{
  "description": "Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.",
  "feed_url": "https://feed.craftedsignal.io/tags/sysmon/",
  "home_page_url": "https://feed.craftedsignal.io/",
  "items": [
    {
      "_cs_actors": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_products": ["Windows", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"],
      "_cs_severities": ["high"],
      "_cs_tags": ["remote-image-load", "defense-evasion", "lateral-movement", "sysmon"],
      "_cs_type": "advisory",
      "_cs_vendors": ["Microsoft", "Splunk"],
      "content_html": "\u003cp\u003eThis detection focuses on identifying instances of remote image loading in Windows environments, a technique frequently employed by threat actors to execute malicious code, evade security measures, or move laterally within a network. By loading DLLs or other executable images from remote shares, attackers can bypass traditional endpoint security controls and maintain a persistent presence on compromised systems. This technique is particularly dangerous because the malicious payload remains hosted on a separate system, making detection and remediation more challenging. This activity is detected via Sysmon Event ID 7 logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system through various means, such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a process to inject code into, often a legitimate and trusted application.\u003c/li\u003e\n\u003cli\u003eThe attacker stages a malicious DLL or executable image on a remote share accessible from the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the target process to load the malicious image from the remote share using techniques like process injection or DLL hijacking.\u003c/li\u003e\n\u003cli\u003eThe compromised process executes the injected code, granting the attacker control within the context of that process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the injected code to perform various malicious activities, such as escalating privileges, stealing credentials, or deploying ransomware.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system as a foothold to move laterally to other systems within the network, repeating the process of remote image loading and code injection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful remote image loading attack can lead to complete compromise of the affected system and potentially the entire network. Attackers can steal sensitive data, disrupt business operations, and deploy ransomware, causing significant financial and reputational damage. The impact is amplified by the difficulty in detecting and tracing the source of the attack due to the remote hosting of the malicious payload. Organizations using vulnerable or unpatched systems are at a higher risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRemote Image Load from Uncommon Location\u003c/code\u003e to detect remote image loads from non-standard network paths (logsource: \u003ccode\u003eprocess_creation\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of remote image loading detected by the provided Sigma rules, focusing on the process and the source of the loaded image.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the exposure of sensitive systems to potential attack vectors and to restrict lateral movement.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 7 logging to capture image load events, providing the necessary data for the provided detection rules.\u003c/li\u003e\n\u003cli\u003eReview and filter the detections based on approved applications and known legitimate software updates as described in the false positives section.\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2024-01-08T12:00:00Z",
      "date_published": "2024-01-08T12:00:00Z",
      "id": "/briefs/2024-01-08-remote-image-load/",
      "summary": "This analytic detects instances where a process loads a file from a remote share path, potentially indicating execution, defense evasion, or lateral movement by attackers loading code from attacker-controlled infrastructure.",
      "title": "Detecting Windows Remote Image Loading for Malicious Activities",
      "url": "https://feed.craftedsignal.io/briefs/2024-01-08-remote-image-load/"
    },
    {
      "_cs_actors": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_products": ["AnyDesk", "Ammyy Admin", "AteraAgent", "BeyondTrust Remote Support", "FleetDeck", "GoToAssist", "GoToMyPC", "Kaseya Live Connect", "N-able", "NetSupport Client Application", "NinjaRMM", "Pulseway", "RemotePC", "Remote Utilities", "ScreenConnect", "SimpleHelp Remote", "Splashtop", "Tactical RMM Agentz", "Take Control Agent", "Zoho Assist", "NetSupport Remote Control", "NetSupport Manager", "Remote Access", "Remote Support", "Syncro", "TeamViewer", "ZohoMeeting", "rustdesk.exe", "tailscale"],
      "_cs_severities": ["medium"],
