{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/cisco/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7,"id":"CVE-2026-33018"},{"cvss":7.1,"id":"CVE-2026-33020"},{"id":"CVE-2026-41144"}],"_cs_exploited":false,"_cs_products":["ASA","Secure Firewall Threat Defense","IOS","IOS XE","IOS XR"],"_cs_severities":["critical"],"_cs_tags":["cisco","vulnerability","rce","authentication-bypass"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eA cluster of vulnerabilities affects Cisco ASA (Adaptive Security Appliance), Cisco Secure Firewall Threat Defense, Cisco IOS, Cisco IOS XE, and Cisco IOS XR. A remote attacker, either authenticated or anonymous, can exploit these vulnerabilities to bypass authentication mechanisms and execute arbitrary code with administrator privileges. The broad scope of affected products, ranging from security appliances to core networking infrastructure, makes this a critical issue for organizations relying on Cisco technology. Successful exploitation could lead to widespread network compromise and data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Cisco device (ASA, Firewall Threat Defense, IOS, IOS XE, or IOS XR).\u003c/li\u003e\n\u003cli\u003eAttacker exploits a vulnerability allowing authentication bypass.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication bypass, the attacker gains unauthorized access to the device.\u003c/li\u003e\n\u003cli\u003eAttacker leverages another vulnerability on the compromised system to inject and execute arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe code executes with administrator privileges, granting the attacker full control over the device.\u003c/li\u003e\n\u003cli\u003eAttacker uses the compromised device as a pivot point to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eAttacker compromises additional systems and exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to complete compromise of affected Cisco devices, allowing attackers to gain full administrative control. This can result in significant data breaches, service disruptions, and the potential for lateral movement within the network to compromise other critical systems. The broad range of affected Cisco products means a wide array of organizations are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules to your SIEM and tune for your environment to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eConsult Cisco\u0026rsquo;s security advisories for specific vulnerability details and apply the appropriate patches or mitigations as soon as they become available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T05:43:56Z","date_published":"2026-04-24T05:43:56Z","id":"/briefs/2024-07-cisco-multiple-vulns/","summary":"Multiple vulnerabilities in Cisco ASA, Secure Firewall Threat Defense, IOS, IOS XE, and IOS XR allow a remote attacker to bypass authentication and execute arbitrary code with administrator privileges.","title":"Multiple Vulnerabilities in Cisco Products Allow for Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-07-cisco-multiple-vulns/"},{"_cs_actors":["UAT-4356"],"_cs_cves":[{"cvss":9.9,"id":"CVE-2025-20333"},{"cvss":6.5,"id":"CVE-2025-20362"}],"_cs_exploited":false,"_cs_products":["Firepower eXtensible Operating System (FXOS)","ASA","FTD"],"_cs_severities":["critical"],"_cs_tags":["uat-4356","firestarter","cisco","backdoor","network","espionage"],"_cs_type":"threat","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eCisco Talos reported that UAT-4356 continues to actively target Cisco Firepower devices running the Firepower eXtensible Operating System (FXOS). In early 2024, Cisco Talos attributed the ArcaneDoor campaign to UAT-4356, a state-sponsored actor focused on gaining access to network perimeter devices for espionage. The actor exploits n-day vulnerabilities CVE-2025-20333 and CVE-2025-20362 to gain unauthorized access to vulnerable devices. Upon successful exploitation, UAT-4356 deploys a custom-built backdoor called \u0026ldquo;FIRESTARTER,\u0026rdquo; which shares technical capabilities with RayInitiator\u0026rsquo;s Stage 3 shellcode. FIRESTARTER enables remote access and the execution of arbitrary code within the LINA process, a core component of Cisco\u0026rsquo;s ASA and FTD appliances. This allows the attackers to maintain persistent access to compromised systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUAT-4356 exploits CVE-2025-20333 and/or CVE-2025-20362 on Cisco Firepower devices running FXOS to gain initial access.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the CSP_MOUNT_LIST to establish persistence for the FIRESTARTER backdoor.\u003c/li\u003e\n\u003cli\u003eThe FIRESTARTER backdoor is written to \u003ccode\u003e/opt/cisco/platform/logs/var/log/svc_samcore.log\u003c/code\u003e and the CSP_MOUNT_LIST is updated to copy itself to \u003ccode\u003e/usr/bin/lina_cs\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAfter a graceful reboot, FIRESTARTER is executed from \u003ccode\u003e/usr/bin/lina_cs\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFIRESTARTER restores the original CSP_MOUNT_LIST from \u003ccode\u003e/tmp/CSP_MOUNTLIST.tmp\u003c/code\u003e and removes the temporary copy and the trojanized \u003ccode\u003e/usr/bin/lina_cs\u003c/code\u003e file from disk.\u003c/li\u003e\n\u003cli\u003eFIRESTARTER reads the LINA process’ memory, searching for specific byte sequences to verify memory layout.\u003c/li\u003e\n\u003cli\u003eFIRESTARTER copies the next stage shellcode to the last 0x200 bytes of the \u0026ldquo;libstdc++.so\u0026rdquo; memory region.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites an internal data structure in the LINA process to replace a pointer to a legitimate WebVPN XML handler function with the address of the malicious shellcode. This allows execution of arbitrary shellcode received via WebVPN requests.