{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/masquerading/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["data-exfiltration","rclone","masquerading"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAttackers are leveraging Rclone, a legitimate command-line program to manage files on cloud storage, for malicious purposes. The primary abuse case involves renaming Rclone (e.g., to TrendFileSecurityCheck.exe) to evade detection based on process name. Once renamed, attackers use Rclone\u0026rsquo;s copy/sync functionalities with cloud backends like S3 or HTTP endpoints. They often employ \u003ccode\u003e--include\u003c/code\u003e filters to target specific sensitive file types for exfiltration. This activity is frequently blended with regular administrative traffic to further obfuscate the malicious intent. 
Defenders should be aware of this tactic, particularly when unusual processes are observed interacting with cloud storage services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through an undisclosed method.\u003c/li\u003e\n\u003cli\u003eRclone is downloaded or transferred to the victim machine.\u003c/li\u003e\n\u003cli\u003eThe rclone executable is renamed to a benign-sounding name (e.g., TrendFileSecurityCheck.exe) to masquerade as a legitimate system utility.\u003c/li\u003e\n\u003cli\u003eThe attacker configures rclone to connect to a cloud storage backend (e.g., an S3 bucket or HTTP endpoint) controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eA command is executed using the renamed rclone executable, specifying the \u003ccode\u003ecopy\u003c/code\u003e or \u003ccode\u003esync\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe command includes \u003ccode\u003e--include\u003c/code\u003e flags to filter and select specific file types (e.g., documents, source code, databases) for exfiltration.\u003c/li\u003e\n\u003cli\u003eRclone transfers the targeted files from the victim machine to the attacker\u0026rsquo;s cloud storage backend, potentially using the \u003ccode\u003e--transfers\u003c/code\u003e option for faster exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the exfiltrated data from their cloud storage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the exfiltration of sensitive data, including proprietary information, customer data, financial records, or intellectual property. The impact can range from reputational damage and financial losses to legal and regulatory repercussions. 
The scope of damage depends on the sensitivity and volume of the exfiltrated data, the number of affected systems, and the effectiveness of the attacker\u0026rsquo;s filtering criteria.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Rclone Usage\u003c/code\u003e to detect renamed rclone executables executing copy/sync commands.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to collect the necessary process execution data for the Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any process identified by the Sigma rule \u003ccode\u003eSuspicious Rclone Usage\u003c/code\u003e by examining command-line arguments for cloud backend destinations and \u003ccode\u003e--include\u003c/code\u003e filters.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for unusual outbound traffic to cloud storage providers (AWS S3, Azure Blob Storage, Google Cloud Storage) from processes other than approved backup solutions.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or renamed executables.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-rclone-exfiltration/","summary":"Attackers are abusing the legitimate file synchronization tool rclone, often renamed to masquerade as legitimate software, to exfiltrate data to cloud storage or remote endpoints.","title":"Potential Data Exfiltration via Rclone","url":"https://feed.craftedsignal.io/briefs/2026-05-rclone-exfiltration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud 
Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","masquerading","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies processes executing from directories that masquerade as the legitimate Windows Program Files directories. Attackers may create directories with similar names (e.g., \u0026ldquo;C:\\Program Files Bad\u0026rdquo; or \u0026ldquo;C:\\Program Files(x86) Malicious\u0026rdquo;) to host and execute malicious executables, bypassing security measures that trust the standard Program Files locations. This technique is particularly effective when combined with low-privilege accounts, as it allows attackers to evade detections that whitelist only the standard, trusted Program Files paths. The timeframe for this rule is the last 9 months. This matters to defenders because it highlights a common tactic used to bypass established trust relationships within the Windows operating system, requiring more granular inspection of process execution paths.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new directory that mimics the \u0026ldquo;Program Files\u0026rdquo; or \u0026ldquo;Program Files (x86)\u0026rdquo; directory (e.g., \u0026ldquo;C:\\Program Files Bad\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker copies or downloads malicious executable files into the newly created masquerading directory.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malicious executable from the masquerading directory.\u003c/li\u003e\n\u003cli\u003eThe operating system loads the executable and begins its execution, potentially bypassing any allowlisting rules that only check the standard \u0026ldquo;Program Files\u0026rdquo; 
locations.\u003c/li\u003e\n\u003cli\u003eThe malicious executable performs its intended actions, such as installing malware, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised system to move laterally within the network, repeating the masquerading technique on other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to malware infection, data theft, or complete system compromise. The impact is significant, as it undermines the trust placed in the \u0026ldquo;Program Files\u0026rdquo; directory and allows attackers to operate undetected for extended periods. While no specific victim counts are given, the technique is broadly applicable to any Windows environment, especially those relying on simple path-based allowlisting for security.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eProgram Files Directory Masquerading Detection\u003c/code\u003e to your SIEM to detect suspicious process executions from masquerading directories.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to collect the necessary process execution data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eRegularly review and update allowlisting rules to include more specific criteria beyond just the \u0026ldquo;Program Files\u0026rdquo; directory, such as file hashes or digital signatures.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent processes and user accounts associated with the suspicious executions.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events in the root directory to detect suspicious folders being created (file_event 
category)\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-program-files-masquerading/","summary":"Adversaries may masquerade malicious executables within directories mimicking the legitimate Windows Program Files directory to evade defenses and execute untrusted code.","title":"Program Files Directory Masquerading","url":"https://feed.craftedsignal.io/briefs/2024-01-program-files-masquerading/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","masquerading","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft"],"content_html":"\u003cp\u003eAdversaries may use masquerading techniques to evade defenses and blend into the environment by manipulating the name or location of a file, tricking users into executing malicious code disguised as a benign file type. This rule detects the creation of executable files with multiple extensions, a common method of masquerading. The rule focuses on identifying suspicious file creations that use misleading extensions, specifically targeting files with an \u0026ldquo;.exe\u0026rdquo; extension preceded by common benign extensions. It excludes known legitimate processes to minimize false positives. 
This activity is relevant for defenders to identify potential threats where adversaries attempt to bypass security measures by disguising malicious files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious executable file with a double extension (e.g., \u0026ldquo;document.pdf.exe\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious file to the target system via phishing or other means.\u003c/li\u003e\n\u003cli\u003eThe user downloads or receives the file and attempts to open it.\u003c/li\u003e\n\u003cli\u003eWindows displays the file with the first extension (\u0026ldquo;document.pdf\u0026rdquo;) by default, misleading the user.\u003c/li\u003e\n\u003cli\u003eUpon execution, Windows recognizes the \u0026ldquo;.exe\u0026rdquo; extension and executes the file.\u003c/li\u003e\n\u003cli\u003eThe malicious executable runs, potentially deploying malware or performing other unauthorized actions.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence or attempts lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data theft or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to malware infection, data breaches, and system compromise. This technique bypasses common file type restrictions and user awareness, potentially affecting a wide range of users and systems. While the number of victims is not specified, the impact can be significant, particularly in organizations where users handle sensitive data. 
The affected sectors are broad, encompassing any organization where users are susceptible to social engineering attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Executable File Creation with Multiple Extensions\u0026rdquo; to your SIEM and tune for your environment to detect the creation of suspicious files with multiple extensions.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) for comprehensive file creation monitoring to improve the effectiveness of the detection rule.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for similar file creation activities to improve detection and response capabilities.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks associated with double file extensions and encourage caution when opening attachments from unknown sources.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate software installations that may create executables with multiple extensions to reduce false positives, as described in the rule\u0026rsquo;s triage notes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-executable-file-creation-multiple-extensions/","summary":"Detection of executable files created with multiple extensions, a masquerading technique to evade defenses.","title":"Executable File Creation with Multiple Extensions","url":"https://feed.craftedsignal.io/briefs/2024-01-executable-file-creation-multiple-extensions/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Elastic Endgame"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","masquerading","autoit","autohotkey","kix32","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eMalware operators often rename legitimate system and scripting tools to blend in with normal 
system processes and bypass security measures. This rule specifically detects instances where automation script interpreters like AutoIt, AutoHotkey, and KIX32 have been renamed. By comparing the process name against the original file name embedded in the executable, this detection identifies potential attempts to masquerade malicious scripts as legitimate software. This technique is employed to bypass application whitelisting and other security controls that rely on file names or process names for identification and authorization. This detection is relevant for any Windows environment where these scripting tools are used, as it can highlight potentially malicious activity masked by a common evasion technique.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, often through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or drops a malicious script (e.g., AutoIt, AutoHotkey, or KIX32 script) onto the target machine.\u003c/li\u003e\n\u003cli\u003eThe attacker renames the legitimate AutoIt, AutoHotkey, or KIX32 interpreter executable to a non-standard name (e.g., \u0026ldquo;svchost.exe\u0026rdquo; or \u0026ldquo;wininit.exe\u0026rdquo;) to masquerade as a legitimate process.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the renamed interpreter, which in turn executes the malicious script.\u003c/li\u003e\n\u003cli\u003eThe script performs malicious actions, such as downloading additional malware, modifying system settings, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system for lateral movement within the network or for data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence on the system to ensure continued access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful 
renaming of script interpreters allows attackers to execute malicious scripts undetected, potentially leading to data theft, system compromise, or further propagation within the network. The impact can range from minor disruption to significant financial loss and reputational damage, depending on the attacker\u0026rsquo;s objectives and the sensitivity of the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Renamed AutoIt Interpreter\u0026rdquo; to your SIEM to detect when AutoIt executables are renamed, focusing on \u003ccode\u003eprocess.pe.original_file_name\u003c/code\u003e and \u003ccode\u003eprocess.name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Renamed AutoHotkey Interpreter\u0026rdquo; to your SIEM to detect when AutoHotkey executables are renamed, focusing on \u003ccode\u003eprocess.pe.original_file_name\u003c/code\u003e and \u003ccode\u003eprocess.name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the necessary process metadata, as referenced in the rule \u003ccode\u003elogsource\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules to determine the legitimacy of the renamed executable and its associated activity as described in the \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-renamed-autoit/","summary":"Detects the renaming of automation script interpreter processes like AutoIt, AutoHotkey, and KIX32, a tactic used by malware operators to evade detection by obscuring the true nature of the executable.","title":"Renamed Automation Script 
Interpreter","url":"https://feed.craftedsignal.io/briefs/2024-01-renamed-autoit/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","privilege-escalation","masquerading"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies suspicious child processes spawned by WerFault.exe, the Windows Error Reporting tool. Attackers can abuse WerFault by manipulating the \u003ccode\u003eSilentProcessExit\u003c/code\u003e registry key to execute malicious processes. This technique allows for defense evasion, persistence, and privilege escalation. The detection focuses on WerFault processes with specific command-line arguments (\u003ccode\u003e-s\u003c/code\u003e, \u003ccode\u003e-t\u003c/code\u003e, and \u003ccode\u003e-c\u003c/code\u003e) known to be used in SilentProcessExit exploitation, while excluding legitimate executables like \u003ccode\u003eInitcrypt.exe\u003c/code\u003e and \u003ccode\u003eHeimdal.Guard.exe\u003c/code\u003e. The rule helps defenders identify potential attempts to hijack the error reporting mechanism for malicious purposes. The monitored data sources include Windows Event Logs, Sysmon, Elastic Defend, Microsoft Defender XDR, and SentinelOne.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eSilentProcessExit\u003c/code\u003e registry key to specify a malicious process to be executed when a target application crashes. 
This involves setting the \u003ccode\u003eReportingMode\u003c/code\u003e and \u003ccode\u003eDebugger\u003c/code\u003e values under the \u003ccode\u003eSilentProcessExit\u003c/code\u003e key for the target application.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a crash in the target application or waits for a legitimate crash to occur.\u003c/li\u003e\n\u003cli\u003eWerFault.exe is invoked to handle the application crash.\u003c/li\u003e\n\u003cli\u003eDue to the registry modification, WerFault.exe spawns the attacker-controlled process, passing command-line arguments such as \u003ccode\u003e-s\u003c/code\u003e, \u003ccode\u003e-t\u003c/code\u003e, and \u003ccode\u003e-c\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled process executes with the privileges of WerFault.exe, potentially achieving privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe malicious process performs actions such as injecting code into other processes, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objectives, such as maintaining persistence, escalating privileges, or evading detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to persistence, privilege escalation, and defense evasion. Attackers can use this technique to execute malicious code with elevated privileges, potentially bypassing security controls and gaining unauthorized access to sensitive data and system resources. 
The number of victims and affected sectors can vary depending on the attacker\u0026rsquo;s objectives and the scope of the initial compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture WerFault.exe child processes (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;WerFault Child Process Masquerading\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eSilentProcessExit\u003c/code\u003e registry key for unauthorized modifications (registry_set event).\u003c/li\u003e\n\u003cli\u003eInvestigate any WerFault.exe processes with command-line arguments \u003ccode\u003e-s\u003c/code\u003e, \u003ccode\u003e-t\u003c/code\u003e, and \u003ccode\u003e-c\u003c/code\u003e (process_creation event).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-09-werfault-child-process/","summary":"This rule detects suspicious child processes of WerFault.exe, a Windows error reporting tool, indicating potential abuse of the SilentProcessExit registry key to execute malicious processes stealthily for defense evasion, persistence, and privilege escalation.","title":"Suspicious WerFault Child Process Abuse","url":"https://feed.craftedsignal.io/briefs/2024-01-09-werfault-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","masquerading"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Intel","IBM"],"content_html":"\u003cp\u003eThis detection identifies process execution from suspicious default Windows directories. 
Attackers may hide malware in trusted paths to evade defenses, making it difficult for analysts to distinguish between legitimate and malicious activity. The detection focuses on identifying processes running from directories like C:\\PerfLogs, C:\\Users\\Public, and various Windows subdirectories (e.g., C:\\Windows\\Tasks, C:\\Windows\\AppReadiness), where executable files are not typically expected to reside. The detection excludes known legitimate processes like SpeechUXWiz.exe, SystemSettings.exe, TrustedInstaller.exe and other Intel and IBM executables to reduce false positives. This technique is often used to bypass security controls or take advantage of existing exceptions applied to these directories. This activity was observed being used by threat actors in the Siestagraph campaign.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious executable into a suspicious directory like C:\\Users\\Public or C:\\Windows\\Tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malware from the unusual directory. 
This might be achieved using \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe executed malware establishes persistence by creating a scheduled task or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eThe malware connects to a command-and-control (C2) server to receive further instructions.\u003c/li\u003e\n\u003cli\u003eThe C2 server instructs the malware to perform reconnaissance on the network.\u003c/li\u003e\n\u003cli\u003eThe malware attempts to move laterally to other systems on the network using techniques like pass-the-hash or exploiting vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration, ransomware deployment, or establishing long-term access to the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary code, persistence on the system, and further compromise of the network. Attackers can use this technique to bypass security controls and evade detection, potentially leading to data breaches, financial loss, or disruption of services. 
While the rule itself has a medium severity, the impact of a successful attack using this technique can be severe, depending on the attacker\u0026rsquo;s objectives and the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Process Execution from Unusual Directory\u0026rdquo; to your SIEM and tune for your environment to detect suspicious process execution.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine if the process execution is legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging, specifically Event ID 4688 with command line process auditing, to ensure the Sigma rule has the necessary data to function effectively.\u003c/li\u003e\n\u003cli\u003eReview and harden permissions on the listed suspicious directories to prevent unauthorized file creation and execution.\u003c/li\u003e\n\u003cli\u003eBlock execution of unsigned or untrusted executables from these directories using application control solutions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"/briefs/2024-01-process-execution-from-unusual-directory/","summary":"Adversaries may execute processes from unusual default Windows directories to masquerade malware and evade defenses by blending in with trusted paths, making malicious activity harder to detect.","title":"Process Execution from Suspicious Windows Directories","url":"https://feed.craftedsignal.io/briefs/2024-01-process-execution-from-unusual-directory/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["defense-evasion","masquerading","LOLbins","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies suspicious Windows processes exhibiting high malicious probability scores. 
The rule leverages machine learning to detect clusters of processes that may be indicative of defense evasion tactics, such as masquerading or the use of LOLbins (Living Off The Land Binaries). Specifically, a supervised ML model (ProblemChild) predicts whether a process is malicious, and an unsupervised ML model assesses the aggregate score of process clusters on a single host. The rule focuses on identifying unusual process clusters on a single host, indicating potential masquerading tactics for defense evasion. The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. It was last updated on 2026/04/01 and requires Elastic Stack version 9.4.0 or later.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the Windows host through various methods, such as exploiting vulnerabilities or using compromised credentials (not detailed in source).\u003c/li\u003e\n\u003cli\u003eExecution: The attacker executes a LOLBin (e.g., PowerShell, cmd.exe, mshta.exe) on the compromised host.\u003c/li\u003e\n\u003cli\u003eMasquerading: The attacker attempts to masquerade the malicious activity by naming or placing the LOLBin within a legitimate system folder.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker utilizes the LOLBin with specific command-line arguments designed to evade detection by traditional signature-based security solutions.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (Optional): The attacker may attempt to escalate privileges using further LOLBINS or other techniques.\u003c/li\u003e\n\u003cli\u003eLateral Movement (Optional): The attacker may use the compromised host to move laterally to other systems within the network.\u003c/li\u003e\n\u003cli\u003eCommand and Control (Optional): The attacker may 
establish command and control (C2) communication with an external server to receive further instructions.\u003c/li\u003e\n\u003cli\u003eImpact: The attacker achieves their objective, such as data exfiltration, ransomware deployment, or system disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to various negative impacts, including data breaches, financial loss, and reputational damage. The rule is assigned a low severity, due to it likely being a supplemental detection to other rules. Lateral movement and exfiltration can also be accomplished. There is no information available on the number of victims and specific sectors targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the Living off the Land (LotL) Attack Detection integration is installed and configured correctly, along with either Elastic Defend or Winlogbeat, to collect Windows process events as outlined in the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eReview the host name associated with the suspicious process cluster to determine if it is a critical asset or has a history of similar alerts as suggested in the investigation guide.\u003c/li\u003e\n\u003cli\u003eExamine the specific processes flagged by the ProblemChild supervised ML model to identify any known LOLbins or unusual command-line arguments that may indicate masquerading, per the investigation guide.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized or suspicious processes from executing in the future, as advised in the remediation steps.\u003c/li\u003e\n\u003cli\u003eTune the anomaly threshold of the machine learning job (\u003ccode\u003eproblem_child_high_sum_by_host_ea\u003c/code\u003e) to reduce false positives based on your 
environment\u0026rsquo;s specific characteristics and activity patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:00:00Z","date_published":"2024-01-03T18:00:00Z","id":"/briefs/2024-01-suspicious-windows-process/","summary":"A machine learning job combination has identified a host with one or more suspicious Windows processes that exhibit unusually high malicious probability scores, potentially indicating masquerading and defense evasion tactics.","title":"Suspicious Windows Process Cluster Detection via Machine Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-windows-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Work Folders","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","masquerading","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eWindows Work Folders is a Microsoft file server role that allows users to sync work files between their PCs and a central server. The WorkFolders.exe process, when called, will automatically execute any Portable Executable (PE) named control.exe as an argument before accessing the synced share. Attackers can abuse this functionality by placing a malicious executable renamed to control.exe in a location synced by Work Folders, and then triggering WorkFolders.exe. This can lead to the execution of arbitrary code in a manner that bypasses application control policies, as WorkFolders.exe is a signed Microsoft binary. This technique has been observed in the wild and documented by security researchers. 
This allows attackers to execute code from locations outside the standard Windows directories, evading traditional detection mechanisms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system through an unspecified means (e.g., phishing, exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker places a malicious executable and renames it to \u003ccode\u003econtrol.exe\u003c/code\u003e in a directory accessible to Work Folders.\u003c/li\u003e\n\u003cli\u003eThe attacker configures Windows Work Folders to synchronize the directory containing the malicious \u003ccode\u003econtrol.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim system synchronizes with the Work Folders server, copying the malicious \u003ccode\u003econtrol.exe\u003c/code\u003e to the local machine.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the \u003ccode\u003eWorkFolders.exe\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eWorkFolders.exe\u003c/code\u003e executes the \u003ccode\u003econtrol.exe\u003c/code\u003e binary from the synced folder.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003econtrol.exe\u003c/code\u003e executes, performing attacker-defined actions such as establishing persistence, escalating privileges, or deploying additional malware.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution in a potentially elevated context, leveraging a signed Microsoft binary (\u003ccode\u003eWorkFolders.exe\u003c/code\u003e) to bypass security controls.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on a victim\u0026rsquo;s machine, potentially bypassing application control and other security measures. 
This can lead to a range of malicious activities, including data theft, system compromise, and lateral movement within the network. Given the legitimate use of Work Folders, identifying malicious executions can be challenging, potentially allowing attackers to maintain a persistent foothold. The lack of specific victim counts or industry targeting details in the source material limits a complete assessment of impact scope.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creations where \u003ccode\u003eWorkFolders.exe\u003c/code\u003e is the parent process and \u003ccode\u003econtrol.exe\u003c/code\u003e is the child process, but \u003ccode\u003econtrol.exe\u003c/code\u003e is not located in a standard Windows system directory (Sigma rule: \u0026ldquo;Detect Suspicious WorkFolders Control Execution\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where \u003ccode\u003econtrol.exe\u003c/code\u003e is executed from unusual or user-writable locations, especially if \u003ccode\u003eWorkFolders.exe\u003c/code\u003e is involved (see Attack Chain step 6).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) on Windows systems to capture the necessary data for the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eReview the Microsoft documentation on Windows Information Protection (WIP) and consider implementing it to encrypt data on PCs using Work Folders.\u003c/li\u003e\n\u003cli\u003eImplement application control policies that restrict the execution of \u003ccode\u003econtrol.exe\u003c/code\u003e to authorized locations (e.g., \u003ccode\u003eC:\\Windows\\System32\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-workfolders-control-execution/","summary":"Attackers can abuse Windows Work Folders to execute a masqueraded control.exe 
file from untrusted locations, potentially bypassing application controls for defense evasion and privilege escalation.","title":"Signed Proxy Execution via MS Work Folders","url":"https://feed.craftedsignal.io/briefs/2024-01-03-workfolders-control-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","masquerading","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies the execution of a process with a single-character process name that differs from the original file name. Adversaries often employ this technique during staging, to execute temporary utilities, or to bypass security detections relying on process names. This behavior is typically observed in Windows environments where attackers attempt to masquerade their activities by renaming legitimate utilities to short, less conspicuous names, making it harder to identify malicious processes based on their name alone. The detection leverages process creation events from Elastic Defend, Microsoft Defender XDR, Crowdstrike, and Sysmon to identify such anomalies. 
The rule was initially created on 2020-11-15 and last updated on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means (e.g., phishing, exploitation of vulnerabilities).\u003c/li\u003e\n\u003cli\u003eThe attacker renames a legitimate utility (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e) to a single-character name such as \u003ccode\u003ea.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe renamed utility \u003ccode\u003ea.exe\u003c/code\u003e is executed, potentially without parameters initially, to test execution.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the renamed utility \u003ccode\u003ea.exe\u003c/code\u003e to execute commands, download additional payloads, or perform reconnaissance.\u003c/li\u003e\n\u003cli\u003eThe commands executed by \u003ccode\u003ea.exe\u003c/code\u003e might involve further obfuscation techniques to evade detection, such as base64 encoding or encryption.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the renamed utility to establish persistence by creating scheduled tasks or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network, using the compromised host as a staging point.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using this technique can lead to significant compromise of the target system. By renaming legitimate utilities, attackers can bypass standard security measures that rely on process names for detection. 
This can result in delayed detection, allowing the attacker to perform further malicious activities such as data theft, installation of malware, or lateral movement within the network. While specific numbers are unavailable, this technique has been observed across various organizations, making it a relevant threat for defenders.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging via Sysmon or Elastic Defend to provide the necessary data for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Renamed Utility Execution\u0026rdquo; to your SIEM and tune it based on your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the parent process and command-line arguments.\u003c/li\u003e\n\u003cli\u003eReview the osquery queries in the brief for additional context gathering during incident response.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-renamed-utility-short-name/","summary":"This rule detects the execution of renamed utilities with a single-character process name, differing from the original filename, a common technique used by adversaries for staging, executing temporary utilities, or bypassing security detections.","title":"Renamed Utility Executed with Short Program Name","url":"https://feed.craftedsignal.io/briefs/2024-01-renamed-utility-short-name/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Error Reporting"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","masquerading","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may attempt to evade defenses by masquerading malicious processes as legitimate Windows Error Reporting (WER) executables, specifically \u003ccode\u003eWerFault.exe\u003c/code\u003e 
or \u003ccode\u003eWermgr.exe\u003c/code\u003e. These executables are responsible for handling application crashes and reporting errors to Microsoft. This technique involves launching these executables without command-line arguments and then establishing outgoing network connections. By mimicking the behavior of legitimate WER processes, adversaries can potentially bypass detections that focus on suspicious child process activity or command-line arguments, effectively blending their malicious network activity with normal system operations. This technique has been observed in conjunction with malware campaigns, highlighting the importance of detecting deviations from the expected behavior of WER processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through an unspecified method.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys a malicious payload onto the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003eWerFault.exe\u003c/code\u003e or \u003ccode\u003eWermgr.exe\u003c/code\u003e without any command-line arguments. This is an attempt to mimic legitimate WER process behavior.\u003c/li\u003e\n\u003cli\u003eThe masquerading WER process initiates an outgoing network connection to a command-and-control (C2) server. 
The specific protocol used is not specified.\u003c/li\u003e\n\u003cli\u003eThe C2 server issues commands to the compromised system through the masquerading WER process.\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious commands on the system, potentially including data exfiltration, lateral movement, or further payload deployment.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence on the compromised system, potentially through registry modifications or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft, system disruption, or establishing a foothold for future attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful masquerading attack can lead to a prolonged period of undetected malicious activity. Victims may experience data breaches, system compromise, and potential financial losses. The targeted systems could be incorporated into a botnet, used for cryptocurrency mining, or further exploited for lateral movement within the network. 
The lack of command-line arguments makes detection more challenging, allowing attackers to operate with a lower risk of detection.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for instances of \u003ccode\u003eWerFault.exe\u003c/code\u003e or \u003ccode\u003eWermgr.exe\u003c/code\u003e executed with a single argument and an unusual command line, using the \u0026ldquo;Potential Windows Error Manager Masquerading\u0026rdquo; Sigma rule to detect such events.\u003c/li\u003e\n\u003cli\u003eInvestigate network connections originating from \u003ccode\u003eWerFault.exe\u003c/code\u003e or \u003ccode\u003eWermgr.exe\u003c/code\u003e, especially when the process is launched without arguments.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection) logging to provide the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eCorrelate process creation and network connection events to identify suspicious sequences, as outlined in the attack chain.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of compromised systems and restrict lateral movement.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-werfault-masquerading/","summary":"Adversaries may masquerade malicious processes as legitimate Windows Error Reporting processes (WerFault.exe or Wermgr.exe) to evade detection by establishing network connections without arguments, thus blending into normal system activity.","title":"Potential Windows Error Manager 
Masquerading","url":"https://feed.craftedsignal.io/briefs/2024-01-werfault-masquerading/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Slack","WebEx","Teams","Discord","Rocket.Chat","Mattermost","WhatsApp","Zoom","Outlook","Thunderbird"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","masquerading","windows"],"_cs_type":"advisory","_cs_vendors":["Slack Technologies","Cisco","Microsoft","Discord","Rocket.Chat Technologies","Mattermost","WhatsApp","Zoom Video Communications","Mozilla"],"content_html":"\u003cp\u003eAttackers may attempt to evade defenses by masquerading malicious processes as legitimate communication applications. This involves using names and icons that resemble trusted applications like Slack, WebEx, Teams, Discord, RocketChat, Mattermost, WhatsApp, Zoom, Outlook and Thunderbird to trick users and bypass security measures. This technique can be used to conceal malicious activity, bypass allowlists, or trick users into executing malware. 
The detection rule identifies suspicious instances by checking whether processes carrying these application names are unsigned or improperly signed, that is, whether their code signatures match the known trusted signers, which helps flag potential threats that mimic trusted communication tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys a malicious executable onto the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker renames the malicious executable to resemble a legitimate communication application, such as \u0026ldquo;slack.exe\u0026rdquo; or \u0026ldquo;Teams.exe\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies or removes the code signature of the malicious executable to avoid detection based on trusted publishers.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the renamed and potentially unsigned malicious executable.\u003c/li\u003e\n\u003cli\u003eThe masqueraded process performs malicious actions, such as establishing a reverse shell or downloading additional payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to move laterally within the network, escalating privileges and compromising additional systems.\u003c/li\u003e\n\u003cli\u003eThe final objective is to exfiltrate sensitive data or deploy ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful masquerading attacks can lead to significant security breaches, including data theft, system compromise, and financial loss. By disguising malicious processes as legitimate communication apps, attackers can bypass security controls and operate undetected for extended periods. This can result in widespread damage and disruption, as well as reputational damage for the targeted organization. 
The impact can range from a few compromised systems to a complete network takeover, depending on the attacker\u0026rsquo;s objectives and the effectiveness of the masquerading technique.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Masquerading as Communication Apps - Generic\u0026rdquo; to your SIEM and tune for your environment to detect unsigned or improperly signed communication applications.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Masquerading as Communication Apps - Specific\u0026rdquo; to your SIEM and tune for your environment to detect unsigned or improperly signed instances of specific communication applications.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging on Windows systems to capture the necessary events for the Sigma rules.\u003c/li\u003e\n\u003cli\u003eReview and validate the code signatures of all communication apps on your systems to ensure they are properly signed by trusted entities.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted executables.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-masquerading-communication-apps/","summary":"Attackers may attempt to evade defenses by masquerading malicious processes as legitimate communication applications such as Slack, WebEx, Teams, Discord, RocketChat, Mattermost, WhatsApp, Zoom, Outlook and Thunderbird.","title":"Potential Masquerading as Communication 
Apps","url":"https://feed.craftedsignal.io/briefs/2024-01-masquerading-communication-apps/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MSBuild"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","msbuild","masquerading"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may rename legitimate utilities, such as MSBuild, to evade detection, application allowlists, and other security protections. MSBuild, the Microsoft Build Engine, is a platform for building applications. Attackers can abuse MSBuild to proxy the execution of malicious code. The detection rule identifies instances where MSBuild is started after being renamed, indicating a potential attempt to evade detection. The rule focuses on identifying processes where the original file name is MSBuild.exe, but the process name is different, suggesting a renaming attempt.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker renames the legitimate MSBuild.exe executable to a different name (e.g., evil.exe) to evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the renamed MSBuild executable (evil.exe) with a malicious project file (.csproj or similar).\u003c/li\u003e\n\u003cli\u003eMSBuild processes the project file, which contains commands or scripts to be executed.\u003c/li\u003e\n\u003cli\u003eThe malicious commands within the project file are executed by MSBuild, potentially downloading or executing further payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker may use MSBuild to execute PowerShell commands or other scripting languages for lateral movement or further exploitation.\u003c/li\u003e\n\u003cli\u003eMSBuild can be used to modify files, registry entries, or other system settings.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final 
objective, such as data exfiltration or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to install malware, steal sensitive information, or compromise the entire system. The renaming of MSBuild can bypass standard application allowlisting and detection mechanisms.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the \u003ccode\u003eImage\u003c/code\u003e and \u003ccode\u003eOriginalFileName\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Microsoft Build Engine Using an Alternate Name\u0026rdquo; to your SIEM and tune for your environment to detect renamed MSBuild executables based on process metadata and command-line arguments.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for processes with \u003ccode\u003eOriginalFileName\u003c/code\u003e of \u0026ldquo;MSBuild.exe\u0026rdquo; and a different \u003ccode\u003eprocess.name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of renamed executables, specifically those with an \u003ccode\u003eOriginalFileName\u003c/code\u003e of \u0026ldquo;MSBuild.exe.\u0026rdquo;\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-msbuild-renamed/","summary":"Attackers may rename the Microsoft Build Engine (MSBuild) executable to evade detection and proxy execution of malicious code.","title":"Microsoft Build Engine Executed After Renaming","url":"https://feed.craftedsignal.io/briefs/2024-01-03-msbuild-renamed/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic 
Defend"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","defense-evasion","windows","process-injection","masquerading","access-token-manipulation","parent-pid-spoofing"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies Windows programs executed with unexpected parent processes, which may indicate masquerading, process injection, or other anomalous behavior. The detection logic focuses on deviations from established parent-child process relationships within the Windows operating system. This rule leverages data from multiple sources, including Elastic Defend, CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs, to enhance detection coverage. This is important for defenders as unusual parent-child process relationships can be indicative of various malicious activities, including privilege escalation and defense evasion techniques employed by threat actors. The rule aims to provide early detection of potentially malicious activities by identifying deviations from the expected process execution patterns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious payload that attempts to masquerade as a legitimate process.\u003c/li\u003e\n\u003cli\u003eThe malicious process is launched with an unexpected parent process, deviating from normal Windows process relationships. 
For example, \u003ccode\u003eautochk.exe\u003c/code\u003e running without \u003ccode\u003esmss.exe\u003c/code\u003e as its parent.\u003c/li\u003e\n\u003cli\u003eThe malicious process attempts to inject code into other processes for privilege escalation or defense evasion, leveraging techniques like process hollowing.\u003c/li\u003e\n\u003cli\u003eThe injected code gains elevated privileges, allowing the attacker to perform sensitive actions on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the elevated privileges to move laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence by creating scheduled tasks or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack exploiting unusual parent-child relationships can lead to privilege escalation, allowing attackers to gain control of the compromised system. This can result in data breaches, system downtime, and financial losses. The rule aims to mitigate these risks by detecting suspicious process executions early in the attack chain. 
While the exact number of potential victims and sectors targeted is not explicitly mentioned, the broad applicability of Windows systems makes this a widespread threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM and tune for your environment to detect unusual parent-child process relationships (see \u003ccode\u003erules\u003c/code\u003e section).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments in your Windows environment using Sysmon or Windows Security Event Logs to ensure the necessary data is available for detection.\u003c/li\u003e\n\u003cli\u003eInvestigate and baseline common parent-child process relationships in your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eIntegrate your SIEM with threat intelligence feeds to identify known malicious processes and their associated parent processes.\u003c/li\u003e\n\u003cli\u003eConfigure endpoint detection and response (EDR) solutions like Elastic Defend, CrowdStrike, Microsoft Defender XDR, and SentinelOne to collect and analyze process execution data (see \u003ccode\u003esetup\u003c/code\u003e section in the source URL).\u003c/li\u003e\n\u003cli\u003eRefer to the investigation guide linked in the source URL to triage alerts related to unusual parent-child process relationships.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-unusual-parent-child/","summary":"This rule identifies Windows programs run from unexpected parent processes, which could indicate masquerading or other strange activity on a system, potentially indicating process injection, masquerading, access token manipulation, or parent PID spoofing.","title":"Unusual Parent-Child Relationship 
Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-parent-child/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","masquerading","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may attempt to evade detection by masquerading as legitimate system processes, specifically \u003ccode\u003esvchost.exe\u003c/code\u003e. The \u003ccode\u003esvchost.exe\u003c/code\u003e process is a critical component of the Windows operating system, responsible for hosting multiple Windows services. By naming a malicious executable \u003ccode\u003esvchost.exe\u003c/code\u003e and placing it in a non-standard directory, attackers aim to blend in with normal system activity and bypass security controls that rely on process names or paths. This technique is particularly effective because \u003ccode\u003esvchost.exe\u003c/code\u003e is a common and trusted process, making it less likely to be scrutinized by users or security software. 
This detection focuses on identifying processes named \u003ccode\u003esvchost.exe\u003c/code\u003e that are not running from the legitimate Windows system directories.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious executable disguised as \u003ccode\u003esvchost.exe\u003c/code\u003e to a non-standard directory, such as \u003ccode\u003eC:\\Users\\Public\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malicious \u003ccode\u003esvchost.exe\u003c/code\u003e process from the non-standard location.\u003c/li\u003e\n\u003cli\u003eThe masquerading process attempts to mimic legitimate \u003ccode\u003esvchost.exe\u003c/code\u003e behavior to avoid suspicion.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003esvchost.exe\u003c/code\u003e process may establish network connections to external command-and-control servers.\u003c/li\u003e\n\u003cli\u003eThe process may execute malicious payloads, such as downloading additional malware or performing lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised system to access sensitive data or perform other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence on the system to ensure continued access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful masquerading attack can lead to undetected execution of malicious code, allowing attackers to compromise systems, steal data, or establish persistent access. Because the malicious process is disguised as a legitimate system component, it may evade detection by traditional security measures. 
This can result in significant damage to the affected organization, including data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line details to capture the execution of processes, including their names and paths.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Svchost Masquerading\u0026rdquo; to detect \u003ccode\u003esvchost.exe\u003c/code\u003e processes running from non-standard locations.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the \u003ccode\u003esvchost.exe\u003c/code\u003e process and its activities.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring to detect unauthorized modifications to system files, including the \u003ccode\u003esvchost.exe\u003c/code\u003e executable in the system directories.\u003c/li\u003e\n\u003cli\u003eUse application control lists (ACLs) to restrict the execution of executables from non-standard directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-svchost-masquerading/","summary":"Attackers may attempt to masquerade as the Service Host process `svchost.exe` by executing from non-standard paths to evade detection and blend in with normal system activity.","title":"Potential Masquerading as Svchost","url":"https://feed.craftedsignal.io/briefs/2024-01-svchost-masquerading/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Slack","WebEx","Teams","Discord","WhatsApp","Zoom","Outlook","Thunderbird","Grammarly","Dropbox","Tableau","Google Drive","MSOffice","Okta","OneDrive","Chrome","Firefox","Edge","Brave","GoogleCloud Related Tools","Github Related 
Tools","Notion"],"_cs_severities":["medium"],"_cs_tags":["masquerading","defense-evasion","initial-access","malware","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Slack","Cisco","Microsoft","Discord","Zoom","Mozilla","Grammarly","Dropbox","Tableau","Google","Okta","Brave","GitHub","Notion"],"content_html":"\u003cp\u003eAttackers often attempt to trick users into downloading and executing malicious executables by disguising them as legitimate business applications. This tactic is used to bypass security measures and gain initial access to a system. These malicious executables, often distributed via malicious ads, forum posts, and tutorials, mimic the names of commonly used applications such as Slack, WebEx, Teams, Discord, and Zoom. The executables are typically unsigned or signed with invalid certificates to further evade detection. This allows the attacker to execute arbitrary code on the victim\u0026rsquo;s machine, potentially leading to further compromise. This campaign targets end users who are less security-aware, which makes social engineering attacks of this kind very effective.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user visits a compromised website or clicks on a malicious advertisement.\u003c/li\u003e\n\u003cli\u003eThe user is prompted to download an installer file masquerading as a legitimate business application (e.g., Slack, Zoom, Teams) from a download directory.\u003c/li\u003e\n\u003cli\u003eThe downloaded executable is placed in the user\u0026rsquo;s Downloads folder (e.g., C:\\Users*\\Downloads*).\u003c/li\u003e\n\u003cli\u003eThe user executes the downloaded file.\u003c/li\u003e\n\u003cli\u003eThe executable, lacking a valid code signature, begins execution.\u003c/li\u003e\n\u003cli\u003eThe malicious installer may drop and execute additional malware components.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence, potentially using 
techniques such as registry key modification.\u003c/li\u003e\n\u003cli\u003eThe malware performs malicious activities, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of a masqueraded business application installer can lead to a complete system compromise. The attacker gains initial access and can deploy various malware payloads, including ransomware, keyloggers, and data stealers. This can result in data breaches, financial loss, and reputational damage. Although the specific number of victims and sectors targeted are not detailed, the widespread use of the applications being spoofed (Slack, Zoom, etc.) suggests a broad potential impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003ePotential Masquerading as Business App Installer\u003c/code\u003e to detect unsigned executables resembling legitimate business applications in download directories.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging to capture the execution of unsigned executables.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks of downloading and executing files from untrusted sources.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to restrict the execution of unauthorized applications.\u003c/li\u003e\n\u003cli\u003eRegularly update endpoint detection and response (EDR) tools to detect and prevent the execution of known malware.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for processes originating from the Downloads folder that lack valid code signatures.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-masquerading-business-apps/","summary":"Attackers masquerade malicious executables as legitimate business application installers to trick 
users into downloading and executing malware, leveraging defense evasion and initial access techniques.","title":"Masquerading Business Application Installers","url":"https://feed.craftedsignal.io/briefs/2024-01-masquerading-business-apps/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","rtlo","masquerading","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThe Right-to-Left Override (RTLO) character (U+202E) is a Unicode control character that causes the characters following it to be displayed from right to left instead of the usual left to right. Attackers exploit it to disguise a file\u0026rsquo;s real extension, making a harmful file appear safe to unsuspecting users. For example, an executable named \u0026ldquo;evil.exe\u0026rdquo; could be renamed to \u0026ldquo;evilU+202Etxt.exe\u0026rdquo;: everything after the override is drawn in reverse, so the name is displayed as \u0026ldquo;evilexe.txt\u0026rdquo; and the user takes it for a harmless text file, even though the actual extension, the one Windows uses to decide how to open the file, is still .exe. This detection rule identifies suspicious file or process activity on Windows systems by scanning for RTLO characters in file paths or process names, helping to uncover such masquerading attempts. The detection is applicable to events from Elastic Defend, Microsoft Defender XDR, and SentinelOne Cloud Funnel.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious file with an RTLO character embedded in its name. 
For example, \u003ccode\u003ebadU+202Etxt.exe\u003c/code\u003e, whose real extension is .exe.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious file to the target system, possibly through phishing, web downloads, or other social engineering techniques.\u003c/li\u003e\n\u003cli\u003eThe user receives the file and sees the name rendered as \u003ccode\u003ebadexe.txt\u003c/code\u003e, because the RTLO character reverses the display of everything after it.\u003c/li\u003e\n\u003cli\u003eThe user, believing the file is a harmless text file, opens it; Windows dispatches on the real .exe extension and runs it.\u003c/li\u003e\n\u003cli\u003eThe malicious file executes its intended payload, which could include installing malware, exfiltrating data, or performing other malicious actions.\u003c/li\u003e\n\u003cli\u003eThe executed process may attempt to establish a command and control (C2) connection with an external server to receive further instructions.\u003c/li\u003e\n\u003cli\u003eThe malware may attempt to escalate privileges or move laterally within the network to compromise additional systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary code on the victim\u0026rsquo;s system. This can result in data theft, system compromise, and potential lateral movement within the network. 
The RTLO trick is simple but effective because it deceives the person reading the file name, not the operating system: the real extension is unchanged, so controls that inspect the actual extension or the file content still see an executable, and what the technique defeats is the user\u0026rsquo;s visual check.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect RTLO Character in Filename\u003c/code\u003e to your SIEM to detect suspicious file creations and executions involving the RTLO character (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eEnable process monitoring with command line auditing to capture the execution of processes with RTLO characters in their names (Logsource: process_creation).\u003c/li\u003e\n\u003cli\u003eEducate users about the dangers of RTLO characters and the importance of verifying the real file type before execution, for example in the file\u0026rsquo;s Properties dialog, which reports the type independently of the rendered name.\u003c/li\u003e\n\u003cli\u003eImplement file extension filtering policies to block the execution of certain file types, regardless of the displayed file name; because the real extension is untouched by the override, these policies still apply.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-rtlo-file-creation/","summary":"This rule detects the creation or execution of files or processes with names containing the Right-to-Left Override (RTLO) character, which can be used to disguise the file extension and trick users into executing malicious files on Windows systems.","title":"File with Right-to-Left Override Character (RTLO) Created/Executed","url":"https://feed.craftedsignal.io/briefs/2024-01-rtlo-file-creation/"}],"language":"en","title":"CraftedSignal Threat Feed — Masquerading","version":"https://jsonfeed.org/version/1.1"}
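Added example, not part of the CraftedSignal feed and not the detection logic of Elastic, Microsoft or SentinelOne: a small Python detector that runs the three checks described in the briefs above (svchost.exe outside the system directories, an unsigned business-application installer in Downloads, and a bidi override character in a path) over constructed process-creation events. The event field names (`image`, `command_line`, `signature_valid`), the list of business-application names and the sample events are assumptions made for this example. `displayed_name()` also shows how a name carrying U+202E is rendered, which is the basis of the RTLO brief.

```python
"""
Added example, not code from the CraftedSignal feed or any vendor rule.
Runs the three masquerading checks described in the briefs over
process-creation events. Event field names, the business-app name list
and the sample events below are assumptions made for this example.
"""
import ntpath
import re

RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"   # POP DIRECTIONAL FORMATTING, ends an override
# All Unicode bidi controls; any of them in a file name is worth an alert.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

# The only directories a genuine svchost.exe runs from.
SVCHOST_DIRS = frozenset({r"c:\windows\system32", r"c:\windows\syswow64"})
# Per-user Downloads folder, i.e. C:\Users\<name>\Downloads\...
DOWNLOADS_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\downloads\\", re.IGNORECASE)
# Assumed subset of the application names the brief lists as spoofed.
BUSINESS_APPS = ("slack", "webex", "teams", "discord", "zoom",
                 "okta", "onedrive", "dropbox", "chrome", "firefox")


def displayed_name(name):
    """Approximate what a file manager shows for a name containing U+202E:
    the characters after the override are drawn right to left until a PDF
    character or the end of the string. Full bidi rendering has extra
    rules for digits and punctuation, but for the ASCII names used in
    these lures this matches what the user sees."""
    start = name.find(RTLO)
    if start < 0:
        return name
    end = name.find(PDF, start + 1)
    if end < 0:
        end = len(name)
    return name[:start] + name[start + 1:end][::-1] + name[end + 1:]


def check_event(event):
    """Return the names of the rules a process-creation event matches."""
    image = event["image"]
    directory, filename = ntpath.split(image)
    directory, filename = directory.lower(), filename.lower()
    hits = []
    # Brief 1: svchost.exe outside the Windows system directories.
    if filename == "svchost.exe" and directory not in SVCHOST_DIRS:
        hits.append("svchost_nonstandard_path")
    # Brief 3: any bidi control character in the path or command line.
    if any(ch in BIDI_CONTROLS for ch in image + event.get("command_line", "")):
        hits.append("rtlo_in_path")
    # Brief 2: executable named like a business app, in Downloads, without
    # a valid signature. A validly signed installer in the same place is
    # the benign case and is deliberately not flagged.
    if (DOWNLOADS_RE.match(image) and filename.endswith(".exe")
            and filename.startswith(BUSINESS_APPS)
            and not event.get("signature_valid", False)):
        hits.append("unsigned_business_app_in_downloads")
    return hits


def analyze(events):
    """Run every event through check_event; return (rule, image) pairs."""
    return [(rule, ev["image"]) for ev in events for rule in check_event(ev)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs", "signature_valid": True},
    {"image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "command_line": "svchost.exe", "signature_valid": False},
    # RTLO lure: the real extension is .exe, the user sees "reportexe.pdf".
    {"image": "C:\\Users\\alice\\Downloads\\report\u202efdp.exe",
     "command_line": "report\u202efdp.exe", "signature_valid": False},
    {"image": r"C:\Users\alice\Downloads\ZoomInstaller.exe",
     "command_line": "ZoomInstaller.exe", "signature_valid": False},
    {"image": r"C:\Users\alice\Downloads\ZoomInstaller.exe",
     "command_line": "ZoomInstaller.exe", "signature_valid": True},
    {"image": r"C:\Program Files\Slack\slack.exe",
     "command_line": "slack.exe", "signature_valid": True},
]

if __name__ == "__main__":
    for rule, image in analyze(SAMPLE_EVENTS):
        print(f"{rule:38s} {image!r}")
    print("rendered RTLO name:", displayed_name("report\u202efdp.exe"))
```

Running the script flags exactly three of the six events: the svchost.exe in a Temp directory, the file whose name carries the override, and the unsigned ZoomInstaller.exe; the signed copy of the same installer and the svchost.exe in System32 pass, which is the distinction each brief's recommendation relies on. The svchost check here looks at the path only; a production rule would also compare the parent process and signature as the recommendation describes.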