<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Bitdefender — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/bitdefender/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 04 May 2026 14:17:05 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/bitdefender/feed.xml" rel="self" type="application/rss+xml"/><item><title>Potential Evasion via Windows Filtering Platform Blocking Security Software</title><link>https://feed.craftedsignal.io/briefs/2026-05-wfp-evasion/</link><pubDate>Mon, 04 May 2026 14:17:05 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-wfp-evasion/</guid><description>Adversaries may add malicious Windows Filtering Platform (WFP) rules to prevent endpoint security solutions from sending telemetry data, impairing defenses, which this rule detects by identifying multiple WFP block events where the process name is associated with endpoint security software.</description><content:encoded><![CDATA[<p>The Windows Filtering Platform (WFP) provides APIs and system services for network filtering and packet processing. Attackers can abuse WFP by creating malicious rules to block endpoint security processes, hindering their ability to send telemetry. This can be achieved by tools like Shutter, EDRSilencer, and Nighthawk. This detection rule identifies patterns of blocked network events linked to security software processes, signaling potential evasion tactics. 
The rule specifically looks for blocked network events linked to processes associated with known security software, aiming to detect and alert on attempts to disable or modify security tools. This behavior is especially concerning as it allows attackers to operate with reduced visibility.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to the target system (e.g., via compromised credentials or exploiting a vulnerability).</li>
<li>The attacker escalates privileges to gain administrative rights, necessary to interact with the Windows Filtering Platform.</li>
<li>The attacker uses a tool or script (e.g., leveraging the <code>netsh</code> command or custom WFP API calls) to create a new WFP filter.</li>
<li>The WFP filter is configured to block network traffic originating from specific processes associated with endpoint security software (e.g., <code>elastic-agent.exe</code>, <code>sysmon.exe</code>).</li>
<li>The system begins blocking network communication from the targeted security software.</li>
<li>The attacker executes malicious commands or malware on the system, knowing that security telemetry will be suppressed.</li>
<li>The attacker moves laterally within the network, repeating the WFP filter deployment on other systems to further impair defenses.</li>
<li>The attacker achieves their final objective, such as data exfiltration or ransomware deployment, with reduced risk of detection.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack using WFP to impair defenses can lead to a significant reduction in the effectiveness of endpoint security solutions. This can result in delayed detection of malicious activities, increased dwell time for attackers, and ultimately, a higher likelihood of successful data breaches or ransomware attacks. With endpoint telemetry blocked, organizations may remain unaware of the ongoing compromise until significant damage has occurred. The number of affected systems can vary depending on the attacker&rsquo;s scope and objectives.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and review Windows Audit Filtering Platform Connection and Packet Drop events to populate the logs required for the provided EQL rule (<code>logs-system.security*</code>, <code>logs-windows.forwarded*</code>, <code>winlogbeat-*</code>).</li>
<li>Deploy the provided EQL rule to your SIEM to detect suspicious WFP modifications and tune for your environment.</li>
<li>Investigate any alerts generated by the EQL rule, focusing on identifying the specific processes being blocked and the source of the WFP rule modifications.</li>
<li>Regularly review and audit WFP rules to identify any unauthorized or suspicious entries.</li>
<li>Implement strict access controls and monitoring for systems authorized to modify WFP rules.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>defense-evasion</category><category>windows-filtering-platform</category><category>endpoint-security</category></item><item><title>Suspicious Registry Hive Access via RegBack</title><link>https://feed.craftedsignal.io/briefs/2024-07-regback-hive-access/</link><pubDate>Tue, 02 Jul 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-07-regback-hive-access/</guid><description>This rule detects attempts to access registry backup hives (SAM, SECURITY, SYSTEM) via RegBack on Windows systems, which can contain or enable access to credential material.</description><content:encoded><![CDATA[<p>This detection identifies suspicious attempts to access registry backup hives (SAM, SECURITY, and SYSTEM) located in the <code>RegBack</code> folder on Windows systems. These hives contain sensitive credential material, making them attractive targets for attackers seeking to compromise system security. The detection logic focuses on file access events, specifically successful file opens, while excluding known benign processes such as <code>taskhostw.exe</code> and various AV/EDR solutions (SophosScanCoordinator.exe, MsSense.exe, ccSvcHst.exe, etc.) to minimize false positives. The rule is designed to provide defenders with high-fidelity alerts when unauthorized access to these critical registry hives is detected. The scope includes any Windows system where endpoint file access logging is enabled.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to the system through various means.</li>
<li>The attacker attempts to access the <code>SAM</code>, <code>SECURITY</code>, or <code>SYSTEM</code> registry hives located in the <code>C:\Windows\System32\config\RegBack\</code> directory.</li>
<li>The attacker leverages a tool or script to open one or more of these registry hives. This could involve using built-in Windows utilities, scripting languages, or custom-developed tools.</li>