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised Cisco Firepower devices allow UAT-4356 to gain a foothold on network perimeters for espionage. Successful exploitation and deployment of the FIRESTARTER backdoor enable attackers to execute arbitrary shellcode, potentially leading to data exfiltration, further network compromise, or disruption of services. The number of victims is currently unknown, but this campaign targets network perimeter devices, which could impact organizations across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the file integrity monitoring rule to detect the creation or modification of \u003ccode\u003e/usr/bin/lina_cs\u003c/code\u003e and \u003ccode\u003e/opt/cisco/platform/logs/var/log/svc_samcore.log\u003c/code\u003e (see \u0026ldquo;File Creation in Suspicious Directory\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eApply software upgrade recommendations outlined in Cisco\u0026rsquo;s Security Advisory to mitigate CVE-2025-20333 and CVE-2025-20362.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for WebVPN requests containing unexpected XML payloads that might be used to trigger the FIRESTARTER backdoor.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T15:11:53Z","date_published":"2026-04-23T15:11:53Z","id":"/briefs/2026-04-uat-4356-firestarter/","summary":"UAT-4356 is actively targeting Cisco Firepower devices running FXOS, exploiting CVE-2025-20333 and CVE-2025-20362 to deploy the FIRESTARTER backdoor which allows remote access and control by injecting malicious shellcode into the LINA process.","title":"UAT-4356 FIRESTARTER Backdoor Targeting Cisco Firepower Devices","url":"https://feed.craftedsignal.io/briefs/2026-04-uat-4356-firestarter/"},{"_cs_actors":[],"_cs_cves":[{"cvss":6.1,"id":"CVE-2026-20085"},{"cvss":4.8,"id":"CVE-2026-20087"},{"cvss":4.8,"id":"CVE-2026-20088"},{"cvss":4.8,"id":"CVE-2026-20089"},{"cvss":4.8,"id":"CVE-2026-20090"}],"_cs_exploited":false,"_cs_products":["Integrated Management Controller"],"_cs_severities":["medium"],"_cs_tags":["xss","cisco","cimc","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eMultiple cross-site scripting (XSS) vulnerabilities have been identified in the web-based management interface of the Cisco Integrated Management Controller (IMC). Successful exploitation of these vulnerabilities could allow a remote attacker to inject malicious scripts into the web browser of a user accessing the IMC interface. This could lead to session hijacking, sensitive information disclosure, or other malicious activities performed in the context of the user\u0026rsquo;s session. The vulnerabilities were disclosed on 2026-04-22, and Cisco has released software updates to address them. There are no known workarounds. This threat is relevant for organizations using Cisco IMC to manage their infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Cisco IMC web interface.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious URL containing a JavaScript payload designed to execute in the context of a victim\u0026rsquo;s browser session.\u003c/li\u003e\n\u003cli\u003eAttacker delivers the malicious URL to the victim, typically through phishing, social engineering, or by injecting it into a trusted website.\u003c/li\u003e\n\u003cli\u003eVictim clicks on the malicious URL, or the URL is automatically loaded through a compromised website.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s web browser sends an HTTP request to the vulnerable Cisco IMC web server.\u003c/li\u003e\n\u003cli\u003eThe Cisco IMC web server reflects the attacker\u0026rsquo;s malicious JavaScript payload in the HTTP response without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s web browser executes the malicious JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s JavaScript code executes within the victim\u0026rsquo;s browser, allowing the attacker to steal cookies, redirect the user, or perform other actions on behalf of the victim.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these XSS vulnerabilities could allow an attacker to execute arbitrary JavaScript code in the context of a user\u0026rsquo;s session. This could lead to sensitive information disclosure, such as the theft of session cookies, allowing the attacker to hijack the user\u0026rsquo;s session and gain unauthorized access to the Cisco IMC. The attacker could also redirect the user to a malicious website or deface the IMC web interface. While the specific number of vulnerable systems is unknown, organizations using Cisco IMC are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the software updates released by Cisco to address the vulnerabilities (CVE-2026-20085, CVE-2026-20087, CVE-2026-20088, CVE-2026-20089, CVE-2026-20090).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect potential exploitation attempts against the Cisco IMC web interface.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious HTTP requests containing potentially malicious JavaScript payloads targeting the Cisco IMC web interface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T12:00:00Z","date_published":"2026-04-23T12:00:00Z","id":"/briefs/2026-04-cisco-imc-xss/","summary":"Multiple cross-site scripting (XSS) vulnerabilities in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow a remote attacker to conduct an XSS attack against a user of the interface.","title":"Cisco Integrated Management Controller (IMC) Multiple XSS Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-04-cisco-imc-xss/"},{"_cs_actors":["China-nexus cyber actors"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["SOHO Routers","IoT Devices","Web Cameras","Video Recorders","Firewalls","Network Attached Storage (NAS) Devices"],"_cs_severities":["high"],"_cs_tags":["covert-network","botnet","china-nexus","compromised-devices"],"_cs_type":"threat","_cs_vendors":["Cisco","Netgear"],"content_html":"\u003cp\u003eA joint advisory highlights a significant shift in tactics employed by China-nexus cyber actors. They are moving