{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/apple/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["CUPS"],"_cs_severities":["high"],"_cs_tags":["cups","privilege-escalation","linux","macos"],"_cs_type":"advisory","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eA vulnerability exists within the Common Unix Printing System (CUPS), a widely used printing system on Linux and macOS. A local attacker can leverage this flaw to execute arbitrary code with elevated, administrator-level privileges. While the specific details of the vulnerability are not provided in this brief, successful exploitation would grant the attacker full control over the affected system. Apple is the primary maintainer of CUPS. Defenders should focus on identifying and mitigating potential exploitation attempts by monitoring for suspicious CUPS-related processes and file modifications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial local access to the target system through legitimate means or by exploiting a separate vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the vulnerable CUPS service running on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload designed to exploit the CUPS vulnerability. This payload could be a specially crafted print job or a manipulated configuration file.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malicious payload, triggering the vulnerability in CUPS.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, CUPS executes the attacker\u0026rsquo;s code with administrator privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the elevated privileges to install persistent backdoors, modify system configurations, or escalate privileges further.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network or exfiltrates sensitive data.\u003c/li\u003e\n\u003cli\u003eThe final objective is complete system compromise, data theft, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this CUPS vulnerability allows a local attacker to gain complete control over the affected system. This could lead to data theft, system disruption, or the installation of persistent backdoors. The widespread use of CUPS in Linux and macOS environments makes this a significant threat. If successfully exploited, attackers can achieve complete system compromise and potentially move laterally within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for suspicious CUPS processes being spawned by unusual parent processes using the \u003ccode\u003eCUPS Spawning Suspicious Processes\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eInspect CUPS configuration files for unauthorized modifications using the \u003ccode\u003eCUPS Configuration File Modification\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any unexplained privilege escalation events originating from the CUPS service.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T09:43:58Z","date_published":"2026-04-30T09:43:58Z","id":"/briefs/2026-04-cups-privesc/","summary":"A local attacker can exploit a vulnerability in CUPS to execute arbitrary program code with administrator privileges on Linux and macOS systems.","title":"CUPS Vulnerability Allows Local Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-04-cups-privesc/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Sysmon","Chrome","Edge","Firefox","Safari","Brave Browser","Opera Browser","Vivaldi Browser","WebView2"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","rmm","dns"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Mozilla","Apple","Brave","Opera","Vivaldi"],"content_html":"\u003cp\u003eThis detection identifies potentially malicious use of Remote Monitoring and Management (RMM) tools by detecting DNS queries to known RMM domains originating from processes that are not web browsers. Attackers frequently abuse legitimate RMM software for command and control, persistence, and lateral movement within compromised networks. This rule focuses on surfacing RMM clients, scripts, or other non-browser activity contacting these services, thereby increasing the likelihood of detecting unauthorized remote access or malicious activity. The rule aims to reduce false positives by excluding common browser processes and focusing on unusual network activity. The identified domains are associated with various RMM tools like TeamViewer, AnyDesk, and ScreenConnect. This detection is relevant for organizations concerned about insider threats, supply chain attacks, or general compromise leading to unauthorized remote access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker installs an unauthorized RMM tool (e.g., using a script or installer).\u003c/li\u003e\n\u003cli\u003eThe RMM tool initiates a DNS query to resolve its command and control domain (e.g., teamviewer.com).\u003c/li\u003e\n\u003cli\u003eThe system, now running the RMM agent, establishes a connection to the attacker-controlled RMM server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RMM tool to execute commands on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RMM tool for lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RMM tool to maintain persistence on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromise via unauthorized RMM tools can provide attackers with persistent remote access, enabling them to perform a range of malicious activities, including data theft, ransomware deployment, and further lateral movement within the network. Successful exploitation can lead to significant financial loss, reputational damage, and disruption of business operations. The number of affected systems can vary depending on the scope of the initial compromise and the attacker\u0026rsquo;s ability to move laterally.