<li>If the attacker successfully opens the <code>SAM</code> and <code>SYSTEM</code> hives, they can extract user account credentials, including usernames, password hashes, and other sensitive information. The <code>SECURITY</code> hive is also useful.</li>
<li>The attacker may stage the registry hive files by copying them to a different location on the system for further analysis or exfiltration.</li>
<li>The attacker uses credential dumping tools (e.g., Mimikatz, secretsdump.py) or custom scripts to extract credentials from the staged registry hives.</li>
<li>The attacker leverages the extracted credentials to escalate privileges, move laterally within the network, or access sensitive data.</li>
<li>The final objective is typically to gain unauthorized access to critical systems, steal sensitive data, or establish long-term persistence within the compromised environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this technique can lead to the compromise of user account credentials, enabling attackers to escalate privileges, move laterally within the network, and gain unauthorized access to sensitive data. The impact can range from data breaches and financial losses to reputational damage and disruption of critical business operations. The number of victims can vary depending on the scope of the attacker&rsquo;s activities and the security posture of the targeted organization. Sectors commonly targeted include finance, healthcare, government, and critical infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable file access monitoring for the <code>C:\Windows\System32\config\RegBack\</code> directory to capture file open events.</li>
<li>Deploy the Sigma rule <code>Registry Hive Access via RegBack</code> to your SIEM and tune the exclusions based on your environment.</li>
<li>Monitor <code>process_creation</code> events for unusual processes accessing files in <code>C:\Windows\System32\config\RegBack\</code>, using the rule <code>Suspicious Process Accessing RegBack Hives</code>.</li>
<li>Enable Sysmon process creation and file creation logging so that the rules above receive the events they depend on.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>credential-access</category><category>regback</category><category>windows</category></item><item><title>Potential Defense Evasion via Filter Manager (fltMC.exe)</title><link>https://feed.craftedsignal.io/briefs/2024-01-filter-manager-evasion/</link><pubDate>Wed, 03 Jan 2024 14:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-filter-manager-evasion/</guid><description>Adversaries may abuse the Filter Manager Control Program (fltMC.exe) to unload filter drivers, thereby evading security software defenses such as malware detection and file system monitoring.</description><content:encoded><![CDATA[<p>The Filter Manager Control Program (fltMC.exe) is a Windows utility used to manage filter drivers, also known as minifilters. These minifilters are leveraged by various security products, including EDR, antivirus solutions, and data loss prevention tools, to intercept and modify I/O requests. Attackers can abuse fltMC.exe to unload these minifilters, effectively disabling or circumventing the security measures they provide. This allows malicious actors to operate without detection, potentially leading to data breaches, malware infections, or other harmful activities. This technique has been observed being used to disable security products such as Bitdefender, SentinelOne and ManageEngine Endpoint Central.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to the target system (e.g., via compromised credentials or exploit).</li>
<li>Attacker executes <code>fltMC.exe</code> with administrative privileges.</li>
<li><code>fltMC.exe</code> attempts to unload a specific filter driver (minifilter).</li>
<li>The operating system processes the request to unload the specified filter driver.</li>
<li>If successful, the targeted minifilter is removed from the active filter stack.</li>
<li>Security software relying on the unloaded minifilter ceases to function correctly, leaving a security gap.</li>
<li>Attacker performs malicious actions, such as deploying malware or exfiltrating sensitive data, without the protection of the disabled filter driver.</li>
<li>Attacker achieves their objective, such as data theft or system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to disable or circumvent security controls, increasing the likelihood of successful malware infections, data breaches, and other malicious activities. The scope of impact depends on the specific filter driver unloaded and the security products it supports. Disabling a critical EDR minifilter could leave the entire system vulnerable, while disabling a less critical filter might only impact a subset of security features.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process creation events for the execution of <code>fltMC.exe</code> with the <code>unload</code> argument to identify potential evasion attempts (see Sigma rule &ldquo;Potential Evasion via Filter Manager&rdquo;).</li>
<li>Investigate any instances of <code>fltMC.exe</code> execution where the parent process is not a known and trusted system management tool.</li>
<li>Implement strict access controls to limit the ability of users to execute <code>fltMC.exe</code> or modify filter driver configurations.</li>
<li>Review the list of exclusions in the provided EQL query to identify any legitimate software that may be generating false positives.</li>
<li>Ensure that endpoint security solutions are properly configured and monitored to detect and prevent unauthorized filter driver modifications.</li>
<li>Enable Sysmon process creation logging to activate the rules above.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>defense-evasion</category><category>filter-driver</category><category>fltMC.exe</category><category>windows</category></item></channel></rss>