{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/raccine/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["raccine","ransomware","defense-evasion","scheduled-task","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis brief covers detection of the deletion of the Raccine Rules Updater scheduled task, a step adversaries take when disabling Raccine, an open-source ransomware vaccine that intercepts and kills processes attempting to delete volume shadow copies (for example \u003ccode\u003evssadmin.exe\u003c/code\u003e and \u003ccode\u003ewmic.exe\u003c/code\u003e). The Rules Updater task only refreshes Raccine\u0026rsquo;s rule set on a schedule; removing it does not by itself remove the interception, which Raccine registers through Image File Execution Options debugger keys, but it is a reliable indicator that someone with administrative rights is dismantling the tool, and the same uninstall sequence also removes those registry keys. The deletion is typically performed with \u003ccode\u003eschtasks.exe /delete\u003c/code\u003e. Because the task is created by an administrative installer, deleting it requires local administrator rights, so an observed deletion also tells the defender that the adversary is already elevated. The detection relies on endpoint detection and response (EDR) or Sysmon process-creation telemetry and matches on the process name and command line. Defenders should prioritize alerts on this activity because it is typically one of the last actions before ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of the target system via unspecified means (e.g., phishing, exploitation of a public-facing application).\u003c/li\u003e\n\u003cli\u003eExecution of arbitrary commands on the compromised system and escalation to local administrator.\u003c/li\u003e\n\u003cli\u003eThe adversary may first run \u003ccode\u003eschtasks.exe /query\u003c/code\u003e to enumerate scheduled tasks and confirm that the Raccine Rules Updater task is present.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eschtasks.exe\u003c/code\u003e is run with the \u003ccode\u003e/delete\u003c/code\u003e parameter, typically as \u003ccode\u003eschtasks.exe /delete /tn \"Raccine Rules Updater\" /f\u003c/code\u003e, where \u003ccode\u003e/f\u003c/code\u003e suppresses the confirmation prompt.\u003c/li\u003e\n\u003cli\u003eThe operating system removes the scheduled task entry (recorded as Windows Security event 4699 when scheduled-task auditing is enabled).\u003c/li\u003e\n\u003cli\u003eThe adversary removes or disables Raccine\u0026rsquo;s remaining components and deploys ransomware.\u003c/li\u003e\n\u003cli\u003eRansomware deletes shadow copies and encrypts files on local and network shares.\u003c/li\u003e\n\u003cli\u003eA ransom note is dropped, demanding payment for decryption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDeletion of the Raccine scheduled task is an early, low-cost indicator of a ransomware operator dismantling host defenses. If the remaining steps of the attack chain succeed, the result is data encryption, system downtime, and financial loss from ransom payment or recovery effort. Severity depends on the extent of encryption and on the organization\u0026rsquo;s ability to restore from backups, which is exactly why shadow copies are targeted before encryption begins. Organizations without Raccine deployed are not affected by this specific indicator but remain exposed to ransomware; the same detection pattern applies to deletion of scheduled tasks belonging to any security tool.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the detection described in this brief (\u003ccode\u003eschtasks_raccine_deletion\u003c/code\u003e): an execution of \u003ccode\u003eschtasks.exe\u003c/code\u003e whose command line contains both \u003ccode\u003edelete\u003c/code\u003e and \u003ccode\u003eRaccine\u003c/code\u003e, matched case-insensitively. Match the binary on its PE \u003ccode\u003eOriginalFileName\u003c/code\u003e as well as its on-disk name so that a renamed copy is still caught.\u003c/li\u003e\n\u003cli\u003eEnable process-creation logging with full command lines (Sysmon Event ID 1, or Windows Security event 4688 with command-line auditing enabled) so the detection has the fields it needs.\u003c/li\u003e\n\u003cli\u003eAlso collect Windows Security event 4699 (scheduled task deleted). It catches deletions made through the Task Scheduler API or PowerShell\u0026rsquo;s \u003ccode\u003eUnregister-ScheduledTask\u003c/code\u003e, which never spawn \u003ccode\u003eschtasks.exe\u003c/code\u003e and so evade a command-line rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003eschtasks.exe\u003c/code\u003e deletion of a task belonging to a security tool, and treat \u003ccode\u003e/tn *\u003c/code\u003e, which deletes every task without naming any of them, with the same priority.\u003c/li\u003e\n\u003cli\u003eRestrict who can modify scheduled tasks and review task ACLs so that unauthorized modification requires elevated privileges.\u003c/li\u003e\n\u003cli\u003eMonitor the parent process of \u003ccode\u003eschtasks.exe\u003c/code\u003e: an interactive administrator shell or the Raccine uninstall script is expected; a script interpreter, a remote management agent, or a binary launched from a user-writable path is not.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-raccine-task-deletion/","summary":"Detection of adversaries deleting the Raccine Rules Updater scheduled task via `schtasks.exe` as part of disabling the ransomware vaccine, a precursor to data encryption and loss.","title":"Raccine Scheduled Task Deletion via Schtasks","url":"https://feed.craftedsignal.io/briefs/2024-01-raccine-task-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — Raccine","version":"https://jsonfeed.org/version/1.1"}
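As a worked illustration of the detection logic the brief describes (an added example, not code from CraftedSignal, Splunk or the Raccine project), the following Python applies the `schtasks.exe` deletion check to a handful of constructed Sysmon Event ID 1 style records. It goes a little beyond the brief: it recognises a renamed copy of `schtasks.exe` via `OriginalFileName`, ignores the installer's `/create` and the reconnaissance `/query`, and flags the wildcard `/tn *` deletion that removes Raccine's task without ever naming it. The sample events, the parent-process paths, the placeholder task action in the `/create` event and the secondary rule name `schtasks_wildcard_deletion` are assumptions made for the example.

```python
"""Detection of Raccine Rules Updater task deletion via schtasks.exe.

Runs over constructed Sysmon Event ID 1 style records (Image, OriginalFileName,
ParentImage, CommandLine). Nothing here is real telemetry.
"""
import re
from typing import Optional

# Constructed sample events (assumed field names follow Sysmon Event ID 1).
SAMPLE_EVENTS = [
    # 1. Textbook deletion from an interactive shell: alert.
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'schtasks.exe /delete /tn "Raccine Rules Updater" /f'},
    # 2. Dash-prefixed switches, mixed case, leading task-folder backslash: alert.
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'SCHTASKS -Delete -TN "\\Raccine Rules Updater" -F'},
    # 3. The installer creating the task (task action is a placeholder): no alert.
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'schtasks.exe /create /tn "Raccine Rules Updater" /tr "C:\\Tools\\updater.exe" /sc daily'},
    # 4. Reconnaissance (attack chain step 3): not an alert on its own.
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'schtasks.exe /query /tn "Raccine Rules Updater" /v'},
    # 5. Renamed copy run from a temp directory: OriginalFileName still matches.
    {"Image": r"C:\Windows\Temp\st.exe", "OriginalFileName": "schtasks.exe",
     "ParentImage": r"C:\Users\Public\stage2.exe",
     "CommandLine": 'st.exe /delete /tn "raccine rules updater" /f'},
    # 6. Wildcard deletion removes every task without naming Raccine: medium.
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "schtasks.exe /delete /tn * /f"},
    # 7. Unrelated process that merely mentions the keywords: ignored.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c echo delete Raccine"},
]

# Quoted tokens stay whole so a task name with spaces is a single argument.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def schtasks_args(cmdline: str) -> dict:
    """Parse a schtasks command line into action / task name / force flag.

    schtasks switches are case-insensitive; both '/' and '-' prefixes are
    accepted here because matching both costs nothing and misses nothing.
    """
    tokens = _TOKEN.findall(cmdline)[1:]  # drop argv[0]
    args = {"action": None, "task_name": None, "force": False}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok[:1] in "/-":
            switch = tok[1:].lower()
            if switch in ("delete", "create", "query", "change", "run", "end"):
                args["action"] = switch
            elif switch == "tn" and i + 1 < len(tokens):
                args["task_name"] = tokens[i + 1].strip('"')
                i += 1  # consume the value
            elif switch == "f":
                args["force"] = True
        i += 1
    return args


def is_schtasks(event: dict) -> bool:
    """Match the PE OriginalFileName as well as the on-disk name so a renamed
    copy of schtasks.exe is still recognised."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    return "schtasks.exe" in (image, original)


def detect(event: dict) -> Optional[dict]:
    """Return an alert dict for a Raccine (or wildcard) task deletion, else None."""
    if not is_schtasks(event):
        return None
    args = schtasks_args(event.get("CommandLine", ""))
    if args["action"] != "delete" or not args["task_name"]:
        return None
    name = args["task_name"].lstrip("\\")  # '\Raccine ...' is the same task
    alert = {"task": name, "parent": event.get("ParentImage"),
             "forced": args["force"]}
    if "raccine" in name.lower():
        return {"rule": "schtasks_raccine_deletion", "severity": "high", **alert}
    if name == "*":
        # '/tn *' deletes every task, Raccine's included, without naming it.
        return {"rule": "schtasks_wildcard_deletion", "severity": "medium", **alert}
    return None


def run(events=SAMPLE_EVENTS) -> list:
    """Evaluate every event and return the alerts in input order."""
    return [hit for hit in (detect(e) for e in events) if hit]


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

The command-line rule has a blind spot the code cannot close: a deletion through the Task Scheduler API or `Unregister-ScheduledTask` never launches `schtasks.exe`, so Windows Security event 4699 remains the complementary source for those cases.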