away from using individually procured infrastructure and instead leveraging large-scale, externally provisioned networks of compromised devices. These \u0026ldquo;covert networks\u0026rdquo; primarily consist of Small Office Home Office (SOHO) routers, Internet of Things (IoT) devices, and smart devices, but can include any vulnerable device that can be exploited at scale. These networks are used for various purposes, including disguising the origin of malicious activity, scanning networks, delivering malware, communicating with compromised systems, exfiltrating stolen data, and conducting general deniable internet browsing to research new TTPs and victim profiles. These networks are constantly updated and could be used by multiple actors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Compromise: China-nexus actors exploit vulnerabilities in SOHO routers, IoT devices (web cameras, video recorders), firewalls, and NAS devices.\u003c/li\u003e\n\u003cli\u003eBotnet Establishment: Compromised devices are incorporated into a covert network (botnet), often controlled by Chinese information security companies.\u003c/li\u003e\n\u003cli\u003eReconnaissance: The actors use the botnet to scan target networks, gathering information about potential vulnerabilities and attack surfaces.\u003c/li\u003e\n\u003cli\u003eExploitation: Leveraging the compromised network to mask their origin, the actors exploit identified vulnerabilities in target systems.\u003c/li\u003e\n\u003cli\u003eMalware Delivery: The covert network is used to deliver malware payloads to compromised systems within the target network.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The actors establish command and control (C2) channels through the compromised network to remotely control the malware and maintain access.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: Sensitive data is exfiltrated from the compromised network through the covert network, making attribution difficult.\u003c/li\u003e\n\u003cli\u003ePersistence: The actors maintain persistence on compromised systems to ensure continued access and control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised networks can lead to the exposure of sensitive data, disruption of critical services, and financial losses. The use of covert networks makes attribution difficult, allowing attackers to operate with impunity. The advisory notes that Volt Typhoon has used these techniques to pre-position on critical national infrastructure. The widespread nature of the networks, comprising potentially hundreds of thousands of endpoints, makes traditional network defense strategies like static IP blocklists less effective. In 2024, one such network, Raptor Train, infected over 200,000 devices worldwide.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement robust patch management practices to keep SOHO routers, IoT devices, and other network devices up-to-date with the latest security patches (reference: Overview).\u003c/li\u003e\n\u003cli\u003eStrengthen network perimeter security by implementing intrusion detection and prevention systems (IDPS) to identify and block malicious traffic originating from suspicious or known compromised IP addresses (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual patterns and anomalies that may indicate the presence of a compromised device or covert network activity (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Outbound Connection to Known SOHO Devices\u0026rdquo; to identify potential compromised devices on your network (reference: rules).\u003c/li\u003e\n\u003cli\u003eSegment networks to limit the potential impact of a compromised device or network segment (reference: Protective Advice).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T11:22:42Z","date_published":"2026-04-23T11:22:42Z","id":"/briefs/2026-04-china-nexus-covert-networks/","summary":"China-nexus cyber actors are increasingly using large-scale networks of compromised devices, including SOHO routers and IoT devices, to obscure the origin of their attacks and conduct various malicious activities, from reconnaissance to data exfiltration.","title":"China-Nexus Cyber Actors Using Covert Networks of Compromised Devices","url":"https://feed.craftedsignal.io/briefs/2026-04-china-nexus-covert-networks/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-20128"}],"_cs_exploited":false,"_cs_products":["Catalyst SD-WAN Manager"],"_cs_severities":["medium"],"_cs_tags":["cve-2026-20128","credential-access","sd-wan","cisco"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eCisco Catalyst SD-WAN Manager is affected by a vulnerability (CVE-2026-20128) that allows for the disclosure of stored passwords. An authenticated, local attacker with low privileges can exploit this vulnerability by accessing a credential file on the filesystem. Successful exploitation grants the attacker DCA user privileges, potentially leading to unauthorized access and control over the SD-WAN environment. CISA has issued Emergency Directive 26-03 and associated guidance to mitigate risks associated with Cisco SD-WAN devices. This vulnerability highlights the importance of proper credential management and access controls in network management systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains low-privileged access to the Cisco Catalyst SD-WAN Manager system through legitimate credentials or other vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates the filesystem to locate the DCA user\u0026rsquo;s credential file.\u003c/li\u003e\n\u003cli\u003eThe attacker reads the credential file, which contains the DCA user\u0026rsquo;s password in a recoverable format.\u003c/li\u003e\n\u003cli\u003eThe attacker decodes or decrypts the password using readily available tools or techniques.