{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/rollback/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2024-44193"}],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","rollback","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of a specific technique used in privilege escalation attacks on Windows systems. An attacker attempts to delete a rollback script (.rbs) file located in the \u003ccode\u003eC:\\Config.Msi\u003c/code\u003e directory using a process other than \u003ccode\u003emsiexec.exe\u003c/code\u003e. This is a critical step in exploiting the CVE-2024-44193 vulnerability, which allows an attacker to manipulate the Windows Installer service to execute arbitrary code with SYSTEM privileges. The \u003ccode\u003eC:\\Config.Msi\u003c/code\u003e directory is normally protected with a strong DACL to prevent tampering, but if an attacker can bypass these protections and delete the rollback script, they can gain SYSTEM-level code execution during a rollback operation. This detection is relevant for organizations using Windows operating systems and relies on monitoring file deletion events.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, potentially through phishing or exploiting another vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a vulnerable MSI installation process or creates their own malicious MSI package.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers an MSI installation that creates a rollback script (.rbs) file in the \u003ccode\u003eC:\\Config.Msi\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to delete the .rbs file using a non-\u003ccode\u003emsiexec.exe\u003c/code\u003e process, such as \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e, bypassing standard installation procedures.\u003c/li\u003e\n\u003cli\u003eIf the deletion is successful, the attacker triggers a rollback of the MSI installation.\u003c/li\u003e\n\u003cli\u003eDuring the rollback, the Windows Installer service attempts to execute the now-missing rollback script.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the missing rollback script to inject and execute arbitrary code with SYSTEM privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves privilege escalation, gaining SYSTEM-level control over the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful MSI rollback privilege escalation attack can lead to complete system compromise. An attacker gaining SYSTEM privileges can install malware, steal sensitive data, create new administrative accounts, or disrupt critical services. Given that MSI installers are commonly used to deploy software across Windows environments, this vulnerability has a broad impact across various sectors. If left undetected, this attack can lead to widespread damage, significant data breaches, and long-term operational disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon EventID 23 (File Delete) logging to capture the necessary file deletion events in \u003ccode\u003eC:\\Config.Msi\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect MSI Rollback Script Deletion\u003c/code\u003e to identify unauthorized deletions of .rbs files, and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, prioritizing those where the deleting process is unusual or untrusted.\u003c/li\u003e\n\u003cli\u003eReview and harden the DACLs on the \u003ccode\u003eC:\\Config.Msi\u003c/code\u003e directory to prevent unauthorized file deletions.\u003c/li\u003e\n\u003cli\u003eMonitor for exploitation of CVE-2024-44193 as referenced in the references section, and apply appropriate patches if available from Microsoft.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-msi-rollback-delete/","summary":"Detection of a rollback script (.rbs) file deletion under C:\\Config.Msi by a non-msiexec.exe process, indicating a potential MSI rollback privilege escalation attack.","title":"Windows MSI Rollback Script Deletion by Non-Msiexec Process","url":"https://feed.craftedsignal.io/briefs/2024-01-msi-rollback-delete/"}],"language":"en","title":"CraftedSignal Threat Feed — Rollback","version":"https://jsonfeed.org/version/1.1"}