{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/living-off-the-land/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Crowdstrike Dashboard"],"_cs_severities":["high"],"_cs_tags":["living-off-the-land","rtr","script-execution"],"_cs_type":"advisory","_cs_vendors":["Splunk","CrowdStrike"],"content_html":"\u003cp\u003eThis threat brief addresses the abuse of Crowdstrike Real Time Response (RTR) functionality to execute arbitrary commands on managed hosts. Attackers with access to a Crowdstrike Dashboard can use the \u0026ldquo;runscript\u0026rdquo; command to execute scripts, often PowerShell, on remote systems. This is particularly concerning because it allows attackers to leverage a trusted platform for malicious purposes, potentially bypassing traditional security controls. PowerShell\u0026rsquo;s \u003ccode\u003e-EncodedCommand\u003c/code\u003e switch takes the script as Base64-encoded UTF-16LE text, so the script body never appears in cleartext on the command line and keyword matching on process-creation events misses it unless the argument is decoded first. 
This technique has been observed in past campaigns where threat actors target SaaS applications, highlighting the potential for significant impact on organizations relying on these services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains unauthorized access to the Crowdstrike Dashboard (for example with phished or stolen console credentials).\u003c/li\u003e\n\u003cli\u003eAttacker uses the RTR \u0026ldquo;runscript\u0026rdquo; command to initiate a PowerShell script execution on a target host.\u003c/li\u003e\n\u003cli\u003eThe RTR process spawns \u003ccode\u003edllhost.exe\u003c/code\u003e to execute the script.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003edllhost.exe\u003c/code\u003e initiates \u003ccode\u003epowershell.exe\u003c/code\u003e with encoded command parameters (\u003ccode\u003e-EncodedCommand\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003ePowerShell executes the attacker-controlled, obfuscated script.\u003c/li\u003e\n\u003cli\u003eThe script performs malicious activities such as reconnaissance, lateral movement, or data exfiltration.\u003c/li\u003e\n\u003cli\u003eScript output is returned to the attacker through the RTR session itself, so no separate command and control channel has to be established on the host.\u003c/li\u003e\n\u003cli\u003eAttacker achieves their final objective, such as data theft, system compromise, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete compromise of targeted systems. An attacker with RTR access can use this technique to bypass normal endpoint security controls. This can result in data breaches, financial losses, and reputational damage. 
The impact is amplified by the trust relationship between Crowdstrike and its managed endpoints, making detection and prevention more difficult.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Crowdstrike RTR PowerShell EncodedCommand Execution\u003c/code\u003e to identify suspicious PowerShell executions originating from Crowdstrike RTR.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events (Sysmon EventID 1, or Windows Security 4688 with command-line auditing enabled) and filter for PowerShell processes with encoded commands (\u003ccode\u003e-EncodedCommand\u003c/code\u003e and its short forms such as \u003ccode\u003e-enc\u003c/code\u003e and \u003ccode\u003e-e\u003c/code\u003e) where the parent process is \u003ccode\u003edllhost.exe\u003c/code\u003e. Decode the Base64 argument during triage; the decoded script, not the presence of the flag, is what tells you whether the activity is hostile.\u003c/li\u003e\n\u003cli\u003eExpect matches from authorized analysts, since legitimate RTR runscript use produces the same process tree. Reconcile each alert against the RTR session audit in the Falcon console (which user ran which command on which host and when); an execution with no corresponding session, or from an unexpected console account, is the real signal.\u003c/li\u003e\n\u003cli\u003eReview and restrict Crowdstrike Dashboard access to only authorized personnel to prevent unauthorized use of RTR.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Crowdstrike Dashboard accounts.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Crowdstrike RTR PowerShell EncodedCommand Execution - Alternate\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-crowdstrike-rtr-script-execution/","summary":"Detection of PowerShell execution initiated via Crowdstrike Real Time Response (RTR) 'runscript' command, potentially indicating malicious actors leveraging compromised Crowdstrike Dashboard access to execute commands on remote hosts using encoded commands.","title":"Crowdstrike RTR Script Execution via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-crowdstrike-rtr-script-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Visual 
Studio"],"_cs_severities":["high"],"_cs_tags":["living-off-the-land","defense-evasion","msbuild"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis detection identifies a suspicious process execution pattern where \u003ccode\u003ewmiprvse.exe\u003c/code\u003e (the WMI Provider Host process) spawns \u003ccode\u003emsbuild.exe\u003c/code\u003e. This behavior is atypical because \u003ccode\u003emsbuild.exe\u003c/code\u003e is usually initiated by \u003ccode\u003edevenv.exe\u003c/code\u003e (Visual Studio), \u003ccode\u003edotnet.exe\u003c/code\u003e or a build agent during software development. A process whose parent is \u003ccode\u003ewmiprvse.exe\u003c/code\u003e was started through WMI, typically a \u003ccode\u003eWin32_Process.Create\u003c/code\u003e call, which is how WMI-based remote execution (for example \u003ccode\u003ewmic process call create\u003c/code\u003e or \u003ccode\u003eInvoke-WmiMethod\u003c/code\u003e from another host) lands on the endpoint. An adversary might leverage this technique to proxy execution of malicious code through a trusted, Microsoft-signed utility, a tactic known as \u0026ldquo;Living off the Land.\u0026rdquo; The activity is significant because it allows attackers to execute arbitrary code or scripts without directly introducing new executables, potentially leading to system compromise or further malicious activities, such as lateral movement and data exfiltration. The detection focuses on process relationships and command-line executions observed on Windows endpoints. 
This technique has been observed in campaigns such as the Storm-2460 CLFS Zero Day Exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses WMI to execute a malicious command or script.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ewmiprvse.exe\u003c/code\u003e is invoked as part of the WMI execution process.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious project file or uses an existing one to execute code through MSBuild.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ewmiprvse.exe\u003c/code\u003e spawns \u003ccode\u003emsbuild.exe\u003c/code\u003e to build and execute the malicious project.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emsbuild.exe\u003c/code\u003e executes the attacker\u0026rsquo;s code, potentially downloading additional payloads or executing commands.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution within the context of MSBuild, bypassing some application control defenses.\u003c/li\u003e\n\u003cli\u003eThe attacker performs further malicious activities such as credential theft, lateral movement, or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code, escalate privileges, and bypass application control mechanisms. This can lead to full system compromise, data theft, and further propagation within the network. The number of affected systems depends on the scope of the initial compromise. 
Successful attacks leveraging this technique have been observed to facilitate lateral movement and data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1), or Windows Security 4688 with command-line auditing, to capture the parent-child relationship the rule keys on.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious MSBuild Spawned by WMI Provider\u003c/code\u003e to your SIEM to detect anomalous process spawns.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where \u003ccode\u003ewmiprvse.exe\u003c/code\u003e spawns \u003ccode\u003emsbuild.exe\u003c/code\u003e, focusing on the command-line arguments, the project file passed to MSBuild (an inline task in a .csproj or .proj is the usual carrier for the payload) and the origin of the WMI call, which WMI-Activity logging on the target (if enabled) and process telemetry on the calling host can help attribute.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of \u003ccode\u003emsbuild.exe\u003c/code\u003e to authorized users and processes. MSBuild is on Microsoft\u0026rsquo;s recommended WDAC block list because it can compile and run arbitrary code, so block it outright on hosts that do not build software and allow it only for build accounts and pipelines elsewhere.\u003c/li\u003e\n\u003cli\u003eMonitor for network connections originating from \u003ccode\u003emsbuild.exe\u003c/code\u003e processes (Sysmon Event ID 3 or a network intrusion detection system); a build tool reaching the internet outside a package restore deserves a look.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"/briefs/2024-01-03-msbuild-spawn/","summary":"The analytic identifies instances where wmiprvse.exe spawns msbuild.exe, an unusual process relationship indicative of potential COM object misuse and unauthorized code execution on Windows systems.","title":"Suspicious MSBuild Spawned by WMI Provider Process","url":"https://feed.craftedsignal.io/briefs/2024-01-03-msbuild-spawn/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["msbuild","lolbas","living-off-the-land","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eAttackers commonly abuse msbuild.exe, a legitimate Microsoft build tool, to execute 
malicious code while bypassing security controls. This technique, known as \u0026ldquo;Living off the Land,\u0026rdquo; allows threat actors to utilize trusted system binaries to perform malicious actions. This analytic focuses on detecting instances where msbuild.exe is executed from a non-standard path. This deviation from the expected execution path is a strong indicator of malicious activity, as legitimate uses run from the standard installation directories: \u003ccode\u003eC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\u003c/code\u003e, \u003ccode\u003eC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\u003c/code\u003e, or the \u003ccode\u003eMSBuild\\Current\\Bin\u003c/code\u003e directory beneath a Visual Studio or Build Tools installation (a versioned \u003ccode\u003eMSBuild\\15.0\\Bin\u003c/code\u003e in older releases). Identifying and responding to these anomalous executions can prevent attackers from gaining a foothold and escalating their attacks. This detection is relevant across various attack scenarios, including malware deployment, privilege escalation, and lateral movement.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access through various methods (e.g., phishing, exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eFile Dropping: A malicious payload or script is dropped onto the system.\u003c/li\u003e\n\u003cli\u003eProject File Staging: The attacker drops a malicious .csproj (typically an inline task whose C# body MSBuild compiles and runs) or modifies an existing one.\u003c/li\u003e\n\u003cli\u003eEvade Defenses: The attacker copies msbuild.exe to a non-standard path, sometimes under a different file name, so rules keyed on the installation directory or the image name miss it.\u003c/li\u003e\n\u003cli\u003eExecution: The attacker executes msbuild.exe from the non-standard path, pointing it to the malicious .csproj file.\u003c/li\u003e\n\u003cli\u003eCode Execution: MSBuild parses the project file and executes the embedded malicious code or commands.\u003c/li\u003e\n\u003cli\u003ePersistence/Lateral Movement: Depending on the executed code, the attacker establishes persistence or moves laterally within the network.\u003c/li\u003e\n\u003cli\u003eObjective Achieved: The attacker achieves their objective, such as data theft, system compromise, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, system compromise, data exfiltration, and further malicious activities. The execution of msbuild.exe from a non-standard path is often a precursor to more serious attacks, including ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Suspicious MSBuild Execution from Non-Standard Path\u0026rdquo; to detect msbuild.exe execution from unusual locations based on process creation logs.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments and the OriginalFileName field (Sysmon Event ID 1 or EDR telemetry) so that a copy of MSBuild that was renamed as well as moved is still caught; Windows Security 4688 carries the command line but not the original file name.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the parent process, command-line arguments, and destination IP addresses.\u003c/li\u003e\n\u003cli\u003eBaseline MSBuild.exe usage within your environment to identify legitimate uses and filter them from the detection logic. Visual Studio, the Build Tools installer and CI build agents each run MSBuild from their own directories, so tune the allowed paths per host role (developer workstation, build server) rather than suppressing globally.\u003c/li\u003e\n\u003cli\u003eMonitor for network connections originating from msbuild.exe processes launched from non-standard paths to identify potential command and control activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-msbuild-non-standard-path/","summary":"Detection of msbuild.exe execution from a non-standard path, indicating potential attempts to evade detection and execute malicious code.","title":"Suspicious MSBuild Execution from Non-Standard Path","url":"https://feed.craftedsignal.io/briefs/2024-01-03-msbuild-non-standard-path/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk 
Cloud"],"_cs_severities":["medium"],"_cs_tags":["living-off-the-land","proxy-execution","endpoint"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThe Microsoft Workflow Compiler (microsoft.workflow.compiler.exe) is a legitimate Microsoft executable, but its usage is uncommon in typical environments. This makes it an attractive target for attackers looking to bypass security controls and execute malicious code. Located in C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319, with a 32-bit copy under C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319 that path-based rules must also cover, the executable is designed for compiling workflow definitions: it takes a serialized CompilerInput XML file that names one or more source files plus an output path, compiles those sources and loads the result, which is what lets an attacker run arbitrary C# or VB.NET inside a signed Microsoft process. Its rare usage means that any execution of this binary warrants further investigation. This activity is often seen after initial compromise, as an attempt to establish persistence or execute payloads.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, potentially through exploitation of a vulnerability or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages an existing scripting capability (e.g., PowerShell) to stage the malicious payload.\u003c/li\u003e\n\u003cli\u003eThe attacker executes microsoft.workflow.compiler.exe, pointing it at a CompilerInput XML that references attacker-supplied source, to compile and execute a malicious workflow definition.\u003c/li\u003e\n\u003cli\u003eThe workflow definition contains embedded code or calls out to external resources to download and execute additional payloads.\u003c/li\u003e\n\u003cli\u003eThe compiled code executes in the context of the workflow compiler process, potentially bypassing application whitelisting.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating a scheduled task or modifying registry keys to automatically execute the malicious workflow on system startup.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement using the compromised system as a pivot point to access other systems within the 
network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can allow attackers to execute arbitrary code, bypass application whitelisting, and establish persistence on compromised systems. The lack of widespread usage of the Microsoft Workflow Compiler makes its malicious use difficult to detect, potentially allowing attackers to maintain a foothold in the environment for extended periods. If the attacker achieves persistence and lateral movement, it could lead to data exfiltration, ransomware deployment, or other significant security incidents.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Microsoft Workflow Compiler Execution\u003c/code\u003e to detect the execution of \u003ccode\u003emicrosoft.workflow.compiler.exe\u003c/code\u003e with unusual parent processes.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) or Windows Event Log Security (4688) to ensure the necessary telemetry for the detection is available.\u003c/li\u003e\n\u003cli\u003eInvestigate any identified instances of \u003ccode\u003emicrosoft.workflow.compiler.exe\u003c/code\u003e execution, paying close attention to the parent process, command-line arguments, and network activity.\u003c/li\u003e\n\u003cli\u003eMonitor process execution data for unusual parent-child process relationships involving \u003ccode\u003emicrosoft.workflow.compiler.exe\u003c/code\u003e, especially if the parent process is a scripting engine like PowerShell or cmd.exe.\u003c/li\u003e\n\u003cli\u003eReview and tune the \u003ccode\u003esuspicious_microsoft_workflow_compiler_usage_filter\u003c/code\u003e macro in the original Splunk search to reduce false positives in your 
environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-suspicious-workflow-compiler/","summary":"The use of Microsoft Workflow Compiler (microsoft.workflow.compiler.exe), a rarely utilized executable typically found in C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319, can indicate malicious intent such as code execution or persistence mechanisms, potentially leading to unauthorized access.","title":"Suspicious Microsoft Workflow Compiler Usage","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-workflow-compiler/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Microsoft.Workflow.Compiler.exe"],"_cs_severities":["high"],"_cs_tags":["lolbin","defense-evasion","living-off-the-land","masquerading"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis brief focuses on the suspicious renaming of the Microsoft Workflow Compiler (microsoft.workflow.compiler.exe), a legitimate but rarely used executable typically found in C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319. Attackers may rename this file to masquerade malicious activity and bypass security solutions that rely on file name-based detection. This technique can be employed by various threat actors, including ransomware groups like BlackByte, to execute arbitrary code, escalate privileges, and maintain persistence on compromised systems. The LOLBAS Project documents this binary as a potential avenue for malicious code execution. 
This activity is significant because it represents a living-off-the-land tactic (LOTL) that is harder to detect than custom malware.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies Microsoft.Workflow.Compiler.exe in C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319.\u003c/li\u003e\n\u003cli\u003eThe attacker renames Microsoft.Workflow.Compiler.exe, or a copy of it placed in a writable directory, to a different name (e.g., svchost.exe) using a command-line tool like \u003ccode\u003erename\u003c/code\u003e or \u003ccode\u003ecopy\u003c/code\u003e. The file keeps its Microsoft signature and its version-resource OriginalFileName of Microsoft.Workflow.Compiler.exe, which is the field the detection relies on.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the renamed executable with malicious parameters or a payload.\u003c/li\u003e\n\u003cli\u003eThe renamed Microsoft Workflow Compiler executes arbitrary code, bypassing file name-based security controls.\u003c/li\u003e\n\u003cli\u003eThe compiled code runs with the privileges of the account that launched the renamed binary; the trusted-looking name helps it evade file name-based controls and casual review but confers no elevation by itself, so privilege escalation requires a separate technique.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by scheduling the renamed executable to run automatically.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to move laterally, exfiltrate data, or deploy ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful renaming and execution of the Microsoft Workflow Compiler can lead to significant compromise, allowing attackers to bypass security measures and execute arbitrary code. This can lead to persistence and further malicious activities such as data theft or ransomware deployment, and it supports privilege escalation only in combination with a separate technique. 
The BlackByte ransomware group has been known to use similar LOLBIN techniques, and the ease of renaming the file makes it a popular choice for attackers looking to evade detection.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for the execution of renamed Microsoft Workflow Compiler processes using the provided Sigma rule \u003ccode\u003eDetect Suspicious Microsoft Workflow Compiler Execution\u003c/code\u003e. The rule matches an OriginalFileName of \u003ccode\u003eMicrosoft.Workflow.Compiler.exe\u003c/code\u003e against an Image name that differs, so it needs Sysmon EventID 1 or EDR telemetry; Windows Event Log Security 4688 records only the new image name and cannot see the rename on its own.\u003c/li\u003e\n\u003cli\u003eImplement endpoint detection and response (EDR) solutions to collect and analyze process telemetry, including process names, original file names, parent processes, and command-line arguments.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Microsoft Workflow Compiler Rename\u003c/code\u003e to identify instances where \u003ccode\u003eMicrosoft.Workflow.Compiler.exe\u003c/code\u003e is renamed.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, paying close attention to the parent processes, command-line arguments, and destination hosts.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1 includes the OriginalFileName field by default) to activate the rules above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-workflow-compiler-rename/","summary":"Detection of the renaming of microsoft.workflow.compiler.exe, a technique used by attackers to evade security controls and potentially execute arbitrary code for privilege escalation or persistence.","title":"Suspicious Microsoft Workflow Compiler Rename","url":"https://feed.craftedsignal.io/briefs/2024-01-03-workflow-compiler-rename/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":true,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk 
Cloud","Windows"],"_cs_severities":["high"],"_cs_tags":["netsh","living-off-the-land","persistence","network-configuration"],"_cs_type":"threat","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis brief focuses on the anomalous execution of \u003ccode\u003enetsh.exe\u003c/code\u003e, a command-line utility native to Windows operating systems used for network configuration. While legitimate use of \u003ccode\u003enetsh.exe\u003c/code\u003e exists, its invocation by uncommon processes can signify malicious activity, such as establishing persistence or modifying network settings. This activity has been observed in attacks attributed to Volt Typhoon, where it was used for \u0026ldquo;living off the land\u0026rdquo; tactics targeting US critical infrastructure, and in malware campaigns involving Azorult, Snake Keylogger, ShrinkLocker, and Hellcat Ransomware. Defenders should monitor for unexpected processes launching \u003ccode\u003enetsh.exe\u003c/code\u003e to identify potential threats within their environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system through various means (e.g., compromised credentials, exploitation of vulnerabilities).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish persistence on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a process (e.g., a script interpreter or legitimate application) to execute \u003ccode\u003enetsh.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enetsh.exe\u003c/code\u003e is invoked with specific commands to modify network configurations (e.g., adding firewall rules, configuring port forwarding, or changing DNS settings).\u003c/li\u003e\n\u003cli\u003eThese network configuration changes facilitate further malicious activities, such as lateral movement, command and control communication, or data 
exfiltration.\u003c/li\u003e\n\u003cli\u003eA malicious helper DLL is registered with \u003ccode\u003enetsh add helper \u0026lt;path\u0026gt;\u003c/code\u003e; the registration is stored under \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\NetSh\u003c/code\u003e and the DLL is loaded every subsequent time \u003ccode\u003enetsh.exe\u003c/code\u003e runs, giving the attacker persistent access that survives reboots (MITRE ATT\u0026CK T1546.007).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system as a foothold to move laterally within the network, targeting critical assets.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data theft, system disruption, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via anomalous \u003ccode\u003enetsh.exe\u003c/code\u003e execution can lead to significant network compromise, including persistent access for attackers, unauthorized modification of network settings, and potential privilege escalation. This can result in data breaches, service disruption, and reputational damage. The Volt Typhoon campaign targeted US critical infrastructure, demonstrating the potential for significant impact on national security. 
Multiple malware families including Azorult, Snake Keylogger, ShrinkLocker, and Hellcat Ransomware have been known to abuse \u003ccode\u003enetsh.exe\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events (Sysmon Event ID 1, Windows Event Log Security 4688) for the execution of \u003ccode\u003enetsh.exe\u003c/code\u003e by unusual parent processes.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Suspicious Processes Launching Netsh\u003c/code\u003e to identify suspicious invocations of \u003ccode\u003enetsh.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where \u003ccode\u003enetsh.exe\u003c/code\u003e is launched with firewall rule changes, port proxies (\u003ccode\u003enetsh interface portproxy add v4tov4\u003c/code\u003e, the pattern reported for Volt Typhoon) or helper registration (\u003ccode\u003enetsh add helper\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview and audit existing netsh state to identify unauthorized changes: registered helpers (\u003ccode\u003enetsh show helper\u003c/code\u003e and the \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\NetSh\u003c/code\u003e key), port proxies (\u003ccode\u003enetsh interface portproxy show all\u003c/code\u003e) and firewall rules (\u003ccode\u003enetsh advfirewall firewall show rule name=all\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eConsider blocking execution of \u003ccode\u003enetsh.exe\u003c/code\u003e where it is not required for legitimate business operations; VPN clients, installers and Group Policy startup scripts also call it, so build an allowlist of expected parent processes from your own telemetry before blocking outright.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Netsh Helper DLL Load\u003c/code\u003e to detect malicious DLL loading by netsh.exe; Sysmon Event ID 7 (a DLL loaded into netsh.exe from outside System32) and Event ID 13 (a value written under the NetSh registry key) are the telemetry to pair with it.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-netsh-abuse/","summary":"Detection of netsh.exe execution by unusual processes indicative of potential malicious activity, including persistence and network configuration changes by threat actors.","title":"Detection of Processes Launching netsh.exe for Malicious Purposes","url":"https://feed.craftedsignal.io/briefs/2024-01-netsh-abuse/"}],"language":"en","title":"CraftedSignal Threat Feed — Living-Off-the-Land","version":"https://jsonfeed.org/version/1.1"}
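The process-creation checks that the six briefs above describe (RTR encoded PowerShell under dllhost.exe, MSBuild under wmiprvse.exe, MSBuild from a non-standard path, a renamed Workflow Compiler, and netsh helper registration), run as one pass over constructed Sysmon-style events. This is an added example and not code from the CraftedSignal feed, Splunk or CrowdStrike; the field names follow Sysmon Event ID 1, while the list of standard MSBuild directories, the sample events and the rule labels are assumptions made for the illustration.

```python
"""Added example: one detection pass over Sysmon-style process-creation events
covering the living-off-the-land patterns in the feed above. Field names mirror
Sysmon Event ID 1 (Image, ParentImage, CommandLine, OriginalFileName). The
sample events and the MSBuild directory allowlist are constructed assumptions."""
import base64
import re
from pathlib import PureWindowsPath

# Assumed allowlist of directories MSBuild legitimately runs from; tune per estate.
MSBUILD_STANDARD_DIRS = (
    r"c:\windows\microsoft.net\framework\v4.0.30319",
    r"c:\windows\microsoft.net\framework64\v4.0.30319",
    r"c:\program files\microsoft visual studio",
    r"c:\program files (x86)\microsoft visual studio",
)
# PowerShell accepts -EncodedCommand, any unambiguous prefix (-e, -en, -enc, ...)
# and -ec; the argument is Base64 of the UTF-16LE script text.
_ENC_FLAG = re.compile(r"(?<!\S)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.I)


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded script of an encoded PowerShell command line, else None."""
    for m in _ENC_FLAG.finditer(cmdline):
        flag = m.group(1).lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(m.group(2)).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return "<undecodable payload>"
    return None


def analyse(ev: dict) -> list:
    """Apply the feed's rules to one event and return the labels that fire."""
    img, parent = image_name(ev["Image"]), image_name(ev["ParentImage"])
    cmd = ev.get("CommandLine", "")
    orig = ev.get("OriginalFileName", "").lower()
    hits = []
    # 1. RTR runscript tree: dllhost.exe -> powershell.exe with an encoded command.
    if parent == "dllhost.exe" and img == "powershell.exe":
        script = decode_encoded_command(cmd)
        if script is not None:
            hits.append(f"rtr_encoded_powershell: {script.strip()}")
    # 2. WMI Provider Host spawning MSBuild (Win32_Process.Create style execution).
    if parent == "wmiprvse.exe" and img == "msbuild.exe":
        hits.append("msbuild_spawned_by_wmiprvse")
    # 3. MSBuild outside its install directories; OriginalFileName also catches
    #    a copy that was renamed as well as moved.
    if img == "msbuild.exe" or orig == "msbuild.exe":
        directory = str(PureWindowsPath(ev["Image"]).parent).lower()
        if not directory.startswith(MSBUILD_STANDARD_DIRS):
            hits.append(f"msbuild_nonstandard_path: {directory}")
    # 4. Workflow Compiler: renamed copy (version resource still names it), or a
    #    plain execution, which is rare enough to review on its own.
    if orig == "microsoft.workflow.compiler.exe" and img != orig:
        hits.append(f"workflow_compiler_renamed_to: {img}")
    elif img == "microsoft.workflow.compiler.exe":
        hits.append("workflow_compiler_executed")
    # 5. netsh helper DLL registration (persisted under HKLM\SOFTWARE\Microsoft\NetSh).
    if img == "netsh.exe" and re.search(r"\badd\s+helper\b", cmd, re.I):
        hits.append("netsh_helper_dll_registration")
    return hits


def encode_ps(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample events, not real telemetry. The last one is benign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": "powershell.exe -NoP -NonI -enc " + encode_ps("whoami /all"),
     "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\wbem\wmiprvse.exe",
     "CommandLine": r"MSBuild.exe C:\Users\Public\build.csproj",
     "OriginalFileName": "MSBuild.exe"},
    {"Image": r"C:\Users\Public\msbuild.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"msbuild.exe C:\Users\Public\x.csproj",
     "OriginalFileName": "MSBuild.exe"},
    {"Image": r"C:\Users\Public\svchost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"svchost.exe C:\Users\Public\input.xml C:\Users\Public\out.txt",
     "OriginalFileName": "Microsoft.Workflow.Compiler.exe"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"netsh add helper C:\Users\Public\helper.dll",
     "OriginalFileName": "netsh.exe"},
    {"Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": "MSBuild.exe app.csproj",
     "OriginalFileName": "MSBuild.exe"},
]


def run(events=SAMPLE_EVENTS) -> dict:
    """Map event index -> fired labels, omitting events with no hits."""
    findings = {}
    for i, ev in enumerate(events):
        hits = analyse(ev)
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for i, hits in run().items():
        print(i, hits)
```

The RTR check decodes the encoded argument instead of merely flagging it, which is what turns an alert that also fires for every authorized analyst session into something an analyst can triage at a glance. The MSBuild and Workflow Compiler checks compare OriginalFileName rather than only the image name, so a binary that was copied and renamed still matches; that field is present in Sysmon Event ID 1 and most EDR telemetry but not in Windows Security 4688.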