{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/mounted-device/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","mounted-device","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious execution of script interpreters or signed binaries from mounted devices in Windows environments. Attackers attempt to evade defenses by launching processes from non-standard directories, such as mounted devices. This technique can be employed following initial access via phishing or other means. The focus is on processes spawned by \u003ccode\u003eexplorer.exe\u003c/code\u003e with a working directory on removable drives (D, E, F) and named \u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003epwsh.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003eregsvr32.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003ebitsadmin.exe\u003c/code\u003e, \u003ccode\u003emsiexec.exe\u003c/code\u003e, \u003ccode\u003ewmic.exe\u003c/code\u003e, \u003ccode\u003eschtasks.exe\u003c/code\u003e, or \u003ccode\u003emsbuild.exe\u003c/code\u003e. This behavior is anomalous and indicative of potential malicious activity. The rule originates from Elastic\u0026rsquo;s detection rule set.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser unknowingly executes a malicious file (T1204.002) or opens a phishing email leading to drive-by compromise.\u003c/li\u003e\n\u003cli\u003eThe malicious file is downloaded onto the system, potentially onto a mounted device such as a USB drive (D:, E:, or F:).\u003c/li\u003e\n\u003cli\u003eThe user interacts with the mounted device via \u003ccode\u003eexplorer.exe\u003c/code\u003e, inadvertently triggering the execution of a malicious script or binary (TA0002).\u003c/li\u003e\n\u003cli\u003eThe script interpreter (e.g., powershell.exe, cmd.exe) or a signed binary (e.g., mshta.exe, regsvr32.exe) is executed from the mounted device (T1059).\u003c/li\u003e\n\u003cli\u003eThe process inherits the working directory from the mounted device, further masking its origin.\u003c/li\u003e\n\u003cli\u003eThe script or binary performs malicious actions, such as downloading additional malware, establishing persistence, or exfiltrating data (TA0005).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the trusted binary or interpreter to proxy execution of their malicious code (T1127, T1218).\u003c/li\u003e\n\u003cli\u003eThe system is compromised, potentially leading to data theft, ransomware deployment, or lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack of this nature can lead to the compromise of Windows systems. Attackers can evade traditional defenses, making detection more challenging. The impact can range from data theft and system compromise to lateral movement and ransomware deployment. Organizations may experience financial loss, reputational damage, and operational disruption if systems are successfully compromised using this technique.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture process execution events, including the working directory and parent process, which is essential for activating the rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Suspicious Execution from Mounted Device\u0026rdquo; Sigma rule to your SIEM to detect potentially malicious processes being launched from unusual locations and tune for your environment.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of script interpreters and signed binaries from removable drives to mitigate the risk of this attack.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of executing files from untrusted sources, particularly from removable media, to prevent initial infection (T1204).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-suspicious-execution-mounted-device/","summary":"Attackers may use mounted devices as a non-standard working directory to execute signed binaries or script interpreters, evading traditional defense mechanisms, particularly when launched via explorer.exe.","title":"Suspicious Execution from a Mounted Device","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-execution-mounted-device/"}],"language":"en","title":"CraftedSignal Threat Feed — Mounted-Device","version":"https://jsonfeed.org/version/1.1"}