{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/proxy-execution/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft HTML Help system","Elastic Defend","Microsoft Defender XDR","Sysmon","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["execution","defense-evasion","compiled-html","windows","proxy-execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eAttackers are known to deliver malicious payloads within compiled HTML files (.chm) to bypass security measures and gain initial access to systems. This technique leverages the Microsoft HTML Help system and its associated executable, hh.exe, to proxy the execution of malicious code. Compiled HTML files can contain various types of content, including HTML documents, images, and scripting languages like VBA, JScript, Java, and ActiveX. By embedding malicious scripts or executables within a .chm file, attackers can trick users into executing them when they open the file. This is particularly effective because hh.exe is a signed binary, which may allow it to bypass certain security controls. The scope of this technique affects Windows systems where the HTML Help system is installed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious .chm file containing embedded malicious code, such as a PowerShell script or executable.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the .chm file to the victim via social engineering, such as phishing or malicious websites.\u003c/li\u003e\n\u003cli\u003eThe victim opens the .chm file, causing hh.exe to launch.\u003c/li\u003e\n\u003cli\u003ehh.exe processes the .chm file, rendering its content, which includes the embedded malicious script or executable.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes, often spawning a scripting interpreter like \u003ccode\u003epowershell.exe\u003c/code\u003e or \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe scripting interpreter executes commands to download additional payloads or perform malicious actions on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the victim\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges and moves laterally within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to initial access, code execution, and potentially full system compromise. This can result in data theft, malware installation, and further lateral movement within the network. The severity and impact depend on the permissions of the user running hh.exe and the nature of the malicious payload.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Compiled HTML File Spawning Suspicious Processes\u0026rdquo; to your SIEM to detect instances where \u003ccode\u003ehh.exe\u003c/code\u003e is the parent process of scripting interpreters.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to provide the necessary data for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eMonitor process execution chains for unknown processes originating from \u003ccode\u003ehh.exe\u003c/code\u003e, as mentioned in the investigation guide.\u003c/li\u003e\n\u003cli\u003eImplement email filtering and security awareness training to prevent users from opening malicious .chm files delivered via phishing.\u003c/li\u003e\n\u003cli\u003eBlock the execution of unsigned or untrusted executables in the environment to reduce the risk of malicious code execution.\u003c/li\u003e\n\u003cli\u003eUse endpoint detection and response (EDR) solutions like Elastic Defend, CrowdStrike, Microsoft Defender XDR, and SentinelOne to detect and respond to malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:30:00Z","date_published":"2024-01-03T18:30:00Z","id":"/briefs/2024-01-compiled-html-execution/","summary":"Adversaries may conceal malicious code in compiled HTML files (.chm) and deliver them to a victim for execution, using the HTML Help executable (hh.exe) to proxy the execution of scripting interpreters and bypass security controls.","title":"Process Activity via Compiled HTML File Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-compiled-html-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","proxy-execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne"],"content_html":"\u003cp\u003eInstallUtil.exe is a legitimate Windows utility used for installing and uninstalling server resources. Adversaries abuse InstallUtil.exe to execute malicious code under the guise of legitimate processes, often to evade detection. This technique allows attackers to proxy execution through a trusted system binary, potentially bypassing application control and security monitoring. The detection rule identifies suspicious network activity by monitoring InstallUtil.exe\u0026rsquo;s outbound connections, flagging potential misuse by alerting on the initial network connection attempt. This activity is detected via the Elastic EQL rule \u0026ldquo;InstallUtil Process Making Network Connections.\u0026rdquo;\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access through an undisclosed method.\u003c/li\u003e\n\u003cli\u003eThe attacker uses InstallUtil.exe to execute a malicious .NET assembly.\u003c/li\u003e\n\u003cli\u003eInstallUtil.exe loads the malicious assembly into its process.\u003c/li\u003e\n\u003cli\u003eThe malicious assembly executes code that establishes an outbound network connection.