{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ping/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["low"],"_cs_tags":["execution","defense-evasion","windows","ping","lolbas"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAdversaries may invoke \u003ccode\u003eping.exe\u003c/code\u003e purely as a sleep primitive: \u003ccode\u003eping -n [number] 127.0.0.1\u003c/code\u003e sends one echo request roughly every second, so \u003ccode\u003e-n 31\u003c/code\u003e against the loopback address pauses for about 30 seconds without a scripting engine or any additional binary. This delayed execution is often observed during malware installation and is consistent with an attempt to outlast a sandbox analysis window or to separate the dropper from the payload launch. The detection logic looks for \u003ccode\u003eping.exe\u003c/code\u003e with the \u003ccode\u003e-n\u003c/code\u003e argument spawned from a \u003ccode\u003ecmd.exe\u003c/code\u003e shell that is not running as SYSTEM, where the same \u003ccode\u003ecmd.exe\u003c/code\u003e then invokes a commonly abused utility such as \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e or \u003ccode\u003erundll32.exe\u003c/code\u003e, or an executable from the user\u0026rsquo;s AppData directory that lacks a valid code signature. 
\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attack begins with an initial access vector (not specified in the source).\u003c/li\u003e\n\u003cli\u003eThe adversary obtains a \u003ccode\u003ecmd.exe\u003c/code\u003e shell in a non-SYSTEM user context.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ecmd.exe\u003c/code\u003e spawns \u003ccode\u003eping.exe\u003c/code\u003e with the \u003ccode\u003e-n\u003c/code\u003e argument to introduce a delay (\u003ccode\u003eping.exe -n [number] 127.0.0.1\u003c/code\u003e); the loopback target means the trick needs no network access, and each echo request adds roughly one second.\u003c/li\u003e\n\u003cli\u003eAfter the delay, the same \u003ccode\u003ecmd.exe\u003c/code\u003e process executes a commonly abused utility such as \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, or \u003ccode\u003eregsvr32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAlternatively, \u003ccode\u003ecmd.exe\u003c/code\u003e executes a binary located within the user\u0026rsquo;s AppData directory that lacks a valid code signature.\u003c/li\u003e\n\u003cli\u003eThe utility runs arbitrary commands or scripts, potentially downloading further payloads or modifying system configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the system, enabling further activity such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to malware installation, system compromise, and data theft. The source does not quantify the number of victims or the sectors targeted, but a successful compromise can cause significant operational disruption and data breaches. 
Because \u003ccode\u003eping.exe\u003c/code\u003e is a signed Windows binary, the pause itself looks benign; it can outlast a sandbox\u0026rsquo;s analysis window and separates the dropper from the payload in the process timeline, which defeats detections that expect the two to occur back to back.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Delayed Execution via Ping\u0026rdquo; to your SIEM to detect commonly abused Windows utilities launched after a delayed ping execution.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line capture (Sysmon Event ID 1, or Windows Security event 4688 with the \u0026ldquo;Include command line in process creation events\u0026rdquo; policy enabled) so that the \u003ccode\u003e-n\u003c/code\u003e argument and the follow-on process are both recorded.\u003c/li\u003e\n\u003cli\u003eImplement application control (for example AppLocker or WDAC) to block unsigned executables in user-writable locations such as AppData and to constrain the utilities identified in the rule.\u003c/li\u003e\n\u003cli\u003eReview and tune the Sigma rule, including the listed exclusions, to reduce false positives in your environment; legitimate batch scripts also use \u003ccode\u003eping -n\u003c/code\u003e as a sleep.\u003c/li\u003e\n\u003cli\u003eMonitor process execution from unusual locations like the AppData directory, especially for unsigned executables, as indicated in the rule\u0026rsquo;s detection logic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T14:00:00Z","date_published":"2024-01-02T14:00:00Z","id":"/briefs/2024-01-delayed-execution-via-ping/","summary":"Adversaries may use ping to delay execution of malicious commands, scripts, or binaries to evade detection, often observed during malware installation.","title":"Windows Delayed Execution via Ping Followed by Malicious Utilities","url":"https://feed.craftedsignal.io/briefs/2024-01-delayed-execution-via-ping/"}],"language":"en","title":"CraftedSignal Threat Feed — Ping","version":"https://jsonfeed.org/version/1.1"}
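The detection logic described in the brief above, as an added example that is not the feed's own code nor the Sigma rule it references: a Python script that groups constructed Sysmon Event ID 1 style process-creation records by their cmd.exe parent and alerts when a non-SYSTEM shell runs `ping -n` and afterwards starts one of the listed utilities or an unsigned executable under AppData. The record field names follow Sysmon's (Image, CommandLine, User, ProcessId, ParentProcessId, ParentImage, UtcTime); the `Signed` field, the SYSTEM account strings and every event record are assumptions constructed for the example, since Sysmon process-creation events carry file hashes rather than a signature verdict.

```python
"""Detect the "cmd.exe -> ping -n delay -> abused utility" chain.

Added example; not code from the feed or from the Sigma rule it references.
Field names mirror Sysmon Event ID 1. "Signed" is an ASSUMED enrichment field
(Sysmon process-creation events carry hashes, not a signature verdict), and
every event below is constructed, not real telemetry.
"""
import ntpath
import re
from collections import defaultdict
from datetime import datetime

# Utilities the brief lists as commonly abused after the delay.
ABUSED_UTILITIES = {"powershell.exe", "mshta.exe", "rundll32.exe",
                    "certutil.exe", "regsvr32.exe"}
# Shells running as SYSTEM are excluded, as in the brief's logic (assumed strings).
SYSTEM_USERS = {"NT AUTHORITY\\SYSTEM", "SYSTEM"}
# "-n <count>": number of echo requests, roughly one per second to loopback.
PING_DELAY_RE = re.compile(r"(?:^|\s)-n\s+(\d+)")


def _basename(path):
    return ntpath.basename(path).lower()


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def is_delay_ping(event):
    """ping.exe -n <count> launched by a cmd.exe that is not running as SYSTEM."""
    return (_basename(event["Image"]) == "ping.exe"
            and _basename(event["ParentImage"]) == "cmd.exe"
            and PING_DELAY_RE.search(event["CommandLine"]) is not None
            and event["User"].upper() not in SYSTEM_USERS)


def is_suspicious_follow_on(event):
    """A listed utility, or a binary under AppData without a valid signature."""
    if _basename(event["Image"]) in ABUSED_UTILITIES:
        return True
    in_appdata = "\\appdata\\" in event["Image"].lower()
    # A missing verdict is treated as unsigned (the conservative choice).
    return in_appdata and not event.get("Signed", False)


def detect_delayed_execution(events):
    """One alert per (delay ping, LATER suspicious child) pair sharing a parent.

    Children started before the ping are ignored: the pause has to precede
    the utility for the sequence to mean anything.
    """
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev["ParentProcessId"]].append(ev)
    alerts = []
    for parent_pid, children in by_parent.items():
        children.sort(key=_ts)
        for i, ping in enumerate(children):
            if not is_delay_ping(ping):
                continue
            count = int(PING_DELAY_RE.search(ping["CommandLine"]).group(1))
            for follow in children[i + 1:]:
                if is_suspicious_follow_on(follow):
                    alerts.append({"parent_pid": parent_pid, "user": ping["User"],
                                   "delay_requests": count,
                                   "ping_cmdline": ping["CommandLine"],
                                   "follow_on": follow["Image"]})
    return alerts


def _ev(t, image, cmdline, user, pid, ppid, signed=True):
    """Build a constructed Sysmon-like record whose parent is cmd.exe."""
    return {"UtcTime": t, "Image": image, "CommandLine": cmdline, "User": user,
            "ProcessId": pid, "ParentProcessId": ppid, "Signed": signed,
            "ParentImage": "C:\\Windows\\System32\\cmd.exe"}


SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [  # constructed sample telemetry
    # cmd.exe PID 4120 (CORP\alice): rundll32 started BEFORE the ping must not count.
    _ev("2024-01-02 13:59:55.000", SYS32 + "rundll32.exe",
        "rundll32.exe shell32.dll,Control_RunDLL", "CORP\\alice", "5100", "4120"),
    _ev("2024-01-02 14:00:00.000", SYS32 + "PING.EXE",
        "ping -n 31 127.0.0.1", "CORP\\alice", "5104", "4120"),
    _ev("2024-01-02 14:00:31.000", SYS32 + "mshta.exe",
        "mshta.exe C:\\Users\\alice\\AppData\\Local\\Temp\\u.hta", "CORP\\alice", "5110", "4120"),
    _ev("2024-01-02 14:00:32.000", "C:\\Users\\alice\\AppData\\Roaming\\updater.exe",
        "updater.exe /silent", "CORP\\alice", "5112", "4120", signed=False),
    # Signed AppData binary after the ping: not flagged.
    _ev("2024-01-02 14:00:40.000", "C:\\Users\\alice\\AppData\\Local\\Vendor\\Update.exe",
        "Update.exe --check", "CORP\\alice", "5120", "4120"),
    # SYSTEM-context shell PID 900: excluded even though the shape matches.
    _ev("2024-01-02 14:01:00.000", SYS32 + "PING.EXE", "ping -n 4 10.0.0.1",
        "NT AUTHORITY\\SYSTEM", "6000", "900"),
    _ev("2024-01-02 14:01:05.000", SYS32 + "powershell.exe",
        "powershell.exe -File C:\\ProgramData\\task.ps1", "NT AUTHORITY\\SYSTEM", "6004", "900"),
    # Shell PID 7000: ping without -n, then powershell: no delay primitive, no alert.
    _ev("2024-01-02 14:02:00.000", SYS32 + "PING.EXE", "ping 10.0.0.5",
        "CORP\\bob", "7100", "7000"),
    _ev("2024-01-02 14:02:03.000", SYS32 + "powershell.exe",
        "powershell.exe -NoProfile -Command Get-Date", "CORP\\bob", "7104", "7000"),
]

if __name__ == "__main__":
    for alert in detect_delayed_execution(SAMPLE_EVENTS):
        print(alert)
```

Running it prints two alerts for the alice shell (the mshta launch and the unsigned AppData binary) and none for the SYSTEM shell or the shell whose ping lacks `-n`. Two points carry over to a real SIEM: the utility must start after the pause, so children recorded before the ping are deliberately not counted, and grouping on ParentProcessId alone should be bounded by a time window because Windows reuses PIDs.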