      "_cs_tags": ["rmm", "remote-access", "sysmon"],
      "_cs_type": "advisory",
      "_cs_vendors": ["AmidaWare", "Ammyy LLC", "AnyDesk Software", "ATERA Networks", "Bomgar", "FleetDeck", "GoTo", "IDrive Inc", "LogMeIn, Inc", "MMSOFT Design", "N-able", "NetSupport Ltd", "NinjaRMM", "Remote Utilities", "SimpleHelp", "Servably", "ScreenConnect", "Splashtop", "TeamViewer Germany", "ZOHO Corporation"],
      "content_html": "\u003cp\u003eThis brief focuses on detecting the execution of Remote Monitoring and Management (RMM) tools on Windows systems. RMM software, while legitimate for IT administration, can be abused by threat actors for unauthorized access and control. This detection leverages process creation events (Sysmon Event ID 1) and identifies processes associated with various RMM vendors and products. The detection aims to provide visibility into the usage of these tools, allowing security teams to differentiate between legitimate administrative activities and potentially malicious operations. This analysis is based on a detection rule published on GitHub, last updated in April 2026. Defenders should be aware of the potential for false positives due to legitimate RMM usage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: A threat actor gains initial access to a Windows system through various means, such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eRMM Tool Deployment: The attacker deploys an RMM tool onto the compromised system. This might involve downloading an executable or using existing administrative privileges to install the software.\u003c/li\u003e\n\u003cli\u003eProcess Creation: The RMM tool\u0026rsquo;s executable is launched, triggering a process creation event (Sysmon Event ID 1). For example, \u003ccode\u003eAnyDesk.exe\u003c/code\u003e or \u003ccode\u003eTeamViewer.exe\u003c/code\u003e starts.\u003c/li\u003e\n\u003cli\u003eRemote Access Established: The RMM tool establishes a remote connection to the attacker\u0026rsquo;s command and control (C2) server.\u003c/li\u003e\n\u003cli\u003eCredential Theft: The attacker leverages the RMM tool to gain elevated privileges or steal credentials.\u003c/li\u003e\n\u003cli\u003eLateral Movement: Using the compromised system and stolen credentials, the attacker moves laterally within the network.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: The attacker uses the RMM tool\u0026rsquo;s file transfer capabilities to exfiltrate sensitive data from the compromised network.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker configures the RMM tool to maintain persistent access to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via RMM tools can lead to significant damage, including data breaches, financial loss, and reputational damage. Threat actors can use these tools to remotely control systems, steal sensitive information, and deploy ransomware. The impact can range from individual system compromise to enterprise-wide breaches affecting thousands of systems. Organizations in various sectors are vulnerable, especially those with weak endpoint security and inadequate monitoring of RMM tool usage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture process execution events, which is crucial for triggering the detections.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Windows RMM Tool Execution\u0026rdquo; detection rule to your SIEM and tune it for your environment to reduce false positives, referencing the search query provided in the content.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026ldquo;Windows RMM Tool Execution\u0026rdquo; detection rule, prioritizing alerts involving unusual user accounts or systems.\u003c/li\u003e\n\u003cli\u003eImplement a process whitelisting policy to restrict the execution of unauthorized RMM tools and software.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from processes identified in the detection rule to identify potential command and control activity.\u003c/li\u003e\n\u003cli\u003eReview the references provided in the content, specifically the CISA advisory (\u003ca href=\"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a\"\u003ehttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a\u003c/a\u003e), for additional mitigation strategies.\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2024-01-03T12:00:00Z",
      "date_published": "2024-01-03T12:00:00Z",
      "id": "/briefs/2024-01-rmm-tool-execution/",
      "summary": "Detects process creation events indicative of remote management tools, potentially signifying legitimate use or malicious exploitation by threat actors abusing RMM software.",
      "title": "Detection of Windows RMM Tool Execution",
      "url": "https://feed.craftedsignal.io/briefs/2024-01-rmm-tool-execution/"
    }
  ],
  "language": "en",
  "title": "CraftedSignal Threat Feed — Sysmon",
  "version": "https://jsonfeed.org/version/1.1"
}