\u003c/li\u003e\n\u003cli\u003eThe connection is used for command and control (C2) or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the C2 channel to download and execute further payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data theft or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution within the context of a trusted Windows process (InstallUtil.exe), bypassing application control and potentially evading detection. This could result in a compromised system, data exfiltration, or further malicious activities within the network. The scope of impact depends on the attacker\u0026rsquo;s objectives and the level of access gained, potentially affecting entire organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging and network connection logging via Sysmon or Elastic Defend to provide the data needed for the rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;InstallUtil Network Connection\u0026rdquo; to your SIEM and tune for your environment to detect suspicious outbound network connections from InstallUtil.exe.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule by examining the parent process of InstallUtil.exe, destination IP addresses, and associated activities.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring and alerting for unusual outbound connections from critical systems to enhance detection of similar threats in the future.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:15:00Z","date_published":"2024-01-03T18:15:00Z","id":"/briefs/2024-01-installutil-network-connection/","summary":"Detection of InstallUtil.exe making outbound network connections, which can indicate adversaries leveraging it to execute code and evade detection by proxying execution through a trusted system binary.","title":"InstallUtil Process Making Network Connections for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-installutil-network-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","proxy-execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers frequently abuse trusted Windows system binaries and developer utilities to proxy the execution of malicious payloads, effectively bypassing security controls that would otherwise prevent direct execution. This technique, known as \u0026ldquo;System Binary Proxy Execution,\u0026rdquo; allows adversaries to masquerade their activities and blend in with legitimate system processes. This detection identifies network activity from system applications such as \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003eregsvr32.exe\u003c/code\u003e, and \u003ccode\u003einstallutil.exe\u003c/code\u003e that are not expected to initiate network connections under normal circumstances. The original rule was created in September 2020, and updated in May 2026. The scope of targeting includes any Windows environment where adversaries might attempt to evade detection by proxying malicious activity through trusted system binaries.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, often through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious payload onto the system, potentially obfuscated to avoid detection.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a trusted system binary, such as \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003eregsvr32.exe\u003c/code\u003e, or \u003ccode\u003einstallutil.exe\u003c/code\u003e to execute the payload.\u003c/li\u003e\n\u003cli\u003eThe system binary initiates a network connection, potentially to a command-and-control (C2) server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the C2 channel to download additional tools or exfiltrate data.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft, ransomware deployment, or system disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a variety of negative impacts, including data breaches, system compromise, and potential financial losses. The technique is often employed in targeted attacks and can be difficult to detect due to the use of legitimate system binaries. If successful, attackers can maintain persistence, escalate privileges, and move laterally within the network, leading to widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation (Event ID 1) and network connection (Event ID 3) logging to provide the necessary data for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect unusual network activity from Windows system binaries.\u003c/li\u003e\n\u003cli\u003eRegularly review and update the list of known benign network connections from these binaries to reduce false positives.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of untrusted applications.\u003c/li\u003e\n\u003cli\u003eMonitor DNS queries (Sysmon Event ID 22) for suspicious domain resolutions originating from system binaries.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-unusual-network-activity-windows/","summary":"Detection of network connections initiated by unusual Windows system binaries, often leveraged by adversaries to proxy execution of malicious code and evade detection, indicating potential defense evasion and command and control activity.","title":"Unusual Network Activity from Windows System Binaries","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-network-activity-windows/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","proxy-execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Crowdstrike","Microsoft","SentinelOne"],"content_html":"\u003cp\u003eAttackers are leveraging the Console Window Host (conhost.exe) to proxy execution of commands, using the \u003ccode\u003e--headless\u003c/code\u003e argument to hide malicious activity. This technique allows adversaries to blend in with legitimate Windows processes, making detection more challenging. This behavior, often associated with defense evasion, involves using conhost.exe to execute commands such as PowerShell, cmd.exe, mshta, curl, and scripts. The activity can be seen across multiple environments including endpoints, Windows systems, and cloud platforms like Microsoft Defender XDR and SentinelOne. Defenders must differentiate between legitimate uses of conhost.exe, such as those by Winget-AutoUpdate or OpenSSH, and malicious proxy executions, which could indicate broader compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a command that calls conhost.exe with the \u003ccode\u003e--headless\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eConhost.exe is used to proxy the execution of a malicious command, such as PowerShell, cmd.exe, or mshta.