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRMM Domain DNS Queries from Non-Browser Processes\u003c/code\u003e to your SIEM and tune it to your environment, excluding legitimate non-browser processes that use RMM tools.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule, focusing on identifying the process making the DNS query and its parent process, as outlined in the rule\u0026rsquo;s description.\u003c/li\u003e\n\u003cli\u003eMonitor DNS query logs for queries to the RMM domains listed in the IOC table, and block them at the DNS resolver if unauthorized RMM use is confirmed.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 22 (DNS Query) logging to provide the necessary data for this detection, as recommended in the \u0026ldquo;Setup\u0026rdquo; section of the content.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-rmm-domain-dns/","summary":"Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from non-browser processes, potentially indicating unauthorized remote access or command and control activity.","title":"RMM Domain DNS Queries from Non-Browser Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-rmm-domain-dns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["credential-access","lsass","dll-injection","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","McAfee","SecMaker AB","HID Global","Apple","Citrix Systems","Dell","Hewlett-Packard Company","Symantec Corporation","National Instruments Corporation","DigitalPersona","Novell","Gemalto","EasyAntiCheat Oy","Entrust Datacard Corporation","AuriStor","LogMeIn","VMware","Nubeva Technologies Ltd","Micro Focus","Yubico AB","Secure Endpoints","Sophos","Morphisec Information Security","Entrust","F5 Networks","Bit4id","Thales DIS CPL USA","Micro Focus International plc","HYPR Corp","Intel","PGP Corporation","Parallels International GmbH","FrontRange Solutions Deutschland GmbH","SecureLink","Tidexa OU","Amazon Web Services","SentryBay Limited","Audinate Pty Ltd","CyberArk Software","NVIDIA","Trend Micro","Fortinet","Carbon Black"],"content_html":"\u003cp\u003eThe Local Security Authority Subsystem Service (LSASS) is a critical Windows component that manages security policies and user authentication. Attackers often target LSASS to dump credentials, using techniques like injecting malicious DLLs. This detection focuses on identifying instances where LSASS loads a DLL that is either unsigned or not signed by a trusted vendor. The rule excludes known legitimate signatures and file hashes to reduce false positives. This activity is a strong indicator of credential access attempts, potentially leading to further compromise of the system and network. The signatures identified in the rule contain well-known software vendors like Microsoft, McAfee and Citrix.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means (e.g., phishing, exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain sufficient access to interact with the LSASS process.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious DLL onto the system, often disguised as a legitimate file.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious DLL into the LSASS process using techniques like Reflective DLL Injection.\u003c/li\u003e\n\u003cli\u003eLSASS loads the injected DLL, granting the attacker access to sensitive credentials stored in memory.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL dumps credentials, such as plaintext passwords or NTLM hashes.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials for lateral movement to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to credential compromise, allowing attackers to move laterally within the network, access sensitive data, and potentially achieve complete domain dominance. This can result in data breaches, financial losses, and reputational damage. The impact depends on the level of access associated with the compromised credentials.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eLSASS Loading Untrusted DLL\u003c/code\u003e Sigma rule to your SIEM to detect suspicious DLLs loaded by LSASS.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule and review the loaded DLL\u0026rsquo;s code signature and hash.\u003c/li\u003e\n\u003cli\u003eBlock the identified SHA256 hashes listed in the IOC table to prevent the execution of known malicious DLLs.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to restrict which DLLs can be loaded into LSASS.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation and image load logging to provide the necessary data for detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-lsass-suspicious-dll/","summary":"Detection of LSASS loading an unsigned or untrusted DLL, which can indicate credential access attempts by malicious actors targeting sensitive information stored in the LSASS process.","title":"LSASS Loading Suspicious DLL","url":"https://feed.craftedsignal.io/briefs/2024-01-lsass-suspicious-dll/"}],"language":"en","title":"CraftedSignal Threat Feed — Apple","version":"https://jsonfeed.org/version/1.1"}