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the recovered DCA user credentials to authenticate to the SD-WAN Manager with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the DCA user privileges to perform unauthorized configuration changes or access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker potentially pivots to other systems or network segments accessible through the SD-WAN infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to gain complete control over the Cisco Catalyst SD-WAN Manager. This could lead to significant disruption of network services, data breaches, and potential compromise of connected systems. The impact is magnified by the widespread use of SD-WAN in enterprise environments, making this a critical vulnerability for organizations utilizing Cisco Catalyst SD-WAN Manager.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview and apply the mitigations outlined in CISA\u0026rsquo;s Emergency Directive 26-03 and associated guidance for Cisco SD-WAN devices, as referenced in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor file access events on the Cisco Catalyst SD-WAN Manager system for suspicious access patterns to credential files using the \u003ccode\u003eDetect Suspicious SD-WAN Credential File Access\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls and password policies on the Cisco Catalyst SD-WAN Manager to prevent unauthorized access.\u003c/li\u003e\n\u003cli\u003eApply the security updates provided by Cisco to patch CVE-2026-20128 as they become available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T12:00:00Z","date_published":"2026-04-21T12:00:00Z","id":"/briefs/2026-04-cisco-sdwan-password-disclosure/","summary":"Cisco Catalyst SD-WAN Manager stores passwords in a recoverable format, allowing an authenticated local attacker to gain DCA user privileges by accessing a credential file.","title":"Cisco Catalyst SD-WAN Manager Password Disclosure Vulnerability (CVE-2026-20128)","url":"https://feed.craftedsignal.io/briefs/2026-04-cisco-sdwan-password-disclosure/"},{"_cs_actors":[],"_cs_cves":[{"cvss":5.4,"id":"CVE-2026-20122"}],"_cs_exploited":true,"_cs_products":["Catalyst SD-WAN Manger"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-20122","privilege-escalation","sd-wan"],"_cs_type":"threat","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eCisco Catalyst SD-WAN Manager is vulnerable to an incorrect use of privileged APIs. This flaw stems from improper file handling within the API interface. An attacker can exploit this vulnerability by uploading a malicious file to the local file system. Successful exploitation allows an attacker to overwrite arbitrary files on the affected system and ultimately gain vmanage user privileges. CISA has released Emergency Directive 26-03 and associated hunt/hardening guidance in response to active exploitation of Cisco SD-WAN vulnerabilities. This issue poses a significant risk to organizations utilizing affected Cisco SD-WAN deployments, as it allows for privilege escalation and potential compromise of the entire SD-WAN infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Cisco Catalyst SD-WAN Manager instance with an exposed API interface.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious file designed to exploit the improper file handling vulnerability (CVE-2026-20122).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious file to the SD-WAN Manager via the vulnerable API endpoint.\u003c/li\u003e\n\u003cli\u003eDue to improper file handling, the uploaded file is written to an arbitrary location on the file system.\u003c/li\u003e\n\u003cli\u003eThe malicious file overwrites a critical system file, such as a configuration file or a binary executable used by the vmanage user.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a system event or restart a service that uses the overwritten file.\u003c/li\u003e\n\u003cli\u003eThe compromised service or application now executes with the attacker\u0026rsquo;s injected code, granting the attacker vmanage user privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the vmanage user privileges to further compromise the system or the SD-WAN infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-20122) allows an attacker to overwrite arbitrary files and gain vmanage user privileges on the Cisco Catalyst SD-WAN Manager. This can lead to a complete compromise of the SD-WAN management plane, allowing the attacker to reconfigure the network, intercept traffic, or deploy further malicious payloads to connected devices. Given the critical role of SD-WAN in modern network infrastructure, a successful attack can have widespread impact, affecting business operations and data security. CISA\u0026rsquo;s involvement via Emergency Directive 26-03 indicates that this vulnerability is likely under active exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately apply the mitigations recommended by CISA in Emergency Directive 26-03 and the associated hunt/hardening guidance to reduce exposure to this vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on critical system files on the Cisco Catalyst SD-WAN Manager to detect unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and harden the API interface of the SD-WAN Manager to prevent unauthorized file uploads.