\u003c/li\u003e\n\u003cli\u003eThe proxied command downloads a malicious payload from a remote server using tools like curl or bitsadmin.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is executed, establishing persistence on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to move laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003cli\u003eSensitive data is exfiltrated from the network to a remote server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as deploying ransomware or stealing intellectual property.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a complete compromise of the targeted system and potentially the entire network. This can result in data theft, financial loss, and reputational damage. The use of \u003ccode\u003econhost.exe\u003c/code\u003e for proxy execution makes it difficult to detect malicious activity, potentially allowing attackers to remain undetected for extended periods. The impact could range from individual workstation compromises to large-scale network breaches, affecting potentially hundreds or thousands of systems within an organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Proxy Execution via Console Window Host\u0026rdquo; Sigma rule to your SIEM and tune for your environment to detect suspicious \u003ccode\u003econhost.exe\u003c/code\u003e activity.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003econhost.exe\u003c/code\u003e with the \u003ccode\u003e--headless\u003c/code\u003e argument, focusing on the command-line arguments to identify potentially malicious commands.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003econhost.exe\u003c/code\u003e executing suspicious scripts, downloaders, or task scheduler modifications to identify potential threats.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture detailed process execution information, as recommended in the setup instructions linked in the overview.\u003c/li\u003e\n\u003cli\u003eReview the investigation fields in the brief to understand the key data points for analyzing potential proxy execution attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-conhost-proxy-exec/","summary":"Adversaries abuse the Console Window Host (conhost.exe) with the `--headless` argument to proxy execution of malicious commands, evading detection by blending in with legitimate Windows software.","title":"Conhost Proxy Execution for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-conhost-proxy-exec/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","proxy-execution","openssh","application-control-bypass"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies attempts to execute commands through a proxy using the Windows OpenSSH client (ssh.exe or sftp.exe). Attackers may abuse this behavior to evade application control policies by leveraging the trusted Windows OpenSSH binaries. The technique involves using the \u003ccode\u003eProxyCommand\u003c/code\u003e or \u003ccode\u003eLocalCommand\u003c/code\u003e options with the OpenSSH client to execute arbitrary commands on the target system. The rule focuses on detecting command lines containing potentially malicious commands such as PowerShell, schtasks, mshta, msiexec, cmd, or script execution, indicating a possible attempt to bypass security measures. The detection logic is applicable to Windows systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the Windows OpenSSH client (ssh.exe or sftp.exe) with either the \u003ccode\u003eProxyCommand\u003c/code\u003e or \u003ccode\u003eLocalCommand\u003c/code\u003e option.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eProxyCommand\u003c/code\u003e or \u003ccode\u003eLocalCommand\u003c/code\u003e parameter specifies a command to be executed locally on the system.\u003c/li\u003e\n\u003cli\u003eThe command includes potentially malicious payloads such as PowerShell commands, scheduled tasks manipulation (schtasks), or execution of other LOLBINs (Living Off the Land Binaries) like mshta or msiexec.\u003c/li\u003e\n\u003cli\u003eThe OpenSSH client executes the specified command.\u003c/li\u003e\n\u003cli\u003eThe malicious command performs actions such as downloading and executing additional payloads, creating scheduled tasks for persistence, or executing arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objectives, such as gaining further access to the system, escalating privileges, or deploying malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a complete compromise of the affected system. Attackers can bypass application control mechanisms, execute arbitrary code, and establish persistence. This can result in data theft, system disruption, or further propagation of the attack within the network. The severity of the impact depends on the privileges of the account running the OpenSSH client and the specific actions performed by the malicious commands.