\u0026rdquo;, and \u0026ldquo;NOBELIUM Group\u0026rdquo;, suggesting possible connections to these threat actors or campaigns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn internal host is compromised through an initial access vector (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to enumerate network resources accessible from the compromised host.\u003c/li\u003e\n\u003cli\u003eThe compromised host (or a user on it lured into opening a UNC path) initiates an SMB connection to an attacker-controlled external server, typically on port 445 or 139.\u003c/li\u003e\n\u003cli\u003eWindows transparently attempts NTLM authentication to the external server as the current user.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to exploit vulnerabilities in the SMB protocol or server.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server captures the NTLM challenge-response (NetNTLMv2) for offline cracking, or relays it to another service that accepts NTLM.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the captured credentials to move laterally to other systems or escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful credential capture over outbound SMB can lead to unauthorized access to sensitive data and full system compromise. Lateral movement and privilege escalation are key goals. Confirmed malicious SMB traffic could enable attackers to move through the network, potentially impacting numerous systems and leading to significant data breaches. 
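The core test of the outbound-SMB analytic, as an added Python example rather than the Splunk search itself: TCP flows to port 139 or 445 whose source is inside the organisation's CIDR blocks and whose destination is not, minus an explicit allow-list standing in for the filter macro. The field names and flow records are constructed, and the internal ranges are an assumption you would replace with your own address plan.

```python
"""Added example: the outbound-SMB test over constructed flow records.
Not the Splunk analytic; field names and the internal ranges below are assumed."""
import ipaddress
from collections import defaultdict

SMB_PORTS = {139, 445}
# Treat these as "internal". Per the brief's false-positive note, this list must also
# include any public ranges you own, or your own hosts will alert as external destinations.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "::1/128",
)]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(flows, allowed=frozenset()):
    """One alert per TCP flow from an internal source to a non-internal SMB port.
    `allowed` plays the role of the brief's filter macro: destinations with a business reason."""
    alerts = []
    for f in flows:
        if f["proto"] != "tcp" or f["dest_port"] not in SMB_PORTS:
            continue
        if not is_internal(f["src_ip"]) or is_internal(f["dest_ip"]) or f["dest_ip"] in allowed:
            continue
        alerts.append({"src_ip": f["src_ip"], "dest_ip": f["dest_ip"], "dest_port": f["dest_port"]})
    return alerts


def by_source(alerts):
    """Group alerts per internal host: one host reaching several external SMB servers
    looks like forced-authentication collection rather than a single stray connection."""
    groups = defaultdict(set)
    for a in alerts:
        groups[a["src_ip"]].add(a["dest_ip"])
    return {src: sorted(dests) for src, dests in groups.items()}


SAMPLE_FLOWS = [  # constructed, not captured traffic
    {"src_ip": "10.20.30.40", "dest_ip": "10.20.30.5",   "dest_port": 445, "proto": "tcp"},  # internal file server
    {"src_ip": "10.20.30.40", "dest_ip": "203.0.113.7",  "dest_port": 445, "proto": "tcp"},  # outbound SMB
    {"src_ip": "10.20.30.41", "dest_ip": "203.0.113.7",  "dest_port": 443, "proto": "tcp"},  # HTTPS, ignore
    {"src_ip": "192.168.1.9", "dest_ip": "198.51.100.2", "dest_port": 139, "proto": "tcp"},  # NetBIOS session
    {"src_ip": "192.168.1.9", "dest_ip": "198.51.100.3", "dest_port": 445, "proto": "tcp"},  # second server
    {"src_ip": "203.0.113.9", "dest_ip": "198.51.100.3", "dest_port": 445, "proto": "tcp"},  # not ours, ignore
]

if __name__ == "__main__":
    for src, dests in by_source(detect(SAMPLE_FLOWS)).items():
        print(f"{src} -> {', '.join(dests)}")
```

A production version would also match on application-identified SMB regardless of port, since the destination port is attacker-chosen.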
While the number of victims isn\u0026rsquo;t specified, the detection\u0026rsquo;s relevance to known threat actors suggests potentially widespread impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eOutbound SMB Traffic Detected\u003c/code\u003e to your SIEM and tune it for your environment, using the provided positive and negative test cases to ensure accurate detection.\u003c/li\u003e\n\u003cli\u003eInvestigate and block any detected outbound SMB connections that are not explicitly authorized by legitimate business needs (reference \u003ccode\u003edetect_outbound_smb_traffic_filter\u003c/code\u003e macro in the original search).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict internal hosts from directly accessing external SMB services.\u003c/li\u003e\n\u003cli\u003eEnforce strong password policies and multi-factor authentication to mitigate the impact of credential theft.\u003c/li\u003e\n\u003cli\u003eCategorize internal CIDR blocks as \u003ccode\u003einternal\u003c/code\u003e in your asset management system to reduce false positives (reference \u0026ldquo;known_false_positives\u0026rdquo; section).\u003c/li\u003e\n\u003cli\u003eConsider blocking external communications of all SMB versions and related protocols at the network boundary.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-outbound-smb/","summary":"This analytic detects outbound SMB connections from internal hosts to external servers, potentially indicating lateral movement and credential theft attempts.","title":"Outbound SMB Traffic Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-outbound-smb/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","SentinelOne Cloud 
Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","defense-evasion","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","Crowdstrike","Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies modifications to the \u003ccode\u003eNullSessionPipe\u003c/code\u003e registry setting in Windows. This setting defines named pipes that can be accessed without authentication, facilitating anonymous connections. Adversaries may exploit this by modifying the registry to enable lateral movement, allowing unauthorized access to network resources. By adding specific pipes to the \u003ccode\u003eNullSessionPipes\u003c/code\u003e registry key, an attacker can make services accessible without requiring authentication. This rule focuses on flagging modifications that introduce new accessible pipes, which could indicate malicious intent. The targeted configuration is located under \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\u003c/code\u003e. The registry key \u003ccode\u003eNullSessionPipes\u003c/code\u003e is of particular interest when its values change.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker gains elevated privileges on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the Windows Registry, specifically the \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\NullSessionPipes\u003c/code\u003e key. 
They add a new pipe name to this key, which will allow unauthenticated access to that named pipe.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify the registry, potentially using commands like \u003ccode\u003ereg add\u003c/code\u003e or \u003ccode\u003eSet-ItemProperty\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA remote system attempts to connect to the newly accessible named pipe on the compromised system without authenticating.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the now-accessible service or application associated with the named pipe to execute commands or transfer data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this access to move laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the \u003ccode\u003eNullSessionPipes\u003c/code\u003e registry setting can lead to unauthorized access to sensitive resources and lateral movement within the network. By enabling anonymous access to named pipes, attackers can potentially bypass authentication mechanisms and gain control over critical systems. While the direct number of victims is not specified, the impact can be significant, particularly in organizations where shared resources and services rely on secure authentication protocols.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Windows Registry auditing to capture changes to the \u003ccode\u003eNullSessionPipes\u003c/code\u003e registry key. 
This will allow you to detect unauthorized modifications as described in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;NullSessionPipe Registry Modification\u0026rdquo; to your SIEM and tune for your environment to identify malicious activity related to named pipe modifications.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the specific named pipes being added or modified in the registry event details, as detailed in the rule\u0026rsquo;s description.\u003c/li\u003e\n\u003cli\u003eRegularly review and validate the legitimacy of existing entries in the \u003ccode\u003eNullSessionPipes\u003c/code\u003e registry key to identify and remove any unauthorized pipes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-nullsessionpipe-modification/","summary":"Attackers modify the NullSessionPipe registry setting in Windows to enable anonymous access to named pipes, potentially facilitating lateral movement and unauthorized access to network resources.","title":"NullSessionPipe Registry Modification for Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-nullsessionpipe-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","windows","winrm","remote-execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eWindows Remote Management (WinRM) is a protocol that allows for remote management and execution of commands on Windows machines. While beneficial for legitimate administrative tasks, adversaries can exploit WinRM for lateral movement by executing commands remotely. 
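The two-step correlation behind this detection, as an added Python example (not Elastic's EQL rule): an inbound connection to 5985 or 5986 from a non-loopback address, followed within a short window on the same host by a process whose parent is winrshost.exe. The flattened event fields, the 30-second window, the admin allow-list and the sample events are all constructed.

```python
"""Added example: correlate an inbound WinRM connection with a child of winrshost.exe
on the same host. Not Elastic's rule; fields, window and samples are constructed."""
from datetime import datetime, timedelta

WINRM_PORTS = {5985, 5986}
MAXSPAN = timedelta(seconds=30)     # how long after the connection a child may appear
LOOPBACK = {"127.0.0.1", "::1"}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_incoming_winrm_exec(events, admin_sources=frozenset()):
    """events: dicts with host, ts, category ('network' | 'process') and per-category fields.
    admin_sources: source IPs of known management hosts (the brief's allow-list)."""
    pending = {}   # host -> [(ts, src_ip)] inbound WinRM connections awaiting a child process
    alerts = []
    for e in sorted(events, key=lambda ev: _ts(ev["ts"])):
        host, ts = e["host"], _ts(e["ts"])
        if e["category"] == "network":
            if (e.get("direction") == "incoming" and e["dest_port"] in WINRM_PORTS
                    and e["src_ip"] not in LOOPBACK and e["src_ip"] not in admin_sources):
                pending.setdefault(host, []).append((ts, e["src_ip"]))
        elif e["category"] == "process" and e.get("action") == "start":
            if e.get("parent_name", "").lower() != "winrshost.exe":
                continue
            recent = [(t, ip) for t, ip in pending.get(host, []) if ts - t <= MAXSPAN]
            pending[host] = recent                 # drop connections that have aged out
            if recent:
                alerts.append({"host": host, "source_ip": recent[-1][1],
                               "process": e["name"], "command_line": e["command_line"]})
    return alerts


SAMPLE_EVENTS = [  # constructed Sysmon-style events, flattened
    {"host": "SRV01", "ts": "2024-01-03T12:00:00Z", "category": "network", "direction": "incoming",
     "src_ip": "10.0.0.50", "dest_port": 5985},
    {"host": "SRV01", "ts": "2024-01-03T12:00:03Z", "category": "process", "action": "start",
     "parent_name": "winrshost.exe", "name": "cmd.exe", "command_line": "cmd.exe /c whoami && net user"},
    # Loopback WinRM (a local Invoke-Command) followed by a child: not lateral movement.
    {"host": "SRV02", "ts": "2024-01-03T12:01:00Z", "category": "network", "direction": "incoming",
     "src_ip": "127.0.0.1", "dest_port": 5985},
    {"host": "SRV02", "ts": "2024-01-03T12:01:02Z", "category": "process", "action": "start",
     "parent_name": "winrshost.exe", "name": "powershell.exe", "command_line": "powershell.exe -c hostname"},
    # Connection and child too far apart to be tied together by this window.
    {"host": "SRV03", "ts": "2024-01-03T12:02:00Z", "category": "network", "direction": "incoming",
     "src_ip": "10.0.0.51", "dest_port": 5986},
    {"host": "SRV03", "ts": "2024-01-03T12:05:00Z", "category": "process", "action": "start",
     "parent_name": "winrshost.exe", "name": "cmd.exe", "command_line": "cmd.exe /c ipconfig"},
]

if __name__ == "__main__":
    for a in detect_incoming_winrm_exec(SAMPLE_EVENTS):
        print(a)
```

The window is the tuning knob: too short and long-lived sessions running a second command escape, too long and unrelated admin sessions get stitched to the wrong child.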
This detection rule identifies suspicious activity by monitoring network traffic on specific ports and processes initiated by WinRM (winrshost.exe), flagging potential unauthorized remote executions. The rule is designed for data generated by Elastic Defend, but also supports SentinelOne Cloud Funnel and Sysmon event logs. This detection can help identify attackers moving laterally within a Windows environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a machine within the network (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses this compromised machine to scan the network for potential targets with WinRM enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to a target machine using stolen credentials or by exploiting a vulnerability in WinRM.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication, the attacker establishes a WinRM session to the target machine over ports 5985 (HTTP) or 5986 (HTTPS).\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious commands on the target machine using the WinRM remote shell, often leveraging \u003ccode\u003ewinrshost.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe executed commands may include reconnaissance activities (e.g., \u003ccode\u003ewhoami\u003c/code\u003e, \u003ccode\u003enet user\u003c/code\u003e), privilege escalation attempts, or malware deployment.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the compromised target to pivot to other systems, repeating the process and expanding their foothold.\u003c/li\u003e\n\u003cli\u003eThe final objective is typically data exfiltration, system compromise, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via WinRM can lead to unauthorized access to sensitive data, system 
compromise, and lateral movement within the network. Attackers can leverage WinRM to execute arbitrary commands, deploy malware, and ultimately achieve their objectives, such as data theft or ransomware deployment. The impact can range from individual system compromise to widespread network breaches, depending on the attacker\u0026rsquo;s goals and the organization\u0026rsquo;s security posture.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation (Event ID 1) and network connection (Event ID 3) logging to provide the necessary data for the Sigma rules.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Incoming WinRM Remote Shell Execution via Network Connection\u003c/code\u003e to identify suspicious network connections on ports 5985 and 5986.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious WinRM Processes\u003c/code\u003e to detect suspicious processes spawned by \u003ccode\u003ewinrshost.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview and whitelist known administrative IP addresses or users to reduce false positives as noted in the rule documentation.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the ability of threats to move laterally across the network as described in the remediation steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-winrm-lateral-movement/","summary":"This rule detects incoming execution via Windows Remote Management (WinRM) remote shell on a target host, which could be an indication of lateral movement by monitoring network traffic on ports 5985 or 5986 and processes initiated by WinRM.","title":"Incoming Execution via WinRM Remote 
Shell","url":"https://feed.craftedsignal.io/briefs/2024-01-winrm-lateral-movement/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["group-policy","scheduled-task","privilege-escalation","lateral-movement"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAttackers can abuse Group Policy Objects (GPOs) to execute scheduled tasks at scale, compromising every computer or user in the scope of a given GPO. This involves modifying the contents of the \u003ccode\u003e\u0026lt;GPOPath\u0026gt;\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml\u003c/code\u003e file. By altering the XML file to include malicious commands, attackers can achieve privilege escalation or lateral movement within the domain (computer-configuration tasks typically run as SYSTEM on every machine that applies the GPO). This technique leverages a legitimate Active Directory mechanism, making it essential to differentiate between authorized administrative actions and malicious activities. The modification can be identified through changes to \u003ccode\u003egPCMachineExtensionNames\u003c/code\u003e or \u003ccode\u003egPCUserExtensionNames\u003c/code\u003e attributes within Active Directory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a system with permissions to modify GPOs.\u003c/li\u003e\n\u003cli\u003eAttacker modifies the \u003ccode\u003eScheduledTasks.xml\u003c/code\u003e file within the SYSVOL share of a targeted GPO (\u003ccode\u003e\\\\*\\SYSVOL\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker changes the contents of the XML file to include a malicious \u003ccode\u003e\u0026lt;Command\u0026gt;\u003c/code\u003e and \u003ccode\u003e\u0026lt;Arguments\u0026gt;\u003c/code\u003e tag.\u003c/li\u003e\n\u003cli\u003eThe modified GPO is replicated to domain controllers.\u003c/li\u003e\n\u003cli\u003eTarget systems receive the updated GPO during regular group policy refresh 
cycles.\u003c/li\u003e\n\u003cli\u003eThe scheduled task defined in the modified \u003ccode\u003eScheduledTasks.xml\u003c/code\u003e is executed on the target systems.\u003c/li\u003e\n\u003cli\u003eThe malicious command executes, potentially escalating privileges or facilitating lateral movement.\u003c/li\u003e\n\u003cli\u003eAttacker achieves desired objective, such as installing malware, creating new accounts, or exfiltrating data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on systems managed by the modified GPO. The scope of impact depends on the targeted GPO and the permissions of the scheduled task. This can lead to widespread compromise, affecting numerous systems and users within the domain. The modification of GPOs can be difficult to detect without proper monitoring, potentially allowing attackers to maintain persistence and control over the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and monitor Windows audit policies for \u0026ldquo;Audit Directory Service Changes\u0026rdquo; and \u0026ldquo;Audit Detailed File Share\u0026rdquo; to detect modifications to GPOs and file share access, as outlined in the \u003ca href=\"#setup\"\u003esetup\u003c/a\u003e section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Scheduled Task Execution via GPO Attribute Modification\u0026rdquo; to detect modifications to the \u003ccode\u003egPCMachineExtensionNames\u003c/code\u003e or \u003ccode\u003egPCUserExtensionNames\u003c/code\u003e attributes (rule: \u003ccode\u003eScheduled Task Execution via GPO Attribute Modification\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Scheduled Task XML File Modification in SYSVOL\u0026rdquo; to detect modifications to the ScheduledTasks.xml file in SYSVOL shares (rule: 
\u003ccode\u003eScheduled Task XML File Modification in SYSVOL\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview and validate any changes to GPOs, specifically those related to scheduled tasks, to ensure they are authorized and legitimate.\u003c/li\u003e\n\u003cli\u003eMonitor for the execution of unexpected or malicious commands originating from scheduled tasks created or modified via GPOs.\u003c/li\u003e\n\u003cli\u003eRegularly audit and review GPO configurations to identify any potential weaknesses or misconfigurations that could be exploited.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-gpo-scheduled-task-abuse/","summary":"Attackers abuse Group Policy Objects by modifying scheduled task attributes to execute malicious commands across objects controlled by the GPO, potentially leading to privilege escalation and lateral movement.","title":"GPO Scheduled Task Abuse for Privilege Escalation and Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-gpo-scheduled-task-abuse/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS STS"],"_cs_severities":["high"],"_cs_tags":["aws","privilege-escalation","lateral-movement","sts","getfederationtoken"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThe AWS Security Token Service (STS) GetFederationToken API allows for the creation of temporary security credentials for federated users. Their effective permissions are the intersection of the calling IAM user\u0026rsquo;s identity-based policies and the session policy passed in the request (an inline policy document, managed policy ARNs, or both); the session policy cannot add permissions the caller lacks, so a request that names AdministratorAccess is normally issued by a caller that already holds it and hands that full set to whatever consumes the federated credentials. This detection focuses on instances where the request parameters of GetFederationToken reference AdministratorAccess, either directly or through an equivalent string. The inclusion of AdministratorAccess within the session policy therefore grants the temporary credentials the caller\u0026rsquo;s entire privilege set rather than a scoped-down subset, potentially leading to privilege escalation or abuse. 
This scenario is often indicative of legacy systems, misconfigured tooling, or malicious intent, posing a significant risk to the security posture of AWS environments. Defenders should prioritize identifying and mitigating instances of this behavior to enforce least privilege principles and prevent unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised IAM user credentials or an exploited vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an IAM user with the necessary permissions to call the STS GetFederationToken API.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a GetFederationToken API request, including a session policy that directly references \u0026ldquo;AdministratorAccess\u0026rdquo; or includes a policy ARN that grants administrator privileges.\u003c/li\u003e\n\u003cli\u003eThe GetFederationToken API call is successfully executed, generating temporary security credentials with broad administrator permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the temporary credentials to perform privileged actions within the AWS environment, such as modifying IAM policies, accessing sensitive data, or deploying malicious resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to laterally move within the AWS environment by leveraging the newly acquired administrator privileges to compromise other resources or accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker could establish persistence by creating new IAM users or roles with elevated permissions, ensuring continued access even after the temporary credentials expire.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which could include data exfiltration, service disruption, or financial gain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete compromise of the AWS environment. An attacker with temporary administrator credentials can modify security configurations, access sensitive data, and disrupt critical services. While no specific victim counts or sectors are mentioned, the broad permissions granted by AdministratorAccess make any AWS environment vulnerable to significant damage. The risk score of 73 highlights the potential for severe impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS STS GetFederationToken with AdministratorAccess in Request\u0026rdquo; to your SIEM to detect instances of this activity (rule title).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the \u003ccode\u003eaws.cloudtrail.request_parameters\u003c/code\u003e to identify the specific policy being used (rule title).\u003c/li\u003e\n\u003cli\u003eRevoke or rotate the IAM user access keys involved in the GetFederationToken call and enforce least privilege on the user (rule description).\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for subsequent events using \u003ccode\u003eresponse_elements.credentials.accessKeyId\u003c/code\u003e from the same response to identify actions taken with the temporary credentials (rule description).\u003c/li\u003e\n\u003cli\u003eReview and update IAM policies to ensure that session policies used with GetFederationToken adhere to the principle of least privilege (rule description).\u003c/li\u003e\n\u003cli\u003eImplement automated checks to prevent the creation or modification of IAM policies that grant AdministratorAccess except in explicitly approved scenarios (rule 
description).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-aws-sts-admin-access/","summary":"Detection of AWS STS GetFederationToken calls with AdministratorAccess in the request parameters, indicating potential privilege escalation or dangerous automation via broadly privileged temporary credentials.","title":"AWS STS GetFederationToken with AdministratorAccess in Request","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-sts-admin-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["EC2","AWS CloudTrail"],"_cs_severities":["high"],"_cs_tags":["aws","privilege-escalation","lateral-movement"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis threat brief focuses on the potential for privilege escalation and lateral movement within Amazon Web Services (AWS) environments by abusing the ability to associate or replace IAM instance profiles on running EC2 instances. An attacker with the necessary permissions (\u003ccode\u003eec2:AssociateIamInstanceProfile\u003c/code\u003e or \u003ccode\u003eec2:ReplaceIamInstanceProfileAssociation\u003c/code\u003e, plus \u003ccode\u003eiam:PassRole\u003c/code\u003e on the role inside the chosen profile) can elevate the privileges of a compromised EC2 instance. This is achieved by attaching a more privileged IAM role to the instance, after which the instance metadata service hands that role\u0026rsquo;s credentials to any code running on the instance, granting the attacker access to resources and permissions beyond their initial scope. 
The event is logged in AWS CloudTrail, providing a critical detection opportunity for security teams.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised credentials or a vulnerable application.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a running EC2 instance with limited privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies or creates a more privileged IAM role that grants broader access to AWS resources.\u003c/li\u003e\n\u003cli\u003eThe attacker calls \u003ccode\u003eAssociateIamInstanceProfile\u003c/code\u003e (when the instance has no profile yet) or \u003ccode\u003eReplaceIamInstanceProfileAssociation\u003c/code\u003e (when it already has one) to attach the privileged IAM role to the target EC2 instance. This requires the EC2 permission plus \u003ccode\u003eiam:PassRole\u003c/code\u003e for that role.\u003c/li\u003e\n\u003cli\u003eThe EC2 instance\u0026rsquo;s metadata service (IMDS, 169.254.169.254) now provides credentials for the newly associated IAM role to any process on the instance.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to access sensitive data or resources, potentially including other EC2 instances, databases, or storage buckets.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the AWS environment, compromising additional resources and escalating their access.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as exfiltrating data, deploying malicious code, or disrupting services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to elevate privileges within the AWS environment, potentially leading to unauthorized access to sensitive data, lateral movement to other systems, and disruption of critical services. The impact could range from data breaches and financial losses to reputational damage and regulatory fines. 
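Both AWS briefs above (GetFederationToken with AdministratorAccess in the request, and instance-profile association or replacement on a running instance) reduce to field checks on CloudTrail records, so one added Python example serves both. It is not Elastic's rule or code from the briefs; the records are constructed, the wildcard-policy check is an interpretation of the brief's "equivalent string", and the nesting of EC2 request parameters under an `<Action>Request` key is assumed from CloudTrail's usual layout for these actions.

```python
"""Added example: the GetFederationToken and instance-profile checks over constructed
CloudTrail records. Not Elastic's rules; the EC2 requestParameters nesting is assumed."""
import json

ADMIN_MARKER = "AdministratorAccess"
PROFILE_EVENTS = {"AssociateIamInstanceProfile", "ReplaceIamInstanceProfileAssociation"}


def policy_is_wildcard_admin(doc):
    """True if any Allow statement grants Action * on Resource *: AdministratorAccess
    written out by hand rather than referenced by ARN."""
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        actions, resources = s.get("Action", []), s.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            return True
    return False


def check_federation_token(rec):
    if rec.get("eventName") != "GetFederationToken":
        return None
    params = rec.get("requestParameters") or {}
    reasons = ["policyArns:" + p["arn"] for p in params.get("policyArns") or []
               if ADMIN_MARKER in p.get("arn", "")]
    inline = params.get("policy")
    if inline:
        if ADMIN_MARKER in inline:
            reasons.append("inline policy mentions AdministratorAccess")
        try:
            doc = json.loads(inline)
        except ValueError:
            doc = None
        if doc and policy_is_wildcard_admin(doc):
            reasons.append("inline policy allows Action * on Resource *")
    if not reasons:
        return None
    creds = (rec.get("responseElements") or {}).get("credentials") or {}
    return {"rule": "sts-getfederationtoken-admin",
            "caller": rec.get("userIdentity", {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "succeeded": not rec.get("errorCode"),
            "temp_access_key": creds.get("accessKeyId"),   # pivot key: what did these creds do next?
            "reasons": reasons}


def check_instance_profile(rec):
    if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") not in PROFILE_EVENTS:
        return None
    params = rec.get("requestParameters") or {}
    inner = next((v for k, v in params.items() if k.endswith("Request")), params)  # assumed nesting
    profile = inner.get("IamInstanceProfile") or {}
    return {"rule": "ec2-instance-profile-change",
            "event": rec["eventName"],
            "caller": rec.get("userIdentity", {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "succeeded": not rec.get("errorCode"),
            "instance_id": inner.get("InstanceId"),   # absent for Replace*, which keys on AssociationId
            "profile": profile.get("Arn") or profile.get("Name")}


def run(records):
    return [a for rec in records
            for a in (check_federation_token(rec), check_instance_profile(rec)) if a]


SAMPLE_RECORDS = [  # constructed CloudTrail records, trimmed to the fields used here
    {"eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deployer"}, "sourceIPAddress": "198.51.100.20",
     "requestParameters": {"name": "deploy", "policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::deploy-bucket/*"}]})},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE000000000"}}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/legacy-automation"}, "sourceIPAddress": "203.0.113.44",
     "requestParameters": {"name": "ops", "policyArns": [{"arn": "arn:aws:iam::aws:policy/AdministratorAccess"}]},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE000000001"}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AssociateIamInstanceProfile",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/legacy-automation"}, "sourceIPAddress": "203.0.113.44",
     "requestParameters": {"AssociateIamInstanceProfileRequest": {"InstanceId": "i-0123456789abcdef0",
         "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/AdminProfile"}}},
     "responseElements": {}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/reader"}, "sourceIPAddress": "198.51.100.20",
     "requestParameters": {}},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_RECORDS):
        print(alert)
```

The scoped deploy token is left alone; the admin token alert carries the temporary access key so the follow-up search the STS brief recommends can be run on it, and the instance-profile alert carries the instance and profile for the same reason.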
Identifying and responding to these events quickly is crucial to minimizing potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS EC2 Instance Profile Associated with Running Instance\u0026rdquo; to your SIEM using AWS CloudTrail logs to detect suspicious activity.\u003c/li\u003e\n\u003cli\u003eReview and harden IAM permissions related to \u003ccode\u003eec2:AssociateIamInstanceProfile\u003c/code\u003e and \u003ccode\u003eec2:ReplaceIamInstanceProfileAssociation\u003c/code\u003e to limit who can modify instance profiles, and constrain \u003ccode\u003eiam:PassRole\u003c/code\u003e with a condition on \u003ccode\u003eiam:PassedToService\u003c/code\u003e (\u003ccode\u003eec2.amazonaws.com\u003c/code\u003e) and an explicit list of role ARNs.\u003c/li\u003e\n\u003cli\u003eEnable CloudTrail logging for all regions in your AWS account to ensure comprehensive audit coverage.\u003c/li\u003e\n\u003cli\u003eImplement least privilege principles for IAM roles assigned to EC2 instances to minimize the impact of potential privilege escalation.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the source IP address, user identity, and the IAM role associated with the instance profile.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-aws-ec2-instance-profile-association/","summary":"An attacker may escalate privileges by associating a compromised EC2 instance with a more privileged IAM instance profile.","title":"AWS EC2 Instance Profile Associated with Running Instance","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-ec2-instance-profile-association/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["psexec","lateral-movement","execution","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003ePsExec is a legitimate remote administration tool developed by Microsoft as part of the 
Sysinternals Suite, enabling the execution of commands with both regular and SYSTEM privileges on Windows systems. It works by copying a service binary, \u003ccode\u003ePSEXESVC.exe\u003c/code\u003e, to the target\u0026rsquo;s \u003ccode\u003eADMIN$\u003c/code\u003e share, installing and starting it as a service (named \u003ccode\u003ePSEXESVC\u003c/code\u003e by default) through the Service Control Manager, and talking to it over named pipes to run the requested process and return its output. While commonly used by administrators, adversaries frequently abuse PsExec for lateral movement and to execute commands as SYSTEM, which lets them tamper with or disable defenses. This detection identifies instances where the PsExec service component is executed under a custom name, for example via PsExec\u0026rsquo;s \u003ccode\u003e-r\u003c/code\u003e option, which names both the remote service and the binary it drops; the aim is to evade controls that key on the default service component name. The renamed binary still carries \u003ccode\u003epsexesvc.exe\u003c/code\u003e as the original file name in its PE version information, which is the signal a renamed-PsExec detection keys on. The rule was last updated on 2026-05-04 and covers Elastic Defend, Windows, M365 Defender, and Crowdstrike data sources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network (e.g., via phishing or exploiting a public-facing application).\u003c/li\u003e\n\u003cli\u003eThe attacker stages PsExec on the compromised host and either prepares a renamed copy of \u003ccode\u003epsexesvc.exe\u003c/code\u003e or simply passes \u003ccode\u003e-r \u0026lt;name\u0026gt;\u003c/code\u003e so the service binary is written under a custom name.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ePsExec.exe\u003c/code\u003e to initiate a remote connection to a target system over SMB with valid (stolen) administrative credentials.\u003c/li\u003e\n\u003cli\u003ePsExec copies the renamed service binary to the \u003ccode\u003eADMIN$\u003c/code\u003e share on the target system.\u003c/li\u003e\n\u003cli\u003eThe renamed binary is installed and started as a service on the remote host.\u003c/li\u003e\n\u003cli\u003eThe renamed service executes commands specified by the attacker with SYSTEM privileges.\u003c/li\u003e\n\u003cli\u003eThe results of the commands are returned to the originating system over the named pipe.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the command execution for lateral movement, data 
exfiltration, or further compromise of the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to complete compromise of the target system and potentially the entire network. By executing commands with SYSTEM privileges, attackers can disable security controls, install malware, steal sensitive data, or move laterally to other critical systems. The use of a renamed PsExec service binary is a deliberate attempt to evade name-based detection, increasing the likelihood of a successful breach.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Process Execution via Renamed PsExec Executable\u0026rdquo; to your SIEM and tune for your environment to detect the execution of renamed \u003ccode\u003epsexesvc.exe\u003c/code\u003e executables.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1), which records \u003ccode\u003eOriginalFileName\u003c/code\u003e next to \u003ccode\u003eImage\u003c/code\u003e; a service binary whose original file name is \u003ccode\u003epsexesvc.exe\u003c/code\u003e but whose image name differs is the condition the rule needs. On the target, System log Event ID 7045 (a service was installed) with a non-default service name and an image path directly under \u003ccode\u003eC:\\Windows\\\u003c/code\u003e corroborates the alert.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule promptly, focusing on the commands executed, the account used, and the target systems involved.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege to minimize the potential impact of compromised accounts; PsExec needs local administrator rights on the target, so eliminating shared local administrator credentials limits how far it can reach.\u003c/li\u003e\n\u003cli\u003eMonitor SMB activity for writes to \u003ccode\u003eADMIN$\u003c/code\u003e (Event ID 5145 with a \u003ccode\u003e\\\\*\\ADMIN$\u003c/code\u003e share name) originating from workstations or other unusual systems, which is the first observable step of a PsExec session.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-renamed-psexec/","summary":"Detects suspicious PsExec activity where the PsExec service component is executed using a custom name, indicating an attempt to evade detections that look for the default PsExec service component name.","title":"Suspicious Process Execution via Renamed PsExec 
Executable","url":"https://feed.craftedsignal.io/briefs/2024-01-renamed-psexec/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["execution","lateral-movement","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe detection rule identifies suspicious PowerShell activity related to scheduled tasks. Adversaries use the Task Scheduler to run scripts on remote hosts, facilitating lateral movement or remote discovery. The rule monitors for the Task Scheduler COM library being loaded into a PowerShell process (powershell.exe, pwsh.exe, powershell_ise.exe) followed by an outbound RPC connection, signaling potential misuse. This activity may be indicative of attackers leveraging scheduled tasks for remote execution or reconnaissance within a compromised network. The detection logic focuses on the sequence of loading \u003ccode\u003etaskschd.dll\u003c/code\u003e and then connecting to TCP port 135, the RPC Endpoint Mapper that DCOM and other RPC clients query to locate the dynamic port of the remote service (here the Task Scheduler service). A PowerShell session that only manages local tasks talks to the service over ALPC and produces no such connection, which is what makes the pair of events a useful signal.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell to drive the Task Scheduler through its COM API (for example \u003ccode\u003eNew-Object -ComObject Schedule.Service\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe PowerShell process (powershell.exe, pwsh.exe, or powershell_ise.exe) loads the \u003ccode\u003etaskschd.dll\u003c/code\u003e library, the in-process COM server for that API.\u003c/li\u003e\n\u003cli\u003eThe attacker calls \u003ccode\u003eConnect()\u003c/code\u003e with a remote host name and administrative credentials; PowerShell contacts the target\u0026rsquo;s RPC Endpoint Mapper on port 135 and is then directed to the dynamic port on which the Task Scheduler service listens.\u003c/li\u003e\n\u003cli\u003eThe attacker registers a new task, or modifies an existing one, on the remote host.\u003c/li\u003e\n\u003cli\u003eThe task is configured to execute a malicious payload, often set to run immediately.\u003c/li\u003e\n\u003cli\u003eThe payload executes on the remote host, potentially leading to lateral movement or remote discovery.\u003c/li\u003e\n\u003cli\u003eThe attacker 
achieves their objective, such as gaining control of additional systems or gathering sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized remote code execution, lateral movement within the network, and the potential compromise of sensitive data. The creation or modification of scheduled tasks can provide persistence for attackers, allowing them to maintain access to compromised systems even after reboots. The impact includes potential data breaches, system compromise, and disruption of services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 7 (Image Loaded) and Event ID 3 (Network Connection) logging to detect the specific activity described in the attack chain.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Outbound Scheduled Task Activity via PowerShell\u0026rdquo; to your SIEM and tune the \u003ccode\u003emaxspan\u003c/code\u003e value based on your environment\u0026rsquo;s typical activity patterns.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the specific PowerShell commands used and the scheduled tasks created or modified.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to port 135 originating from PowerShell processes, and correlate with other security events to identify suspicious patterns.\u003c/li\u003e\n\u003cli\u003eImplement stricter controls on the creation and modification of scheduled tasks, limiting access to authorized personnel only.\u003c/li\u003e\n\u003cli\u003eReview and clean up any unauthorized scheduled tasks on systems to prevent persistent malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-scheduled-task-powershell/","summary":"This rule detects 
PowerShell loading the Task Scheduler COM DLL followed by an outbound RPC network connection, potentially indicating lateral movement or remote discovery via scheduled tasks.","title":"Suspicious Outbound Scheduled Task Activity via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-scheduled-task-powershell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Windows","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","execution","windows","scheduled-task"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies remote scheduled task creations on a target host, which can be indicative of lateral movement. Adversaries often leverage scheduled tasks to execute malicious commands, maintain persistence, or escalate privileges. This technique is particularly effective as it uses native Windows functionality, making it harder to distinguish from legitimate administrative actions. This rule is designed for data generated by Elastic Defend and also supports third-party data sources such as SentinelOne Cloud Funnel and Sysmon. Understanding when and how scheduled tasks are created remotely is crucial for detecting and responding to potential intrusions. 
The rule focuses on incoming connections accepted by svchost.exe (the process hosting the Schedule service) and on the registry write that materialises the task\u0026rsquo;s actions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to scan the network for potential targets.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to a target Windows host using stolen credentials or by exploiting a vulnerability in a network service.\u003c/li\u003e\n\u003cli\u003eThe attacker connects to the target host\u0026rsquo;s Task Scheduler RPC interface (for example with \u003ccode\u003eschtasks.exe /S\u003c/code\u003e or the \u003ccode\u003eSchedule.Service\u003c/code\u003e COM object). After an endpoint-mapper lookup on port 135, the session lands on a dynamic port (49152+) that is accepted on the target by svchost.exe hosting the Schedule service; that incoming connection, with dynamic ports on both ends and a non-loopback source, is what the rule observes.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new scheduled task on the target system through that session.\u003c/li\u003e\n\u003cli\u003eThe creation writes \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{TaskID}\\Actions\u003c/code\u003e, a binary value holding the task\u0026rsquo;s actions (command, arguments, working directory). Sensors such as Elastic Defend report the value base64-encoded, which is the form seen in alerts.\u003c/li\u003e\n\u003cli\u003eThe scheduled task executes a malicious payload, granting the attacker further access or control over the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly gained access for lateral movement, data exfiltration, or other malicious objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive systems, data breaches, and further lateral movement within the network. 
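
Both scheduled-task briefs above describe a two-step sequence keyed on host and process: on the source side, a PowerShell process loads taskschd.dll and then connects out to port 135; on the target side, svchost.exe accepts a dynamic-port connection and then writes the TaskCache Actions value. The Python below is an added example, not either brief's rule: one generic correlator run with both pairs of predicates over constructed events, plus a UTF-16LE string extractor for the base64 Actions value. The event shape, the 60-second window and the Actions blob (a constructed fragment, not the real TaskCache layout) are assumptions.

```python
"""Sequence detections for scheduled-task lateral movement, source side and target side.

Added example, not the briefs' own rules. Events are constructed dicts in a
simplified ECS-like shape (ts, host, pid, process, category plus per-category
fields); the 60-second window, the field names and the Actions blob are
assumptions, and the blob is a constructed fragment, not the real TaskCache layout.
"""
import base64
import re
from typing import Callable, Dict, Iterable, List, Tuple

Event = Dict[str, object]
Pred = Callable[[Event], bool]


def sequence(events: Iterable[Event], first: Pred, second: Pred, maxspan: float) -> List[Tuple[Event, Event]]:
    """Pair each `second` event with the latest preceding `first` event from the
    same host and pid, if it happened within `maxspan` seconds (the shape of a
    two-step EQL sequence keyed on host.id and process.entity_id)."""
    pending: Dict[tuple, Event] = {}
    hits: List[Tuple[Event, Event]] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["pid"])
        if first(ev):
            pending[key] = ev
        elif second(ev):
            prior = pending.get(key)
            if prior is not None and ev["ts"] - prior["ts"] <= maxspan:
                hits.append((prior, ev))
    return hits


POWERSHELL = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
TASKCACHE_ACTIONS = re.compile(r"\\Schedule\\TaskCache\\Tasks\\\{[0-9A-Fa-f-]+\}\\Actions$")


# Source host: PowerShell loads the Task Scheduler COM server, then talks to a
# remote RPC endpoint mapper (a local Connect() uses ALPC and never touches TCP 135).
def ps_loads_taskschd(e: Event) -> bool:
    return e["category"] == "library" and e["process"].lower() in POWERSHELL and e["dll"].lower() == "taskschd.dll"


def ps_outbound_epm(e: Event) -> bool:
    return (e["category"] == "network" and e["process"].lower() in POWERSHELL
            and e["direction"] == "outbound" and e["dst_port"] == 135)


# Target host: svchost.exe (Schedule service) accepts an RPC session on a dynamic
# port from a non-local peer, then writes the new task's Actions value.
def svchost_incoming_dynamic(e: Event) -> bool:
    return (e["category"] == "network" and e["process"].lower() == "svchost.exe" and e["direction"] == "incoming"
            and e["src_port"] >= 49152 and e["dst_port"] >= 49152 and not e["src_ip"].startswith("127."))


def taskcache_actions_write(e: Event) -> bool:
    return e["category"] == "registry" and TASKCACHE_ACTIONS.search(e["path"]) is not None


def utf16_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Pull printable UTF-16LE runs out of the binary Actions value; the command
    and its arguments are stored that way, so this surfaces them without
    depending on the exact blob layout."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, blob)]


def _actions_blob(command: str, args: str) -> bytes:
    # Constructed stand-in for the Actions value: a version word and two
    # NUL-separated UTF-16LE strings. Real blobs carry more fields and length prefixes.
    return b"\x03\x00" + command.encode("utf-16-le") + b"\x00\x00" + args.encode("utf-16-le")


SAMPLE_EVENTS: List[Event] = [  # constructed
    # ws01: attacker's PowerShell drives Schedule.Service against srv02
    {"ts": 100.0, "host": "ws01", "pid": 4412, "process": "powershell.exe", "category": "library", "dll": "taskschd.dll"},
    {"ts": 101.5, "host": "ws01", "pid": 4412, "process": "powershell.exe", "category": "network",
     "direction": "outbound", "dst_ip": "10.0.0.20", "dst_port": 135},
    # ws01: another PowerShell that only managed local tasks (no TCP leg): no hit
    {"ts": 300.0, "host": "ws01", "pid": 5120, "process": "powershell.exe", "category": "library", "dll": "taskschd.dll"},
    # srv02: the Schedule service host accepts the session and materialises the task
    {"ts": 102.0, "host": "srv02", "pid": 1204, "process": "svchost.exe", "category": "network",
     "direction": "incoming", "src_ip": "10.0.0.11", "src_port": 51234, "dst_port": 49670},
    {"ts": 103.2, "host": "srv02", "pid": 1204, "process": "svchost.exe", "category": "registry",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0F3A9C1E-7B2D-4E55-9A10-6C1D2E3F4A5B}\Actions",
     "data": base64.b64encode(_actions_blob("cmd.exe", r"/c whoami > C:\Windows\Temp\o.txt")).decode()},
    # srv02: a loopback-originated svchost connection is excluded by the predicate
    {"ts": 400.0, "host": "srv02", "pid": 1204, "process": "svchost.exe", "category": "network",
     "direction": "incoming", "src_ip": "127.0.0.1", "src_port": 50000, "dst_port": 49670},
]


def detect(events: Iterable[Event]) -> Dict[str, list]:
    events = list(events)
    source = sequence(events, ps_loads_taskschd, ps_outbound_epm, maxspan=60)
    target = sequence(events, svchost_incoming_dynamic, taskcache_actions_write, maxspan=60)
    return {
        "source_side": [(a["host"], a["pid"], b["dst_ip"]) for a, b in source],
        "target_side": [(a["host"], b["path"], utf16_strings(base64.b64decode(b["data"]))) for a, b in target],
    }


if __name__ == "__main__":
    for side, hits in detect(SAMPLE_EVENTS).items():
        print(side, hits)
```

Tuning note: management tooling that creates tasks on remote hosts will fire both legs legitimately, so the allowlist belongs on the source host and account rather than on the sequence itself, and the target-side match is only as good as the Sysmon or EDR registry filter that lets the TaskCache\Tasks path through.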
The rule is designed to catch this activity early, reducing attacker dwell time and limiting the damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM and tune for your environment to detect malicious scheduled task creation.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 3 (Network Connection) and Sysmon registry events (Event ID 13, value set) to gain visibility into the connection and the registry write; make sure the Sysmon configuration does not filter out the \u003ccode\u003eTaskCache\\Tasks\u003c/code\u003e path (see Setup instructions).\u003c/li\u003e\n\u003cli\u003eDecode the base64-encoded \u003ccode\u003eActions\u003c/code\u003e value from the alert to see what the task runs; the command line and arguments are stored inside it as UTF-16LE strings (see rule description).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the scheduled task creation and the intent behind the configured action; remote task creation by management tooling from known servers is the usual benign source and can be allowlisted by source address.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-remote-scheduled-task-creation/","summary":"This rule identifies remote scheduled task creations on a target Windows host, potentially indicating lateral movement by adversaries, by monitoring network connections and registry modifications related to task scheduling.","title":"Detecting Remote Scheduled Task Creation for Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-scheduled-task-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["credential-access","lateral-movement","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies suspicious activity related to credential access on Windows systems. Specifically, it focuses on scenarios where an account holding SeBackupPrivilege (granted to the Backup Operators group, and also held by Administrators) remotely accesses the Windows Registry. 
Attackers can leverage this privilege to bypass the ACLs on the Security Account Manager (SAM) registry hive, which stores local account password hashes, and dump it. This activity often precedes credential access and privilege escalation attempts, where the attacker aims to extract sensitive information from the dumped SAM hive to gain unauthorized access to other systems or elevate their privileges within the network. The detection logic looks for a sequence of events: first, a special logon event listing SeBackupPrivilege, followed by a network share access event for the \u0026ldquo;winreg\u0026rdquo; named pipe.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to a system, potentially through phishing, exploiting a vulnerability, or using stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker attempts to escalate privileges on the compromised system. If the initial access does not grant SeBackupPrivilege, they may exploit vulnerabilities or misconfigurations to gain membership in the Backup Operators group or otherwise acquire the necessary privilege.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSpecial Logon:\u003c/strong\u003e The attacker authenticates to the target (for a remote dump, a network logon) using an account that holds SeBackupPrivilege. This triggers Event ID 4672 (\u0026ldquo;Special privileges assigned to new logon\u0026rdquo;, reported as \u0026ldquo;logged-in-special\u0026rdquo; by Elastic) with SeBackupPrivilege in its privilege list.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Registry Access:\u003c/strong\u003e The attacker uses remote administration tools or scripts (for example impacket\u0026rsquo;s \u003ccode\u003ereg.py \u0026lt;target\u0026gt; backup\u003c/code\u003e, which drives the Remote Registry protocol) to open the \u0026ldquo;winreg\u0026rdquo; named pipe on the target\u0026rsquo;s \u003ccode\u003eIPC$\u003c/code\u003e share. 
This triggers a file share access event (Event ID 5145) whose \u003ccode\u003eShareName\u003c/code\u003e is \u003ccode\u003e\\\\*\\IPC$\u003c/code\u003e and whose \u003ccode\u003eRelativeTargetName\u003c/code\u003e is \u003ccode\u003ewinreg\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSAM Hive Dump:\u003c/strong\u003e The attacker uses SeBackupPrivilege to bypass the hive ACLs and saves the SAM hive (and the SYSTEM hive, whose boot key is needed to decrypt it) to a location they control, either through a remote \u003ccode\u003eBaseRegSaveKey\u003c/code\u003e call pointed at an attacker SMB share or locally with \u003ccode\u003ereg save\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Extraction:\u003c/strong\u003e The attacker extracts password hashes from the dumped hives offline with tools such as impacket\u0026rsquo;s \u003ccode\u003esecretsdump.py\u003c/code\u003e or Mimikatz, then either cracks them or replays them directly (pass-the-hash).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses the extracted credentials to move laterally to other systems within the network, gaining access to additional resources and expanding their foothold.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eGoal Completion:\u003c/strong\u003e The attacker achieves their final objective, such as data exfiltration, ransomware deployment, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation compromises the local account hashes on the target and, if the SECURITY hive is taken as well, cached domain credentials and LSA secrets, enabling widespread lateral movement within the network. This could allow attackers to access sensitive data, disrupt critical services, or deploy ransomware, resulting in significant financial losses and reputational damage. Given the sensitivity of the SAM hive, even a single successful compromise can have far-reaching consequences. 
The impact is especially high where many systems share the same local administrator password, as one dumped hash can be replayed against every one of them.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable both \u0026ldquo;Audit Detailed File Share\u0026rdquo; and \u0026ldquo;Audit Special Logon\u0026rdquo; Windows audit policies to generate the necessary events for detection, as mentioned in the setup section of the original rule.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious remote registry access attempts utilizing SeBackupPrivilege, and tune them for your environment. Note that members of Administrators also receive SeBackupPrivilege, so any administrator using the Remote Registry service will match; allowlist known management accounts and source hosts rather than the privilege itself.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of SeBackupPrivilege to only those accounts that absolutely require it for legitimate backup operations, minimizing the potential attack surface.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these detections promptly to determine the scope of the compromise and take appropriate remediation steps.\u003c/li\u003e\n\u003cli\u003eMonitor for Event ID 5145 with RelativeTargetName \u0026ldquo;winreg\u0026rdquo; following Event ID 4672 listing SeBackupPrivilege for the same logon ID, the join key between the two events (see the original rule\u0026rsquo;s \u003ccode\u003equery\u003c/code\u003e field).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-sebackup-winreg-access/","summary":"Detection of remote registry access by an account with SeBackupPrivilege, potentially indicating credential exfiltration attempts via SAM registry hive dumping.","title":"Suspicious Remote Registry Access via 
SeBackupPrivilege","url":"https://feed.craftedsignal.io/briefs/2024-01-sebackup-winreg-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","threat-detection","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies the Remote Desktop Services ActiveX Client (mstscax.dll) being loaded by an unusual process on Windows systems. mstscax.dll is the RDP client engine that mstsc.exe and other sanctioned RDP clients load; attackers and their tooling can load the same DLL to open RDP sessions to other hosts from a custom client rather than the standard one. The rule flags image loads of mstscax.dll by a process whose executable lives outside the expected locations (not mstsc.exe or a known RDP client under System32 or Program Files), which can indicate a non-standard client being used for lateral movement. This detection is applicable to environments using Elastic Defend and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally using RDP.\u003c/li\u003e\n\u003cli\u003eTo drive the RDP connection, the attacker runs a custom or repurposed client (a tool dropped in a user-writable directory, for instance) that loads mstscax.dll.\u003c/li\u003e\n\u003cli\u003eThe loading process runs from a location outside the standard system paths (e.g., not C:\\Windows\\System32\\mstsc.exe).\u003c/li\u003e\n\u003cli\u003eThe system logs the image load event (Sysmon Event ID 7 or the Elastic Defend library event), capturing the process, its executable path and the DLL loaded.\u003c/li\u003e\n\u003cli\u003eThe detection rule identifies the unusual loading of mstscax.dll based on the configured criteria.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a remote desktop session to a target system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control over the target system, enabling further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can allow unauthorized access to sensitive systems and data, leading to potential data breaches, financial losses, and reputational damage. Lateral movement via RDP lets attackers expand their control within the network, compromising additional systems and escalating the impact of the attack. Early detection of an unexpected process loading mstscax.dll can stop that propagation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious RDP Client Image Load\u003c/code\u003e to your SIEM and tune the \u003ccode\u003eprocess.executable\u003c/code\u003e exclusions for your environment; third-party RDP clients and remote-support tools that embed the ActiveX control are the usual false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 7 (Image Loaded) to capture the necessary data for the Sigma rule \u003ccode\u003eSuspicious RDP Client Image Load\u003c/code\u003e to function, and include \u003ccode\u003emstscax.dll\u003c/code\u003e explicitly in the Sysmon configuration, since image loads are normally filtered heavily.\u003c/li\u003e\n\u003cli\u003eReview the process executable path in alerts to determine whether the process loading \u003ccode\u003emstscax.dll\u003c/code\u003e is a sanctioned RDP client or an unknown binary running from an unusual location.\u003c/li\u003e\n\u003cli\u003eInvestigate the network connections associated with the process (outbound TCP 3389 in particular) to identify the RDP targets and any lateral movement attempts as described in the Overview.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the ability of adversaries to move laterally within the network as described in the Overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-suspicious-rdp-client-imageload/","summary":"The rule detects suspicious loading of the Remote Desktop Services ActiveX Client (mstscax.dll) from unusual locations, potentially indicating RDP lateral movement on Windows systems.","title":"Suspicious RDP Client Image 
Load","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-rdp-client-imageload/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","machine-learning"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u0026ldquo;Spike in Remote File Transfers\u0026rdquo; detection identifies potential lateral movement activity within a network by monitoring for unusual volumes of remote file transfers. Attackers often aim to locate and exfiltrate valuable information after gaining initial access. To evade detection, they may attempt to mimic normal egress activity through numerous small transfers. This detection leverages machine learning to establish a baseline of normal transfer activity and identify deviations that may indicate malicious behavior. The rule requires the Lateral Movement Detection integration assets to be installed. For Elastic Defend events on versions 8.18 and above, \u003ccode\u003ehost.ip\u003c/code\u003e collection must be enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a host within the network through an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eInternal Reconnaissance: The attacker performs internal reconnaissance to identify valuable data and potential target systems.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses stolen credentials or exploits remote services (T1210) to gain access to other systems on the network.\u003c/li\u003e\n\u003cli\u003eTool Transfer: The attacker transfers malicious tools or scripts (T1570) to the compromised systems to facilitate further actions.\u003c/li\u003e\n\u003cli\u003eData Collection: The attacker gathers sensitive data from the compromised systems.\u003c/li\u003e\n\u003cli\u003eEgress Activity: The attacker initiates numerous small remote file 
transfers, attempting to blend in with normal network traffic.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: The attacker exfiltrates the stolen data to an external location.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful lateral movement attack involving anomalous file transfers can lead to data exfiltration, intellectual property theft, and reputational damage. Even though the severity is low, undetected lateral movement can escalate quickly into high severity incidents like ransomware or data breaches. This detection focuses on the early stages of lateral movement, allowing security teams to respond before significant damage occurs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure host IP collection is enabled in Elastic Defend configurations, following the steps in the \u003ca href=\"https://www.elastic.co/docs/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint#host-fields\"\u003ehelper guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInstall the Lateral Movement Detection integration assets as described in the setup instructions in the rule documentation.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the \u0026ldquo;Spike in Remote File Transfers\u0026rdquo; rule, paying close attention to the source and destination of the file transfers.\u003c/li\u003e\n\u003cli\u003eReview authentication logs for signs of compromised accounts, such as unusual login times or locations, as described in the rule\u0026rsquo;s triage notes.\u003c/li\u003e\n\u003cli\u003eTune the machine learning job\u0026rsquo;s anomaly threshold based on your environment\u0026rsquo;s baseline activity and false positive analysis.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-spike-remote-file-transfers/","summary":"A 
machine learning job detects an abnormal volume of remote file transfers, potentially indicating lateral movement by attackers attempting to blend in with normal network egress activity.","title":"Spike in Remote File Transfers via Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-spike-remote-file-transfers/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["credential-access","lateral-movement","exfiltration","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis threat brief addresses the potential exfiltration of Windows registry hives via SMB shares, a tactic often employed after credential dumping. Attackers target sensitive hives like the Security Account Manager (SAM) to extract local account password hashes. By copying these hives to another system, they move the cracking or hash reuse off the compromised host and away from its local detections. The Elastic detection rule \u003ccode\u003ea4c7473a-5cb4-4bc1-9d06-e4a75adbc494\u003c/code\u003e identifies the creation or modification of registry hive files (recognised by the \u0026ldquo;regf\u0026rdquo; header) exceeding 30KB on SMB shares, specifically when the writing process is the SYSTEM process (PID 4) and the user context is an ordinary domain or local account (SID prefix S-1-5-21) or an Entra ID account (SID prefix S-1-12-1). That combination means the SMB server on the monitored host wrote the file on behalf of an authenticated remote client, so the rule fires on the host that receives the hive: it catches hives staged onto internal file servers, jump hosts or domain controller shares, not writes to an unmonitored attacker machine. This behavior raises suspicion, particularly when observed outside expected file paths. 
Defenders should monitor for this activity as it often precedes lateral movement and further compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to SYSTEM or a similar high-privilege account (local administrator is enough for \u003ccode\u003ereg save\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker dumps the SAM hive, e.g. with \u003ccode\u003ereg save HKLM\\SAM sam.hive\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ereg save HKLM\\SYSTEM system.hive\u003c/code\u003e to extract the SYSTEM registry hive, whose boot key is required to decrypt the SAM secrets.\u003c/li\u003e\n\u003cli\u003eThe attacker connects to a remote SMB share (e.g., \u003ccode\u003e\\\\attacker.example.com\\share\u003c/code\u003e, or a share on an internal host they also control) from the compromised host and copies the hives there.\u003c/li\u003e\n\u003cli\u003eOn the host that owns the share, the SYSTEM process (PID 4) creates or modifies the file under the remote user\u0026rsquo;s security context; the sensor identifies it as a registry hive by its \u0026ldquo;regf\u0026rdquo; header.\u003c/li\u003e\n\u003cli\u003eThe file is larger than 30KB; a real SAM or SYSTEM hive is far above that threshold, which exists to drop tiny regf fragments and test files.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the exfiltrated SAM and SYSTEM hives to extract user credentials offline, facilitating lateral movement or further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exfiltration of registry hives can lead to widespread credential compromise, enabling attackers to move laterally within the network, access sensitive data, and potentially achieve domain dominance. The impact includes unauthorized access to critical systems, data breaches, and significant disruption of business operations. 
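
The server-side check the brief describes (regf header, size threshold, PID 4, remote user SID) as an added Python example rather than Elastic's rule: constructed file events are classified with an assumed roaming-profile path exclusion, and the header-and-size check is also run on a constructed file on disk to show what the sensor actually reads. The share paths, SIDs and sizes are made up.

```python
"""Classify file events on a monitored SMB server for registry hives written by remote users.

Added example, not Elastic rule a4c7473a-5cb4-4bc1-9d06-e4a75adbc494. SAMPLE_EVENTS
are constructed; the field names and the allowlisted share path are assumptions.
"""
import os
import tempfile
from typing import Dict, Iterable, List, Union

REGF_MAGIC = b"regf"
MIN_SIZE = 30_000                                          # the rule's threshold
REMOTE_USER_SID_PREFIXES = ("S-1-5-21-", "S-1-12-1-")     # domain/local and Entra ID users
# Roaming-profile shares receive NTUSER.DAT (also a regf file, also via PID 4) all day.
EXPECTED_PATH_PREFIXES = ("e:\\profiles\\",)              # assumed profile share root


def looks_like_hive(header: Union[bytes, str]) -> bool:
    """Accept raw header bytes or the hex string sensors emit (Elastic: file.Ext.header_bytes)."""
    if isinstance(header, str):
        header = bytes.fromhex(header[:8])
    return header[:4] == REGF_MAGIC


def suspicious_hive_write(ev: Dict) -> bool:
    return (ev["event_type"] in ("creation", "modification")
            and ev["pid"] == 4                      # written by the SMB server on behalf of a client
            and str(ev["user_sid"]).startswith(REMOTE_USER_SID_PREFIXES)
            and looks_like_hive(ev["header"])
            and ev["size"] >= MIN_SIZE
            and not ev["path"].lower().startswith(EXPECTED_PATH_PREFIXES))


def scan(events: Iterable[Dict]) -> List[str]:
    return [ev["path"] for ev in events if suspicious_hive_write(ev)]


def inspect_file(path: str) -> Dict:
    """What an endpoint sensor does for the header/size part: read the first bytes and stat."""
    with open(path, "rb") as fh:
        header = fh.read(4)
    size = os.path.getsize(path)
    return {"header": header, "size": size, "is_hive": looks_like_hive(header) and size >= MIN_SIZE}


def demo_file_check() -> Dict:
    """Write a constructed 48 KiB regf-headed file and inspect it (no real hive is touched)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sam.hive")
        with open(path, "wb") as fh:
            fh.write(REGF_MAGIC + b"\x00" * (48 * 1024 - 4))
        return inspect_file(path)


SAMPLE_EVENTS = [  # constructed
    {"event_type": "creation", "pid": 4, "user_sid": "S-1-5-21-1111-2222-3333-1107",
     "path": r"E:\Shares\transfer\sam.hive", "header": "72656766000000", "size": 49152},     # hit
    {"event_type": "creation", "pid": 4, "user_sid": "S-1-5-21-1111-2222-3333-1107",
     "path": r"E:\Shares\transfer\system.hive", "header": b"regf\x00\x00", "size": 14_000_000},  # hit
    {"event_type": "modification", "pid": 4, "user_sid": "S-1-5-21-1111-2222-3333-1108",
     "path": r"E:\Profiles\alice.V6\NTUSER.DAT", "header": "72656766", "size": 1_500_000},  # roaming profile
    {"event_type": "creation", "pid": 4, "user_sid": "S-1-5-18",
     "path": r"C:\Windows\Temp\x.dat", "header": "72656766", "size": 60_000},             # local SYSTEM, no client
    {"event_type": "creation", "pid": 5120, "user_sid": "S-1-5-21-1111-2222-3333-1107",
     "path": r"C:\Users\Public\sam", "header": "72656766", "size": 49152},                # local reg.exe save
    {"event_type": "creation", "pid": 4, "user_sid": "S-1-5-21-1111-2222-3333-1107",
     "path": r"E:\Shares\transfer\notes.txt", "header": "6e6f7465", "size": 90_000},      # not a hive
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
    print(demo_file_check())
```

The local `reg.exe` save in the sample is deliberately not matched: its writer is reg.exe's own PID, so it belongs to a process-based rule on the endpoint, while this check only sees the copy arriving on the share host.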
The number of affected systems directly correlates with how widely the dumped credentials are reused across the estate.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Elastic detection rule \u003ccode\u003ea4c7473a-5cb4-4bc1-9d06-e4a75adbc494\u003c/code\u003e or the Sigma rules provided in this brief to your SIEM and tune for your environment to detect registry hive exfiltration attempts; roaming-profile shares, which receive \u003ccode\u003eNTUSER.DAT\u003c/code\u003e (also a regf file) through the same PID 4 path, are the main source of benign matches and should be excluded by path.\u003c/li\u003e\n\u003cli\u003eEnable file creation and modification logging on SMB file servers, focusing on events associated with the SYSTEM process and registry hive file signatures, to increase visibility; the rule needs a sensor that captures file header bytes, not just file names.\u003c/li\u003e\n\u003cli\u003eReview and harden SMB share permissions to restrict where authenticated users can write, and alert separately on \u003ccode\u003ereg.exe save\u003c/code\u003e of \u003ccode\u003eHKLM\\SAM\u003c/code\u003e or \u003ccode\u003eHKLM\\SYSTEM\u003c/code\u003e on endpoints, since a local dump with reg.exe is not a PID 4 write and is not covered by this rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules promptly, focusing on identifying the source host, the user account involved, and the destination SMB share.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for remote and administrative access to mitigate the impact of credential theft; because NTLM hash replay bypasses password-based controls, also deploy LAPS so local administrator hashes are unique per host.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-smb-registry-exfiltration/","summary":"Detection of medium-sized registry hive files being created or modified on Server Message Block (SMB) shares, potentially indicating exfiltration of Security Account Manager (SAM) data for credential extraction.","title":"SMB Registry Hive Exfiltration","url":"https://feed.craftedsignal.io/briefs/2024-01-smb-registry-exfiltration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["lateral-movement","defense-impairment","persistence","rpc"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief focuses on detecting lateral movement attempts that leverage remote 
procedure calls (RPC) to modify registry keys on target systems. The technique abuses the Windows Remote Registry Protocol (MS-RRP), reached over the \u003ccode\u003ewinreg\u003c/code\u003e named pipe, to achieve persistence or execute arbitrary code. Defenders can use RPC Firewall logs to identify and block this activity, specifically by monitoring for calls to the MS-RRP interface with the operation numbers that write to the registry. This activity is often associated with post-exploitation phases, where attackers attempt to gain a foothold and expand their control within a network. The RPC Firewall detailed in this brief allows for monitoring and blocking of this behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system within the network (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker discovers accessible target systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker binds to the target system\u0026rsquo;s Remote Registry interface (UUID 338cd001-2244-31f1-aaaa-900038001003) over SMB, which requires the RemoteRegistry service to be available (it is trigger-started on demand on client editions of Windows) and administrative credentials for write access.\u003c/li\u003e\n\u003cli\u003eThe attacker issues RPC calls with operation numbers 6, 7, 8, 13, 18, 19, 21, 22, 23, or 35, which correspond to BaseRegCreateKey, BaseRegDeleteKey, BaseRegDeleteValue, BaseRegLoadKey, BaseRegReplaceKey, BaseRegRestoreKey, BaseRegSetKeySecurity, BaseRegSetValue, BaseRegUnLoadKey and BaseRegDeleteKeyEx: the operations that change the remote registry rather than read it.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies registry keys related to startup programs or services (Run keys, service \u003ccode\u003eImagePath\u003c/code\u003e values and similar).\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the execution of malicious code through the modified registry keys, achieving persistence.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes, allowing the attacker to perform actions such as data exfiltration or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to achieve persistence, escalate privileges, and move laterally within the network. 
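
Triaging RPC Firewall records for the MS-RRP interface, as an added Python example that is neither the brief's Sigma rule nor RPC Firewall code: the brief's write opnums are mapped to their MS-RRP operation names, the hive-save opnums 20 and 31 (BaseRegSaveKey and BaseRegSaveKeyEx, the calls behind remote SAM dumps) are tracked as a separate class, and records are grouped per client. The records and their field names are constructed assumptions about the log format; the allowlisted writer address is hypothetical.

```python
"""Triage RPC Firewall audit records for MS-RRP (Remote Registry) calls.

Added example, not the brief's Sigma rule and not RPC Firewall code. SAMPLE_RECORDS
are constructed and their field names are assumptions about the RPC Firewall log;
the opnum-to-operation table is taken from the MS-RRP interface definition.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

WINREG_UUID = "338cd001-2244-31f1-aaaa-900038001003"

# MS-RRP opnums (partial). The brief's list covers the write path; 20/31 are how
# remote hive dumps are taken and are worth auditing alongside it.
MSRRP_OPS = {
    2: "OpenLocalMachine", 6: "BaseRegCreateKey", 7: "BaseRegDeleteKey", 8: "BaseRegDeleteValue",
    13: "BaseRegLoadKey", 15: "BaseRegOpenKey", 17: "BaseRegQueryValue", 18: "BaseRegReplaceKey",
    19: "BaseRegRestoreKey", 20: "BaseRegSaveKey", 21: "BaseRegSetKeySecurity", 22: "BaseRegSetValue",
    23: "BaseRegUnLoadKey", 31: "BaseRegSaveKeyEx", 35: "BaseRegDeleteKeyEx",
}
WRITE_OPNUMS = {6, 7, 8, 13, 18, 19, 21, 22, 23, 35}   # the brief's detection set
DUMP_OPNUMS = {20, 31}                                 # added here: hive save to a path
# Hosts allowed to write the registry remotely (assumed: the configuration-management server).
ALLOWED_WRITERS = {"10.0.0.5"}


def classify(rec: Dict) -> Dict:
    """Label one RPC Firewall record with the MS-RRP operation name and a verdict."""
    out = dict(rec)
    out["operation"] = MSRRP_OPS.get(rec["opnum"], "opnum%d" % rec["opnum"])
    if rec["interface_uuid"].lower() != WINREG_UUID:
        out["verdict"] = "ignore"                      # some other interface (svcctl, samr, ...)
    elif rec["opnum"] in WRITE_OPNUMS:
        out["verdict"] = "allowed-writer" if rec["client_ip"] in ALLOWED_WRITERS else "remote-registry-write"
    elif rec["opnum"] in DUMP_OPNUMS:
        out["verdict"] = "remote-hive-dump"
    else:
        out["verdict"] = "read"
    return out


def summarize(records: Iterable[Dict]) -> Dict[str, Dict[str, int]]:
    """Per client IP, counts of the suspicious operations seen; empty means nothing to chase."""
    by_client: Dict[str, List[str]] = defaultdict(list)
    for rec in map(classify, records):
        if rec["verdict"] in ("remote-registry-write", "remote-hive-dump"):
            by_client[rec["client_ip"]].append(rec["operation"])
    return {ip: dict(Counter(ops)) for ip, ops in by_client.items()}


SAMPLE_RECORDS = [  # constructed
    {"client_ip": "10.0.0.11", "interface_uuid": WINREG_UUID, "opnum": 2},    # OpenLocalMachine
    {"client_ip": "10.0.0.11", "interface_uuid": WINREG_UUID, "opnum": 15},   # BaseRegOpenKey
    {"client_ip": "10.0.0.11", "interface_uuid": WINREG_UUID, "opnum": 22},   # BaseRegSetValue
    {"client_ip": "10.0.0.11", "interface_uuid": WINREG_UUID, "opnum": 22},   # BaseRegSetValue
    {"client_ip": "10.0.0.11", "interface_uuid": WINREG_UUID, "opnum": 20},   # BaseRegSaveKey: hive dump
    {"client_ip": "10.0.0.5",  "interface_uuid": WINREG_UUID, "opnum": 22},   # config management: allowed
    {"client_ip": "10.0.0.30", "interface_uuid": WINREG_UUID, "opnum": 17},   # a read: monitoring agent
    {"client_ip": "10.0.0.11", "interface_uuid": "367abb81-9844-35f1-ad32-98f038001003", "opnum": 12},  # svcctl
]

if __name__ == "__main__":
    for ip, ops in summarize(SAMPLE_RECORDS).items():
        print(ip, ops)
```

Run RPC Firewall in audit-only mode on the interface first and review the per-client summary for a few weeks before turning the write opnums into block rules: configuration-management and inventory tools use the Remote Registry legitimately, and a block rule without the allowlist breaks them silently.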
This can lead to data theft, system compromise, and disruption of services. If lateral movement succeeds, attackers can gain control over critical assets, leading to significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInstall and configure RPC Firewall on all critical systems, auditing RPC calls to the Registry Remote Protocol interface (UUID 338cd001-2244-31f1-aaaa-900038001003) as described in the \u003ccode\u003edefinition\u003c/code\u003e within the \u003ccode\u003elogsource\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect anomalous RPC calls related to registry modification as outlined in the \u003ccode\u003edetection\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eInvestigate and block any identified malicious RPC connections using RPC Firewall based on the logs generated and reviewed from the deployed Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-remote-registry-lateral-movement/","summary":"This brief details detection of lateral movement attempts using remote RPC calls to modify the registry, potentially leading to code execution, detected via RPC Firewall logs.","title":"Remote Registry Lateral Movement via RPC Firewall","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-registry-lateral-movement/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Firewall","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","lateral-movement","windows","netsh","rdp"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers can leverage the native Windows command-line tool 
\u003ccode\u003enetsh.exe\u003c/code\u003e to modify Windows Firewall rules and enable inbound Remote Desktop Protocol (RDP) connections. This can be used as a defense evasion technique to bypass existing firewall restrictions, allowing them to establish remote access to a compromised host. Ransomware operators and other malicious actors frequently utilize RDP to access victim servers, often using privileged accounts, to further their objectives. This activity can be conducted post-compromise to facilitate lateral movement and the deployment of malicious payloads. The behavior was observed being detected by Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Crowdstrike.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a Windows host through initial access methods (e.g., phishing, exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the system and escalates privileges as needed.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e with specific arguments to modify the Windows Firewall configuration.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enetsh\u003c/code\u003e command creates or modifies an inbound rule to allow RDP traffic (TCP port 3389).\u003c/li\u003e\n\u003cli\u003eThe attacker establishes an RDP connection to the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RDP session to perform reconnaissance, move laterally, or deploy malware.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to disable or modify security tools to further evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can lead to unauthorized remote access 
to systems, enabling lateral movement, data theft, and ransomware deployment. If RDP is enabled on a large number of systems, the attacker can move laterally through the environment. The impact can range from data breaches to complete operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003enetsh.exe\u003c/code\u003e executing with arguments related to enabling inbound RDP traffic using the \u0026ldquo;Remote Desktop Enabled in Windows Firewall by Netsh\u0026rdquo; rule.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule provided below to detect instances of \u003ccode\u003enetsh.exe\u003c/code\u003e being used to modify firewall rules related to RDP.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege and restrict the use of \u003ccode\u003enetsh.exe\u003c/code\u003e to authorized personnel only.\u003c/li\u003e\n\u003cli\u003eReview existing firewall rules and remove any unnecessary or overly permissive rules.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging for enhanced visibility into process execution events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-netsh-rdp-enable/","summary":"Adversaries may use the `netsh.exe` utility to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall, potentially allowing unauthorized remote access to compromised systems.","title":"Netsh Used to Enable Remote Desktop Protocol (RDP) in Windows Firewall","url":"https://feed.craftedsignal.io/briefs/2024-01-netsh-rdp-enable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud 
Funnel"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","data-exfiltration","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Crowdstrike","Microsoft","SentinelOne"],"content_html":"\u003cp\u003eThe threat involves the abuse of the legitimate Windows \u003ccode\u003enet.exe\u003c/code\u003e utility to mount remote shares, including hidden (e.g., administrative shares) and WebDav shares. This activity may signal lateral movement within a network, preparation for data exfiltration, or initial access through reconnaissance of available network resources. The detection focuses on identifying specific command-line patterns used with \u003ccode\u003enet.exe\u003c/code\u003e to mount these shares. While the primary data source for the detection rule is Elastic Defend, it also supports data from CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs. This activity can be masked within normal administrative functions, so tuning and baselining are important.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised system through various means (e.g., phishing, exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enet.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e to discover available network shares, identifying potential targets for lateral movement or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003enet.exe\u003c/code\u003e to attempt to mount a hidden or WebDav share, often using stolen credentials or exploiting existing permissions. 
The command includes \u003ccode\u003euse\u003c/code\u003e and specifies a share path like \u003ccode\u003e\\\\\\\\\u0026lt;server\u0026gt;\\\u0026lt;share\u0026gt;\u003c/code\u003e or \u003ccode\u003ehttp(s)://\u0026lt;server\u0026gt;/\u0026lt;share\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker gains access to the remote share, potentially browsing its contents to identify valuable data or resources.\u003c/li\u003e\n\u003cli\u003eThe attacker copies sensitive data from the remote share to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker stages the exfiltrated data on the compromised system, preparing it for transfer to an external location.\u003c/li\u003e\n\u003cli\u003eThe attacker uses another tool or protocol (e.g., FTP, SCP, web upload) to exfiltrate the data to a destination controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker cleans up any traces of their activity on the compromised system and the remote share, attempting to avoid detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to unauthorized access to sensitive data, lateral movement to other systems, and ultimately, data exfiltration. The mounting of hidden shares gives the attacker the ability to move laterally and escalate their privileges. Depending on the data stored on the shares, data breaches and financial losses are possible. 
Targeted sectors are broad, as \u003ccode\u003enet.exe\u003c/code\u003e is a standard Windows utility.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Mounting Hidden or WebDav Remote Shares\u0026rdquo; rule to your SIEM, tuning it for your environment to minimize false positives and detect suspicious activity.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture detailed information about process executions, including \u003ccode\u003enet.exe\u003c/code\u003e and its command-line arguments as outlined in the rule description.\u003c/li\u003e\n\u003cli\u003eInvestigate and validate any alerts generated by the \u0026ldquo;Mounting Hidden or WebDav Remote Shares\u0026rdquo; rule, focusing on the process details, arguments, and associated user accounts, as suggested in the rule\u0026rsquo;s triage and analysis section.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit lateral movement possibilities, mitigating the potential impact of successful share mounting as mentioned in the response and remediation steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-mount-remote-shares/","summary":"Adversaries may leverage the `net.exe` utility to mount WebDav or hidden remote shares, potentially indicating lateral movement, data exfiltration preparation, or initial access via discovery of accessible shares.","title":"Mounting of Hidden or WebDav Remote Shares via Net Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-02-mount-remote-shares/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defend for Containers"],"_cs_severities":["high"],"_cs_tags":["container","kubeletctl","lateral-movement","execution"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis rule detects the execution 
of \u003ccode\u003ekubeletctl\u003c/code\u003e inside a container. Kubeletctl is a command-line tool that interacts with the Kubelet API directly, making the often undocumented API more accessible. Attackers may use it to enumerate the Kubelet API or other resources within the container, potentially indicating lateral movement within the pod. The detection is based on the \u0026ldquo;Defend for Containers\u0026rdquo; integration (version 9.3.0 and later) within the Elastic stack. This activity is significant because \u003ccode\u003ekubeletctl\u003c/code\u003e can expose pod and node details, enabling actions that facilitate discovery and lateral movement from a compromised container.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a container, possibly through a vulnerability in the containerized application or a misconfigured Kubernetes environment.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ekubeletctl\u003c/code\u003e inside the compromised container. 
This could be facilitated by the tool being present in the container image or downloaded post-compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ekubeletctl scan\u003c/code\u003e to discover Kubelet endpoints within the Kubernetes cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages \u003ccode\u003ekubeletctl pods\u003c/code\u003e or \u003ccode\u003ekubeletctl runningpods\u003c/code\u003e to enumerate running pods and their details.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the discovered pod information to identify potential targets for lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to use \u003ccode\u003ekubeletctl exec\u003c/code\u003e or \u003ccode\u003ekubeletctl attach\u003c/code\u003e to gain access to other pods within the cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to port forward using \u003ccode\u003ekubeletctl portForward\u003c/code\u003e to establish connections to services running in other pods.\u003c/li\u003e\n\u003cli\u003eUpon successful lateral movement, the attacker performs further reconnaissance or deploys malicious payloads to achieve their objectives, such as data exfiltration or denial-of-service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of \u003ccode\u003ekubeletctl\u003c/code\u003e within a container can lead to the exposure of sensitive information about the Kubernetes cluster, including pod details and internal network configurations. This can enable attackers to move laterally within the cluster, potentially compromising other applications and data. 
The impact could range from data breaches and service disruptions to full cluster compromise depending on the attacker\u0026rsquo;s objectives and the scope of the compromised container\u0026rsquo;s access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect the execution of \u003ccode\u003ekubeletctl\u003c/code\u003e within containers based on process name and arguments.\u003c/li\u003e\n\u003cli\u003eMonitor container network activity for connections to node addresses on Kubelet ports (commonly 10250/10255) and investigate any suspicious patterns.\u003c/li\u003e\n\u003cli\u003eImplement network policies to restrict pod-to-node access to the Kubelet API.\u003c/li\u003e\n\u003cli\u003eHarden container images by removing unnecessary tools like \u003ccode\u003ekubeletctl\u003c/code\u003e and enforce least privilege principles.\u003c/li\u003e\n\u003cli\u003eEnable and review Kubernetes audit logs to identify the source of interactive sessions into containers, correlating with timestamps of \u003ccode\u003ekubeletctl\u003c/code\u003e execution.\u003c/li\u003e\n\u003cli\u003eEnforce Pod Security Standards to restrict privileged pods and limit node API exposure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-kubeletctl-container-execution/","summary":"This rule detects the execution of kubeletctl inside a container, which can be used to enumerate the Kubelet API or other resources inside the container, potentially indicating lateral movement attempts within the pod.","title":"Kubeletctl Execution Inside Container Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-kubeletctl-container-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active 
Directory"],"_cs_severities":["high"],"_cs_tags":["azuread","identity-protection","impossible-travel","account-compromise","lateral-movement"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis rule detects \u0026ldquo;impossible travel\u0026rdquo; events within Azure Active Directory (Azure AD), a common indicator of account compromise. The scenario involves a user account exhibiting login activity from two geographically distant locations in a timeframe that makes physical travel between them impossible. This anomalous behavior often signifies that an attacker has gained unauthorized access to the account and is operating from a different location than the legitimate user. The rule leverages Azure AD Identity Protection\u0026rsquo;s risk detection capabilities to identify such instances. This detection is crucial for defenders as it highlights potential breaches and enables swift remediation actions to prevent further damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a user\u0026rsquo;s credentials, potentially through phishing (T1566), credential stuffing, or malware.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to Azure AD from a geographic location different from the legitimate user\u0026rsquo;s typical location.\u003c/li\u003e\n\u003cli\u003eShortly after the initial authentication, the legitimate user authenticates to Azure AD from their usual location.\u003c/li\u003e\n\u003cli\u003eAzure AD Identity Protection flags the activity as \u0026ldquo;impossible travel\u0026rdquo; due to the conflicting geographic locations and the short timeframe between the authentications.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;impossibleTravel\u0026rdquo; risk event is logged within Azure AD\u0026rsquo;s risk detection logs.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to escalate privileges within the compromised 
account (T1068) to gain broader access to resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may move laterally within the organization (T1021) to access sensitive data or systems.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s ultimate goal could be data exfiltration, financial theft, or disruption of services, depending on the organization\u0026rsquo;s profile.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful \u0026ldquo;impossible travel\u0026rdquo; attack can lead to a full compromise of the user\u0026rsquo;s account, granting the attacker access to sensitive data, internal systems, and other resources accessible to the user. Depending on the user\u0026rsquo;s role and permissions, the impact could range from data breaches to financial losses and significant reputational damage. Organizations in all sectors are vulnerable, with a higher risk for those handling sensitive data or operating critical infrastructure. 
The number of affected users depends on the attacker\u0026rsquo;s ability to move laterally and escalate privileges after compromising the initial account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u0026ldquo;impossible travel\u0026rdquo; events flagged by Azure AD Identity Protection, focusing on the \u003ccode\u003eriskEventType: 'impossibleTravel'\u003c/code\u003e (logsource: azure, service: riskdetection).\u003c/li\u003e\n\u003cli\u003eInvestigate any triggered alerts promptly, focusing on the user account involved and the geographic locations of the login attempts (logsource: azure, service: riskdetection).\u003c/li\u003e\n\u003cli\u003eReview and enhance user training programs to educate employees on the risks of phishing and credential compromise (T1566).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all users to mitigate the risk of unauthorized access even if credentials are compromised (T1110).\u003c/li\u003e\n\u003cli\u003eReview and adjust the sensitivity of Azure AD Identity Protection\u0026rsquo;s risk detection policies to align with your organization\u0026rsquo;s risk tolerance.\u003c/li\u003e\n\u003cli\u003eConsider implementing conditional access policies that restrict access based on geographic location or require MFA for logins from unfamiliar locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-impossible-travel/","summary":"This brief describes the detection of 'impossible travel' events in Azure AD, where a user appears to log in from geographically distant locations within an implausibly short time frame, potentially indicating account compromise.","title":"Impossible Travel Detection in Azure 
AD","url":"https://feed.craftedsignal.io/briefs/2024-01-impossible-travel/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["SCCM"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Pella Corporation","AdminArsenal","ESET","Veeam"],"content_html":"\u003cp\u003eThis detection rule identifies the remote execution of Windows services over Remote Procedure Call (RPC), a technique often employed for lateral movement within a network. The rule focuses on correlating network connections initiated by \u003ccode\u003eservices.exe\u003c/code\u003e with subsequent child process creation events. While this activity can be a legitimate function of administrators using remote management tools, it also represents a potential attack vector. The rule aims to strike a balance between detecting malicious activity and minimizing false positives arising from routine administrative tasks. The detection logic is based on identifying network connections to \u003ccode\u003eservices.exe\u003c/code\u003e followed by the creation of child processes that are not commonly associated with legitimate service management. 
The rule requires the use of Elastic Defend or Sysmon for adequate logging coverage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a connection to the target system\u0026rsquo;s \u003ccode\u003eservices.exe\u003c/code\u003e process over RPC using a high port (\u0026gt;= 49152).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established RPC connection to create or start a new service on the remote system.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eservices.exe\u003c/code\u003e process on the remote system spawns a child process related to the newly created or started service.\u003c/li\u003e\n\u003cli\u003eThis new process executes the attacker\u0026rsquo;s payload, potentially granting further access or executing malicious commands.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly executed service for persistent access or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could result in unauthorized access to sensitive data, disruption of critical services, or the deployment of ransomware. Lateral movement allows attackers to compromise multiple systems within the network, escalating the impact of the initial breach. 
Due to the nature of the technique, it can be challenging to distinguish between legitimate administrative activity and malicious actions, leading to delayed detection and increased dwell time for attackers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM and tune the filters for known-good executables in your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation (Event ID 1) and network connection (Event ID 3) logging to ensure the required data for the Sigma rules is available.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by these rules, focusing on the parent process and network connection details associated with the spawned child process.\u003c/li\u003e\n\u003cli\u003eConsider excluding known remote management tools from triggering the detection by adding exceptions based on \u003ccode\u003eprocess.executable\u003c/code\u003e or \u003ccode\u003eprocess.args\u003c/code\u003e in the Sigma rules.\u003c/li\u003e\n\u003cli\u003eMonitor the network for unusual RPC activity, especially connections to \u003ccode\u003eservices.exe\u003c/code\u003e from unexpected source IPs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-remote-service-execution/","summary":"Detection of remote execution of Windows services over RPC by correlating `services.exe` network connections and spawned child processes, potentially indicating lateral movement.","title":"Remote Execution of Windows Services via RPC","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-service-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","threat-detection","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief 
addresses the detection of high variance in Remote Desktop Protocol (RDP) session durations using machine learning. The detection, implemented in Elastic Security\u0026rsquo;s Lateral Movement Detection integration, aims to identify anomalous RDP usage patterns that may indicate malicious activity. Adversaries might establish long RDP sessions to maintain persistence and move laterally within a network. The prebuilt Elastic ML job \u0026ldquo;lmd_high_var_rdp_session_duration_ea\u0026rdquo; analyzes RDP session data to identify unusual deviations in session lengths, which could signify unauthorized access or malicious exploitation of compromised systems. The rule is triggered when the anomaly score exceeds a threshold of 70. Defenders should investigate any alerts generated by this rule to determine if the RDP sessions are legitimate or indicative of malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a system via phishing or exploiting a vulnerability (not detailed in the source).\u003c/li\u003e\n\u003cli\u003eRDP Enabled: The attacker enables RDP on the compromised host or utilizes existing RDP configurations.\u003c/li\u003e\n\u003cli\u003eCredential Theft: The attacker steals credentials from the initially compromised system (not detailed in the source).\u003c/li\u003e\n\u003cli\u003eLateral Movement: Using the stolen credentials, the attacker establishes an RDP session to another host within the network.\u003c/li\u003e\n\u003cli\u003eSession Persistence: The attacker maintains a long and variable RDP session to the target host, potentially evading detection mechanisms.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker attempts to escalate privileges on the target host to gain further control (not detailed in the source).\u003c/li\u003e\n\u003cli\u003eData Exfiltration/Malware Deployment: The attacker uses the established 
RDP session to exfiltrate sensitive data or deploy malware to other systems (not detailed in the source).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, lateral movement within the network, and potential deployment of malware or ransomware. While the exact number of potential victims is unknown, organizations that heavily rely on RDP for remote access are particularly vulnerable. This can disrupt business operations, lead to data breaches, and cause significant financial losses. The low severity of this rule reflects its nature as an anomaly detection rather than a signature-based detection of confirmed malicious activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure \u003ccode\u003ehost.ip\u003c/code\u003e field is populated for Elastic Defend events by following the \u003ca href=\"https://www.elastic.co/docs/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint#host-fields\"\u003ehelper guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInstall the Lateral Movement Detection integration assets as described in the setup section of the rule.\u003c/li\u003e\n\u003cli\u003eReview and tune the anomaly threshold in the \u0026ldquo;High Variance in RDP Session Duration\u0026rdquo; rule in Elastic to minimize false positives based on your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026ldquo;High Variance in RDP Session Duration\u0026rdquo; rule by following the triage steps outlined in the rule\u0026rsquo;s note section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-high-rdp-variance/","summary":"A machine learning job has detected unusually high variance of RDP session duration, potentially indicating lateral 
movement and session persistence by threat actors.","title":"High Variance in RDP Session Duration Detected via Machine Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-high-rdp-variance/"}],"language":"en","title":"CraftedSignal Threat Feed — Lateral Movement","version":"https://jsonfeed.org/version/1.1"}