\u003c/li\u003e\n\u003cli\u003eFollow applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T12:00:00Z","date_published":"2026-04-21T12:00:00Z","id":"/briefs/2026-04-cisco-sdwan-privilege-escalation/","summary":"Cisco Catalyst SD-WAN Manager contains an incorrect use of privileged APIs vulnerability due to improper file handling on the API interface, allowing an attacker to upload a malicious file and overwrite arbitrary files to gain vmanage user privileges.","title":"Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-cisco-sdwan-privilege-escalation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Adobe Acrobat Update Task","Sure Click","Secure Access Client","CtxsDPS.exe","Openvpn-gui.exe","Veeam Endpoint Backup","Cisco Secure Client","Concentr.exe","Receiver","AnalyticsSrv.exe","Redirector.exe","Download Navigator","Jabra Direct","Vmware Workstation","Eset Security","iTunes","Keepassxc.exe","Globalprotect","Pdf24.exe","Vmware Tools","Teams"],"_cs_severities":["medium"],"_cs_tags":["persistence","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Adobe","HP","Intel","Acronis","Java","Citrix","OpenVPN","Veeam","Cisco","Epson","Jabra","VMware","ESET","iTunes","KeePassXC","Palo Alto Networks","PDF24"],"content_html":"\u003cp\u003eThe Windows Installer (msiexec.exe) is a legitimate system tool used for installing, updating, and removing software on Windows systems. Adversaries can abuse msiexec.exe to establish persistence mechanisms by creating malicious scheduled tasks or modifying registry run keys. This allows them to execute arbitrary code during system startup or user logon. This technique is attractive to attackers due to msiexec.exe being a trusted Windows binary, potentially evading detection by security solutions that focus on flagging unknown or suspicious processes. The use of msiexec.exe for persistence can be difficult to detect without specific monitoring rules, as it is a common and legitimate system process. This activity can be observed across various Windows versions and is frequently integrated into automated attack frameworks and scripts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised system, potentially through phishing, exploitation of a vulnerability, or stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages msiexec.exe to create a new scheduled task using the \u003ccode\u003eschtasks.exe\u003c/code\u003e command, setting it to execute a malicious script or binary.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses msiexec.exe in conjunction with \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify registry keys under \u003ccode\u003eHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u003c/code\u003e or \u003ccode\u003eHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u003c/code\u003e, adding a pointer to their malicious executable.\u003c/li\u003e\n\u003cli\u003eThe created scheduled task or registry entry points to a malicious payload, such as a reverse shell or a downloader.\u003c/li\u003e\n\u003cli\u003eThe system is restarted, or the user logs on, triggering the execution of the newly created scheduled task or the malicious binary through the modified registry run key.\u003c/li\u003e\n\u003cli\u003eThe malicious payload executes, establishing a persistent foothold for the attacker on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform further actions, such as data exfiltration, lateral movement, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the adversary to maintain persistent access to the compromised system. This can lead to data theft, system compromise, deployment of ransomware, or use of the system as a staging point for further attacks within the network. A single compromised system can be used to pivot and compromise additional systems, leading to a widespread security breach. The impact can include financial losses, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for msiexec.exe spawning \u003ccode\u003eschtasks.exe\u003c/code\u003e or \u003ccode\u003ereg.exe\u003c/code\u003e to create scheduled tasks or modify registry run keys (reference: rules in this brief).\u003c/li\u003e\n\u003cli\u003eImplement and tune the Sigma rules provided in this brief to detect suspicious msiexec.exe activity related to persistence mechanisms.\u003c/li\u003e\n\u003cli\u003eReview and audit existing scheduled tasks and registry run keys for any suspicious entries or anomalies.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring (FIM) on critical system directories, including the Windows Task Scheduler directory and registry run key locations (reference: event.category == \u0026ldquo;file\u0026rdquo; and file.path \u0026hellip; and event.category == \u0026ldquo;registry\u0026rdquo; and registry.path \u0026hellip; in the rule query).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or unknown executables (reference: rule query).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-09-05T14:17:05Z","date_published":"2024-09-05T14:17:05Z","id":"/briefs/2024-09-msiexec-persistence/","summary":"Adversaries may establish persistence by abusing the Windows Installer (msiexec.exe) to create scheduled tasks or modify registry run keys, allowing for malicious code execution upon system startup or user logon.","title":"Persistence via Windows Installer (Msiexec)","url":"https://feed.craftedsignal.io/briefs/2024-09-msiexec-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Microsoft Teams","Google Chrome","Mozilla Firefox","Opera","Cisco WebEx","Discord","WhatsApp","Zoom","Brave Browser","Slack","thunderbird.exe"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne","Microsoft","Google","Mozilla","Opera","Cisco","Discord","WhatsApp","Zoom","Brave"],"content_html":"\u003cp\u003eThis detection rule focuses on identifying suspicious child processes of communication applications such as Slack, Cisco Webex, Microsoft Teams, Discord, WhatsApp, Zoom, and Thunderbird on Windows operating systems. Attackers may attempt to masquerade as legitimate processes or exploit vulnerabilities in these applications to execute malicious code. The rule monitors for the creation of child processes by these communication apps and checks if those child processes are unexpected, untrusted, or lack a valid code signature. This detection is crucial because successful exploitation can lead to unauthorized access, data exfiltration, or further compromise of the system. The rule has been actively maintained since August 2023, with updates as recent as May 2026, indicating its relevance and ongoing refinement to address emerging threats.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser launches a communication application (e.g., Slack, Teams, Webex).