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line details to capture the execution of ssh.exe and sftp.exe with malicious parameters.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eProxy Execution via Windows OpenSSH\u003c/code\u003e to your SIEM to detect suspicious OpenSSH client executions with malicious commands in the command line.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation of child processes from ssh.exe or sftp.exe, as this can indicate the execution of malicious commands specified in the \u003ccode\u003eProxyCommand\u003c/code\u003e or \u003ccode\u003eLocalCommand\u003c/code\u003e options.\u003c/li\u003e\n\u003cli\u003eReview and restrict the usage of \u003ccode\u003ePermitLocalCommand\u003c/code\u003e in OpenSSH server configurations to prevent attackers from executing commands locally on the system after a connection is established.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:22:00Z","date_published":"2024-01-03T14:22:00Z","id":"/briefs/2024-01-openssh-proxy-execution/","summary":"Detection of command execution via proxy using the Windows OpenSSH client (ssh.exe or sftp.exe) to bypass application control using trusted Windows binaries.","title":"Proxy Execution via Windows OpenSSH Client","url":"https://feed.craftedsignal.io/briefs/2024-01-openssh-proxy-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MSBuild"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","msbuild","proxy-execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Microsoft Build Engine (MSBuild) is a software build platform typically used by developers. However, attackers can abuse MSBuild to execute malicious code by using it as a proxy execution method, allowing them to bypass traditional defenses. This technique involves invoking MSBuild from scripting environments like PowerShell or cmd.exe to run arbitrary code within the context of a trusted process. The activity detected by this rule focuses on instances where MSBuild is launched by a script interpreter, which is not typical for standard software development workflows. This behavior, observed since at least 2020, can be used for stealthy execution of payloads and defense evasion tactics, especially in environments that trust MSBuild as a legitimate system utility. Defenders should be aware of this technique as it allows attackers to blend in with normal system activity and bypass application control policies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system, potentially through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eA script (e.g., PowerShell, cmd.exe) is used to execute a malicious command or series of commands.\u003c/li\u003e\n\u003cli\u003eThe script invokes \u003ccode\u003emsbuild.exe\u003c/code\u003e with specific arguments to execute arbitrary code. This might involve inline tasks or references to external XML project files containing malicious instructions.\u003c/li\u003e\n\u003cli\u003eMSBuild processes the provided XML file or inline task, interpreting and executing the malicious code.\u003c/li\u003e\n\u003cli\u003eThe executed code performs actions such as downloading additional payloads, modifying system configurations, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eMSBuild, acting as a proxy, executes the attacker\u0026rsquo;s code within a trusted process, potentially evading detection by security software.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised system to move laterally within the network, escalating privileges, and accessing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s final objective is achieved, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on Windows systems, potentially leading to data theft, system compromise, and further propagation within the network. This technique can bypass application control and other security measures, making it difficult to detect and prevent. The impact can range from minor data breaches to complete system takeover, depending on the attacker\u0026rsquo;s objectives and the compromised system\u0026rsquo;s role within the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the process tree and command-line arguments, enabling detection of suspicious MSBuild executions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMicrosoft Build Engine Started by a Script Process\u003c/code\u003e to your SIEM to identify instances of MSBuild being invoked by script interpreters. Tune the rule with appropriate whitelisting for known development activities to reduce false positives.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for \u003ccode\u003emsbuild.exe\u003c/code\u003e with parent processes such as \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, and \u003ccode\u003emshta.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of MSBuild to authorized users and directories.