{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/security-solution-tampering/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Secure Endpoint","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["security-solution-tampering","endpoint","windows"],"_cs_type":"advisory","_cs_vendors":["Cisco","Splunk"],"content_html":"\u003cp\u003eThe System File Checker (sfc.exe) is a Windows utility used to scan and restore corrupted system files. However, it can also be abused to uninstall components of security software. This detection focuses on the use of \u003ccode\u003esfc.exe\u003c/code\u003e with the \u003ccode\u003e-u\u003c/code\u003e parameter, a legitimate parameter that can be misused to uninstall Cisco Secure Endpoint components. An attacker might leverage this command to remove or disable parts of the endpoint protection suite, creating an opportunity to deploy malware, exfiltrate data, or perform other malicious activities without immediate detection. This type of tampering aims to weaken defenses before a more significant attack. This activity is often part of a broader effort to disable security mechanisms to avoid detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the system is achieved through unspecified means (e.g., compromised credentials, software vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker gains elevated privileges on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003esfc.exe\u003c/code\u003e with the \u003ccode\u003e-u\u003c/code\u003e parameter to attempt to uninstall the Cisco Secure Endpoint Immunet service.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esfc.exe\u003c/code\u003e attempts to uninstall the specified Cisco Secure Endpoint component.\u003c/li\u003e\n\u003cli\u003eIf successful, the targeted component of Cisco Secure Endpoint is disabled or removed from the system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the weakened state of the endpoint security to deploy malware or perform other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data from the compromised system or network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack can lead to the complete removal or disabling of Cisco Secure Endpoint protection on a targeted system. This leaves the system vulnerable to malware infection, data exfiltration, and other malicious activities. The impact can range from individual system compromise to a widespread breach affecting numerous endpoints within an organization, leading to significant data loss and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Cisco Secure Endpoint Uninstall via SFC\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for instances of \u003ccode\u003esfc.exe\u003c/code\u003e being used with the \u003ccode\u003e-u\u003c/code\u003e parameter, as highlighted in the Sigma rule and the \u003ccode\u003esearch\u003c/code\u003e field in the provided source.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of this behavior to determine whether they are legitimate or malicious, per the \u003ccode\u003eknown_false_positives\u003c/code\u003e from the original source.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to limit the ability of users to execute system utilities like \u003ccode\u003esfc.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging; the rule above depends on it.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-cisco-secure-endpoint-uninstall/","summary":"The sfc.exe utility is used with the \"-u\" parameter to uninstall Cisco Secure Endpoint components, potentially disabling endpoint protection and facilitating further exploitation.","title":"Cisco Secure Endpoint Uninstallation via SFC Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-secure-endpoint-uninstall/"}],"language":"en","title":"CraftedSignal Threat Feed — Security-Solution-Tampering","version":"https://jsonfeed.org/version/1.1"}