\u003c/li\u003e\n\u003cli\u003eThe communication application executes a vulnerable or compromised component.\u003c/li\u003e\n\u003cli\u003eThe compromised component spawns a child process (e.g., powershell.exe, cmd.exe).\u003c/li\u003e\n\u003cli\u003eThe child process executes a malicious command or script.\u003c/li\u003e\n\u003cli\u003eThe script attempts to download additional payloads from an external source.\u003c/li\u003e\n\u003cli\u003eThe payload executes, establishing persistence through registry modification or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the system.\u003c/li\u003e\n\u003cli\u003eData exfiltration or lateral movement within the network occurs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the compromise of sensitive data, installation of malware, and potential lateral movement within the organization\u0026rsquo;s network. By exploiting communication applications, attackers can gain access to internal communications, confidential documents, and user credentials. The number of affected users and the extent of the damage depend on the compromised application and the attacker\u0026rsquo;s objectives. If successful, this attack may lead to significant financial loss, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Communication App Child Process\u003c/code\u003e to your SIEM to detect anomalous child processes spawned by communication applications and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments in Windows to ensure that the Sigma rule has the necessary data to function correctly (logsource: \u003ccode\u003eprocess_creation\u003c/code\u003e, product: \u003ccode\u003ewindows\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule and review the command line arguments of the spawned processes to identify potential malicious activity.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to restrict the execution of unauthorized applications and reduce the attack surface.\u003c/li\u003e\n\u003cli\u003eEnsure that all communication applications are updated to the latest versions to patch known vulnerabilities and reduce the risk of exploitation.\u003c/li\u003e\n\u003cli\u003eExamine the network activity of the affected system to identify any suspicious outbound connections that may indicate data exfiltration or communication with a command and control server, referencing the setup guide.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-31T12:00:00Z","date_published":"2024-01-31T12:00:00Z","id":"/briefs/2024-01-suspicious-comm-app-child-process/","summary":"The detection rule identifies suspicious child processes spawned from communication applications on Windows systems, potentially indicating masquerading or exploitation of vulnerabilities within these applications.","title":"Suspicious Child Processes from Communication Applications","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-comm-app-child-process/"},{"_cs_actors":[],"_cs_cves":[{"cvss":6.5,"id":"CVE-2026-20133"}],"_cs_exploited":false,"_cs_products":["Catalyst SD-WAN Manager"],"_cs_severities":["high"],"_cs_tags":["cve","vulnerability","cisco","sd-wan"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eCisco Catalyst SD-WAN Manager is susceptible to an information disclosure vulnerability, identified as CVE-2026-20133. The vulnerability allows unauthorized remote attackers to potentially gain access to sensitive information residing on affected systems. While the exact nature of the disclosed information isn\u0026rsquo;t specified in the advisory, it could encompass configuration details, user credentials, or other sensitive data critical for the secure operation of the SD-WAN environment. CISA has issued Emergency Directive 26-03 and associated guidance, highlighting the severity and urging immediate action. The directive impacts organizations utilizing Cisco SD-WAN devices and emphasizes the need for thorough risk assessment and implementation of provided mitigation strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Discovery:\u003c/strong\u003e An attacker identifies a publicly accessible endpoint or API within the Cisco Catalyst SD-WAN Manager that is vulnerable to CVE-2026-20133.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Request:\u003c/strong\u003e The attacker crafts a malicious HTTP request targeting the vulnerable endpoint, exploiting the lack of proper authorization checks or input validation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInformation Exposure:\u003c/strong\u003e The SD-WAN Manager processes the request and, due to the vulnerability, inadvertently discloses sensitive information. This could be in the form of a file, database content, or API response.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Extraction:\u003c/strong\u003e The attacker captures the exposed data from the response, potentially including configuration files, usernames, passwords, or other sensitive credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Compromise:\u003c/strong\u003e The attacker uses the extracted credentials to gain unauthorized access to other systems within the SD-WAN environment or the broader network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Leveraging compromised credentials, the attacker moves laterally across the network, targeting critical systems and data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration / System Compromise:\u003c/strong\u003e The attacker exfiltrates sensitive data or achieves complete system compromise, depending on the attacker\u0026rsquo;s objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-20133 can lead to significant consequences, including the compromise of sensitive data, unauthorized access to critical systems, and potential disruption of network operations. Given the central role of SD-WAN managers in controlling network traffic and security policies, a successful attack can have a wide-ranging impact. The number of potentially affected organizations is substantial due to the widespread adoption of Cisco SD-WAN solutions. The impact can include data breaches, financial loss, reputational damage, and regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately assess your exposure to CVE-2026-20133 by following CISA’s Emergency Directive 26-03 mitigation instructions.