\u003c/li\u003e\n\u003cli\u003eRegularly review and update the list of excluded processes and directories in the Sigma rule to adapt to changing development practices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-msbuild-script-execution/","summary":"Adversaries may use MSBuild, a legitimate Microsoft tool, to execute malicious code through script interpreters for defense evasion and execution on Windows systems.","title":"Suspicious MSBuild Execution from Scripting Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-msbuild-script-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","proxy-execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne"],"content_html":"\u003cp\u003eAttackers frequently exploit built-in system utilities to bypass security measures and execute malicious code. This technique, known as \u0026ldquo;Living off the Land,\u0026rdquo; allows them to blend in with legitimate system activity, making detection more challenging. This threat brief focuses on identifying unusual network connections originating from Windows system utilities that are not typically associated with network communication. This behavior is often indicative of an attacker leveraging these tools for purposes such as downloading payloads, establishing command and control, or exfiltrating data. The utilities of concern include: Microsoft.Workflow.Compiler.exe, bginfo.exe, cdb.exe, cmstp.exe, csi.exe, dnx.exe, fsi.exe, ieexec.exe, iexpress.exe, odbcconf.exe, rcsi.exe and xwizard.exe. Defenders should monitor for network activity from these processes to identify potential malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through methods such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a system utility such as \u003ccode\u003ecmstp.exe\u003c/code\u003e to execute malicious code.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ecmstp.exe\u003c/code\u003e is invoked with a malicious INF file, leading to the execution of arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe executed code initiates a network connection to an external server.\u003c/li\u003e\n\u003cli\u003eThe connection is used to download a secondary payload, such as a reverse shell or malware.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the downloaded payload to establish a persistent presence on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data from compromised systems to a remote server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to a compromised system with unauthorized code execution, data exfiltration, and potential lateral movement within the network. Due to the low severity and the high probability of false positives, this rule should be tuned for specific environments and paired with other detection mechanisms. This may lead to data breaches, financial loss, or reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rules provided in this brief to detect unusual network connections from system utilities within your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for the utilities listed in the rule query to identify potential abuse of these tools.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection) logging for enhanced visibility into process execution and network activity.\u003c/li\u003e\n\u003cli\u003eCorrelate detections from this rule with other security alerts and logs to gain a more complete understanding of the attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-unusual-process-network/","summary":"Adversaries may leverage unusual system utilities such as Microsoft.Workflow.Compiler.exe, bginfo.exe, cdb.exe, cmstp.exe, csi.exe, dnx.exe, fsi.exe, ieexec.exe, iexpress.exe, odbcconf.exe, rcsi.exe and xwizard.exe to execute code and evade detection, as identified by network connections originating from these processes.","title":"Unusual System Utilities Initiating Network Connections","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-process-network/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","msbuild","proxy-execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe Microsoft Build Engine (MSBuild) is a legitimate tool used by developers to build applications. However, adversaries are known to abuse MSBuild to execute malicious code, leveraging its trusted status to bypass security measures. This technique allows attackers to perform various actions on compromised systems while blending in with legitimate system activity. The observed behavior involves MSBuild being started by system processes like Explorer (explorer.exe) or Windows Management Instrumentation (WMI, wmiprvse.exe). Defenders should be aware of this unusual activity as it signifies a potential defense evasion tactic and unauthorized code execution within the targeted environment. This activity has been observed across environments leveraging Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, CrowdStrike, and standard Windows event logging.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means (e.g., phishing, exploitation of vulnerabilities).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a script or payload that invokes MSBuild.exe.\u003c/li\u003e\n\u003cli\u003eThe script or payload is executed by a system process like explorer.exe or wmiprvse.exe, which is highly unusual for typical MSBuild usage.\u003c/li\u003e\n\u003cli\u003eMSBuild.exe starts with specific command-line arguments that dictate the build process, often involving malicious code.\u003c/li\u003e\n\u003cli\u003eThe malicious code is embedded within an MSBuild project file (.csproj or similar).\u003c/li\u003e\n\u003cli\u003eMSBuild.exe executes the malicious code as part of the build process.