{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sccm/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["System Center Configuration Manager"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","dll-hijacking","sccm"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may attempt to hijack Windows user sessions by exploiting Microsoft\u0026rsquo;s System Center Configuration Manager (SCCM). This involves loading malicious DLLs into \u003ccode\u003eSCNotification.exe\u003c/code\u003e, a process responsible for user notifications within the SCCM framework. The vulnerability arises when \u003ccode\u003eSCNotification.exe\u003c/code\u003e loads untrusted DLLs, potentially impersonating a user session. This activity is often characterized by recent DLL file creation or modification, coupled with the DLL lacking a trusted code signature. The references indicate this technique has been discussed publicly, raising awareness and the potential for increased exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system.\u003c/li\u003e\n\u003cli\u003eAttacker places a malicious DLL on the system. This DLL may be disguised to appear legitimate.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the system to cause \u003ccode\u003eSCNotification.exe\u003c/code\u003e to load the malicious DLL. This may involve modifying registry keys or file paths.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eSCNotification.exe\u003c/code\u003e loads the attacker-controlled DLL.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes within the context of the \u003ccode\u003eSCNotification.exe\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the hijacked process to impersonate a user session.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized access to user accounts and data.\u003c/li\u003e\n\u003cli\u003eAttacker performs malicious actions under the guise of the compromised user, such as data exfiltration or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to unauthorized access to sensitive data, privilege escalation, and further compromise of the network. Victims could experience data breaches, financial loss, or reputational damage. The impact depends on the extent of access gained by the attacker and the sensitivity of the data accessed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Windows Session Hijacking via CcmExec\u0026rdquo; to your SIEM to detect suspicious DLL loads by \u003ccode\u003eSCNotification.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts triggered by the Sigma rule, focusing on DLLs with recent file creation times or modifications (DLL timestamps) and untrusted signatures.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized DLLs from being loaded by \u003ccode\u003eSCNotification.exe\u003c/code\u003e as described in the remediation steps in the note section.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003eSCNotification.exe\u003c/code\u003e and related processes.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to enhance visibility into process execution events, which activates the Sigma rules above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T10:00:00Z","date_published":"2024-07-03T10:00:00Z","id":"/briefs/2024-07-sccm-dll-hijacking/","summary":"Adversaries may exploit Microsoft's System Center Configuration Manager by loading malicious DLLs into SCNotification.exe, a process associated with user notifications, potentially leading to Windows session hijacking.","title":"Potential Windows Session Hijacking via CcmExec","url":"https://feed.craftedsignal.io/briefs/2024-07-sccm-dll-hijacking/"}],"language":"en","title":"CraftedSignal Threat Feed — Sccm","version":"https://jsonfeed.org/version/1.1"}