\u003c/li\u003e\n\u003cli\u003eApply the necessary patches or workarounds provided by Cisco to remediate the vulnerability as outlined in Cisco\u0026rsquo;s security advisory.\u003c/li\u003e\n\u003cli\u003eIf patches are unavailable or cannot be immediately applied, implement the hardening guidance provided in CISA’s “Hunt \u0026amp; Hardening Guidance for Cisco SD-WAN Devices”.\u003c/li\u003e\n\u003cli\u003eFor cloud-based deployments, adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect suspicious HTTP requests targeting potential vulnerable endpoints of the Cisco Catalyst SD-WAN Manager.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-19T12:00:00Z","date_published":"2024-01-19T12:00:00Z","id":"/briefs/2024-01-cisco-sdwan-info-disclosure/","summary":"Cisco Catalyst SD-WAN Manager contains an information disclosure vulnerability (CVE-2026-20133) that could allow remote attackers to view sensitive information on affected systems, requiring immediate patching or mitigation.","title":"Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability (CVE-2026-20133)","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-sdwan-info-disclosure/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["IOS"],"_cs_severities":["medium"],"_cs_tags":["attack.defense-evasion","attack.persistence","attack.credential-access","attack.t1562.001","attack.t1556.004"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThe disabling of 802.1X authentication on a Cisco network device can bypass Network Access Control (NAC) mechanisms, potentially granting unauthorized devices access to the internal network. Attackers or malicious insiders might disable dot1x to establish persistence or facilitate lateral movement by connecting rogue devices to the network. This can be accomplished through CLI commands such as \u0026lsquo;access-session port-control force-authorized\u0026rsquo; or \u0026rsquo;no dot1x system-auth-control\u0026rsquo;, depending on the IOS version. These commands either disable 802.1X on a specific interface or globally across the device. The targeted scope is Cisco network devices utilizing 802.1X for network access control.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains privileged access to a Cisco network device via compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker executes CLI commands to disable 802.1X authentication on a specific interface or globally.\u003c/li\u003e\n\u003cli\u003eCommands used may include \u0026lsquo;access-session port-control force-authorized\u0026rsquo;, \u0026lsquo;authentication port-control force-authorized\u0026rsquo;, \u0026lsquo;dot1x port-control force-authorized\u0026rsquo;, \u0026rsquo;no access-session port-control\u0026rsquo;, \u0026rsquo;no authentication port-control\u0026rsquo;, \u0026rsquo;no dot1x port-control\u0026rsquo;, or \u0026rsquo;no dot1x system-auth-control\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe network interface transitions to a force-authorized state, bypassing the normal authentication process.\u003c/li\u003e\n\u003cli\u003eAn unauthorized device is connected to the compromised network interface.\u003c/li\u003e\n\u003cli\u003eThe unauthorized device gains network access without proper authentication or authorization.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the unauthorized access for lateral movement to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys malicious payloads across the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of dot1x can lead to unauthorized network access, allowing attackers to bypass security controls. This can result in the compromise of sensitive data, the spread of malware, and the disruption of network services. The number of affected devices and the scope of the compromise depend on the network architecture and the attacker\u0026rsquo;s objectives. The impact could range from a single compromised workstation to a full-scale network breach affecting thousands of devices and users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCisco Dot1x Disabled\u003c/code\u003e to your SIEM to detect the execution of commands that disable 802.1X authentication.\u003c/li\u003e\n\u003cli\u003eMonitor Cisco AAA logs for events containing keywords such as \u0026lsquo;access-session port-control force-authorized\u0026rsquo; and \u0026rsquo;no dot1x system-auth-control\u0026rsquo; to identify potential attempts to disable dot1x.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all administrative access to Cisco network devices to prevent unauthorized command execution.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit the configuration of Cisco network devices to ensure that 802.1X is enabled and properly configured on all relevant interfaces.