\u003c/li\u003e\n\u003cli\u003eThe executed code performs actions such as downloading additional payloads, modifying system configurations, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as gaining remote access, exfiltrating data, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a variety of negative outcomes, including unauthorized code execution, system compromise, data theft, and potentially complete system takeover. The use of MSBuild as a proxy execution method allows attackers to evade traditional security controls and blend in with legitimate system activities. This can result in delayed detection and increased dwell time, amplifying the potential damage. Since MSBuild is a trusted Microsoft utility, its abuse can make malicious activity harder to identify and respond to.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Microsoft Build Engine Started by a System Process\u0026rdquo; to your SIEM to detect instances of MSBuild.exe being launched by explorer.exe or wmiprvse.exe (see rules section).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture the full context of MSBuild.exe executions (reference setup instructions in the source URL).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of MSBuild.exe started by explorer.exe or wmiprvse.exe to determine if they are legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for MSBuild.exe and related processes to detect similar activities in the future, ensuring alerts are configured for rapid response.\u003c/li\u003e\n\u003cli\u003eReview and whitelist any legitimate scripts or administrative tools that leverage MSBuild for authorized tasks to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-msbuild-system-process/","summary":"Adversaries are leveraging MSBuild, a Microsoft Build Engine, to execute malicious code by initiating it from system processes such as Explorer or WMI to evade defenses and execute unauthorized actions.","title":"MSBuild Started by System Process for Defense Evasion and Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-msbuild-system-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["proxy-execution","net-utility","defense-evasion","execution","signed-binary-proxy-execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief addresses the abuse of trusted Microsoft .NET binaries as proxies for malicious code execution. Attackers leverage script-based execution (e.g., PowerShell, VBScript, batch files) from atypical or user-writable directories to launch .NET utilities like aspnet_compiler.exe, msbuild.exe, regasm.exe, InstallUtil.exe, and vbc.exe. This method allows threat actors to bypass security controls and blend in with legitimate system activity. Observed activity occurs in environments where endpoint detection and response (EDR) agents are deployed. The lack of command-line variation between the utility\u0026rsquo;s image path and its executed process reinforces the suspicion of proxy execution. This technique has been associated with malware campaigns, including the deployment of VIP Keylogger.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (potentially through phishing or exploiting a software vulnerability, although this source does not specify the entry vector).\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious script (e.g., a PowerShell script) into a user-writable directory such as C:\\Users\\Public\\ or C:\\Temp\\.\u003c/li\u003e\n\u003cli\u003eThe malicious script executes, and is often obfuscated to evade detection, from the non-standard location.\u003c/li\u003e\n\u003cli\u003eThe script then calls a legitimate .NET utility (e.g., InstallUtil.exe) to execute malicious code.\u003c/li\u003e\n\u003cli\u003eThe .NET utility executes with minimal command-line arguments, often just the executable path itself, to further blend in with legitimate activity.\u003c/li\u003e\n\u003cli\u003eThe .NET utility loads and executes attacker-controlled code, bypassing application control policies.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs actions such as keylogging (as seen with VIP Keylogger), credential theft, or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation enables attackers to bypass application control and execute arbitrary code, potentially leading to data theft, system compromise, and persistent access. While the number of victims and specific sectors are not detailed in this brief\u0026rsquo;s source, the use of VIP Keylogger as a payload demonstrates the potential for sensitive data exfiltration. Organizations lacking robust endpoint detection capabilities are at significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect .NET Utility Execution from Unusual Script Parents\u0026rdquo; to identify potential proxy execution attempts based on process relationships and file paths (rule provided below).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of .NET utilities (aspnet_compiler.exe, msbuild.exe, regasm.exe, InstallUtil.exe, vbc.exe) being launched from user-writable directories, especially when the parent process is a script interpreter (batch, CMD, PowerShell, JScript, VBScript, HTML).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events (Sysmon EventID 1 or Windows Event Log Security 4688) for unusual parent-child process relationships involving script interpreters and .NET utilities.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of .NET utilities from untrusted locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-proxy-execution-net-utilities/","summary":"Detects the execution of .NET utilities by script processes from unusual locations, indicative of signed binary proxy execution for defense evasion and code execution.","title":"Windows Proxy Execution of .NET Utilities via Scripts","url":"https://feed.craftedsignal.io/briefs/2024-01-03-proxy-execution-net-utilities/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","proxy-execution","rundll32"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies instances where \u003ccode\u003erundll32.exe\u003c/code\u003e is executed without arguments or with malformed arguments, immediately followed by the execution of a child process. This behavior is atypical, as \u003ccode\u003erundll32.exe\u003c/code\u003e is normally invoked with specific parameters indicating a DLL, export, or Control_RunDLL target. Attackers may exploit this by using \u003ccode\u003erundll32.exe\u003c/code\u003e as a proxy to execute other malicious payloads or for command and control. The detection logic focuses on identifying instances where the argument count is one and the command line does not conform to expected patterns. This behavior has been observed being used by malware to evade traditional detection methods by proxying execution through a trusted Windows utility. This rule is applicable to endpoint telemetry, Windows event logs, and Crowdstrike FDR data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn initial access vector, such as a phishing email or exploit, delivers an initial payload to the system.\u003c/li\u003e\n\u003cli\u003eThe initial payload executes, potentially dropping or creating a file on disk, or directly invoking rundll32.exe.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003erundll32.exe\u003c/code\u003e is executed without arguments, or with malformed arguments, bypassing typical usage patterns. This is the key indicator the rule detects.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003erundll32.exe\u003c/code\u003e spawns a child process, which could be a script interpreter (e.g., \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e), another executable, or a network utility.\u003c/li\u003e\n\u003cli\u003eThe child process executes malicious code, downloads additional payloads, or establishes a command and control connection.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the child process for lateral movement or privilege escalation within the network.\u003c/li\u003e\n\u003cli\u003eThe final objective could include data exfiltration, ransomware deployment, or persistent access to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe adversary uses \u003ccode\u003erundll32.exe\u003c/code\u003e to hide the execution of the malicious process and blend into normal system activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to gain control of the affected system. This can result in data breaches, system compromise, and potential lateral movement within the network. The use of a trusted system binary like \u003ccode\u003erundll32.exe\u003c/code\u003e makes detection more challenging. It affects Windows systems and can be used in targeted attacks as well as widespread campaigns. Organizations failing to detect this behavior are at risk of significant data loss and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eUnusual RunDLL32 Child Process\u003c/code\u003e to your SIEM and tune for your environment to detect the execution of \u003ccode\u003erundll32.exe\u003c/code\u003e without arguments, followed by a child process.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to collect the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule to determine the legitimacy of the \u003ccode\u003erundll32.exe\u003c/code\u003e execution and the spawned child process.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted executables in your environment, mitigating the impact of this technique.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for unusual parent-child relationships involving \u003ccode\u003erundll32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-rundll32-no-args/","summary":"The execution of `rundll32.exe` without arguments, followed by a child process execution, indicates potential abuse of Rundll32 for proxy execution or payload handoff, often employed for defense evasion on Windows systems.","title":"Unusual Child Processes of RunDLL32 Execution Without Arguments","url":"https://feed.craftedsignal.io/briefs/2024-01-rundll32-no-args/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","proxy-execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection rule identifies unusual instances of Control Panel being executed with suspicious keywords or paths in the process command line. Control Panel (control.exe) is a legitimate Windows utility, but adversaries may abuse it to proxy execution of malicious code, effectively bypassing defense mechanisms. This technique involves launching control.exe with command-line arguments that point to malicious payloads or unusual file types, such as image files or INF files, or paths containing traversal sequences. The rule is designed to trigger when control.exe is launched with suspicious arguments like image files, INF files, paths containing traversal sequences, or paths in user-writable locations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn adversary gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe adversary stages a malicious payload on the system in a location such as \u003ccode\u003eAppData\\Local\u003c/code\u003e or \u003ccode\u003eUsers\\Public\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe adversary crafts a command line that uses \u003ccode\u003econtrol.exe\u003c/code\u003e to execute the malicious payload. The command line includes a suspicious path, such as \u003ccode\u003econtrol.exe evil.jpg\u003c/code\u003e or \u003ccode\u003econtrol.exe ..\\..\\..\\evil.dll\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003econtrol.exe\u003c/code\u003e process is executed with the malicious command line.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eControl.exe\u003c/code\u003e attempts to load the specified file.\u003c/li\u003e\n\u003cli\u003eIf the file is an executable or script, it is executed within the context of the \u003ccode\u003econtrol.exe\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs its intended actions (e.g., downloading additional payloads, establishing persistence, or exfiltrating data).\u003c/li\u003e\n\u003cli\u003eThe adversary achieves their objective, such as data theft or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing adversaries to install malware, steal sensitive data, or compromise the entire system. This can result in significant financial loss, reputational damage, and disruption of business operations. Because Control Panel is a signed Microsoft binary, abusing it can bypass application control policies.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Control Panel Process with Unusual Arguments\u0026rdquo; to your SIEM to detect suspicious \u003ccode\u003econtrol.exe\u003c/code\u003e command lines (rule).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the command-line arguments of \u003ccode\u003econtrol.exe\u003c/code\u003e (logsource).\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for instances of \u003ccode\u003econtrol.exe\u003c/code\u003e launching child processes (rule).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent process, command-line arguments, and any subsequent network connections (rule).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of \u003ccode\u003econtrol.exe\u003c/code\u003e from unusual locations (overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:00:00Z","date_published":"2024-01-02T15:00:00Z","id":"/briefs/2024-01-control-panel-abuse/","summary":"Adversaries may abuse control.exe to proxy execution of malicious code by using the Control Panel process to execute payloads from unusual locations, detected by identifying suspicious keywords or paths in the process command line.","title":"Control Panel Process with Unusual Arguments","url":"https://feed.craftedsignal.io/briefs/2024-01-control-panel-abuse/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","proxy-execution","msiexec"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eMsiexec.exe is the command-line utility for the Windows Installer, commonly used to execute installation packages (.msi). Attackers are known to abuse msiexec.exe to proxy the execution of arbitrary DLLs, a technique that helps bypass application control and evade detection. This approach leverages the trusted nature of msiexec.exe to execute malicious code, making it harder for security tools to identify and block the activity. The abuse of msiexec.exe has been observed in various attack campaigns, highlighting the need for defenders to monitor its usage closely.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, often through phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious DLL to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses msiexec.exe with the \u003ccode\u003e/Y\u003c/code\u003e flag to execute the malicious DLL. This flag is used to trigger DLL execution via msiexec.\u003c/li\u003e\n\u003cli\u003eMsiexec.exe loads and executes the malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL performs its intended actions, such as establishing persistence, escalating privileges, or deploying additional malware.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the proxy execution through msiexec.exe to evade detection by security tools monitoring process execution.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots to other systems or begins data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe ultimate objective is often data theft, system compromise, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on the targeted system, potentially leading to a full system compromise. This can result in data breaches, financial loss, and reputational damage. The technique is particularly effective at bypassing application control solutions, increasing the likelihood of a successful attack. While specific victim counts are unavailable, the widespread use of Windows Installer makes this a relevant threat across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Msiexec Execute Arbitrary DLL\u003c/code\u003e to your SIEM to detect the execution of msiexec.exe with the \u003ccode\u003e/Y\u003c/code\u003e flag, indicative of potential malicious DLL execution.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of msiexec.exe executing DLLs from unusual or temporary locations.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of msiexec.exe to authorized users and legitimate installation processes.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for msiexec.exe to identify suspicious command-line arguments and parent processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-msiexec-dll-execution/","summary":"Adversaries may abuse the msiexec.exe utility to proxy the execution of malicious DLL payloads, bypassing application control and other defenses.","title":"Msiexec Arbitrary DLL Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-msiexec-dll-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Proxy-Execution","version":"https://jsonfeed.org/version/1.1"}