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"/briefs/2024-01-cisco-dot1x-disabled/","summary":"Detection of manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface, potentially allowing unauthorized network access and lateral movement.","title":"Cisco 802.1X (dot1x) Disabled on Network Interface","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-dot1x-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["EdgeWebView","Acrobat DC","AMP","Symantec Endpoint Protection","Malwarebytes Anti-Exploit"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cisco","Adobe","Symantec","Malwarebytes"],"content_html":"\u003cp\u003eThis detection identifies suspicious process access events on Windows systems where a process attempts to access another process\u0026rsquo;s memory via direct system calls, bypassing standard Windows API calls. Endpoint security solutions often hook userland Windows APIs to detect malicious code execution. Attackers can evade these hooks by directly invoking syscalls, which are lower-level instructions that interact directly with the operating system kernel. The rule specifically looks for process access events (Sysmon Event ID 10) where the call trace does not originate from known Windows system DLLs like ntdll.dll, indicating a potential attempt to bypass security measures. The rule excludes certain legitimate applications, such as Malwarebytes Anti-Exploit, Cisco AMP, Microsoft EdgeWebView, and Adobe Acrobat DC, to reduce false positives. This technique is often employed by advanced malware and red teams to evade detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious process is executed on the system, either through user interaction or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe process attempts to gain access to another process\u0026rsquo;s memory space (Target Process).\u003c/li\u003e\n\u003cli\u003eInstead of using standard Windows API calls, the malicious process directly invokes system calls (syscalls) to access the target process\u0026rsquo;s memory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eCallTrace\u003c/code\u003e in the Sysmon event does not originate from expected system DLLs like \u003ccode\u003entdll.dll\u003c/code\u003e, \u003ccode\u003esysfer.dll\u003c/code\u003e, \u003ccode\u003ewow64cpu.dll\u003c/code\u003e, \u003ccode\u003ewow64win.dll\u003c/code\u003e, or \u003ccode\u003ewin32u.dll\u003c/code\u003e, indicating a direct syscall.\u003c/li\u003e\n\u003cli\u003eThe process might attempt to read sensitive information such as credentials, inject malicious code, or manipulate the target process\u0026rsquo;s behavior.\u003c/li\u003e\n\u003cli\u003eThe malicious process performs actions within the context of the target process, such as executing injected code or accessing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised process to achieve their objectives, such as data exfiltration, lateral movement, or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker cleans up any traces of their activity and attempts to maintain persistence on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of sensitive data, the injection of malicious code into legitimate processes, and the complete takeover of the affected system. This can result in data breaches, financial loss, and reputational damage. The impact is especially significant if the target process holds sensitive credentials, browser secrets, or has security-product context.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process access logging (Event ID 10) with call tracing and ingest the logs into your SIEM to activate the rules above (\u003ca href=\"https://ela.st/sysmon-event-10-setup\"\u003ehttps://ela.st/sysmon-event-10-setup\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM and tune them for your environment to detect direct syscall process access.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the \u003ccode\u003eSourceImage\u003c/code\u003e, \u003ccode\u003eTargetImage\u003c/code\u003e, \u003ccode\u003eGrantedAccess\u003c/code\u003e, and \u003ccode\u003eCallTrace\u003c/code\u003e fields in the Sysmon event to determine the legitimacy of the process access attempt.\u003c/li\u003e\n\u003cli\u003ePrioritize investigation of alerts where the target process is \u003ccode\u003elsass.exe\u003c/code\u003e or other security-sensitive processes.\u003c/li\u003e\n\u003cli\u003eImplement robust endpoint detection and response (EDR) solutions to detect and prevent malicious activity on endpoints.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious process creation events originating from the flagged processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-direct-syscall-process-access/","summary":"Detects suspicious process access events where the call trace does not originate from known Windows system DLLs, indicating potential defense evasion by bypassing hooked APIs via direct syscalls.","title":"Suspicious Process Access via Direct System Call","url":"https://feed.craftedsignal.io/briefs/2024-01-direct-syscall-process-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Network Visibility Module"],"_cs_severities":["high"],"_cs_tags":["endpoint","msiexec","remote-download","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cisco","Splunk"],"content_html":"\u003cp\u003eThe detection focuses on identifying instances where \u003ccode\u003emsiexec.exe\u003c/code\u003e is used with an HTTP or HTTPS URL in the command line. This behavior is indicative of an attempt to download and execute potentially malicious software from a remote server. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant as it may indicate an attempt to download and execute potentially malicious software from a remote server. If confirmed malicious, this could lead to unauthorized code execution, system compromise, or further malware deployment within the network. The activity is often used to bypass traditional security controls.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access through various means, such as phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages \u003ccode\u003emsiexec.exe\u003c/code\u003e, a legitimate Windows utility, to download a malicious MSI package from a remote HTTP or HTTPS server.\u003c/li\u003e\n\u003cli\u003eThe command line includes a URL pointing to a malicious MSI file hosted on a compromised or attacker-controlled server.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emsiexec.exe\u003c/code\u003e downloads the MSI package to the victim\u0026rsquo;s machine.\u003c/li\u003e\n\u003cli\u003eThe MSI package is executed, potentially installing malware, creating new files, or modifying system settings.\u003c/li\u003e\n\u003cli\u003eThe installed malware establishes persistence through registry keys or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe malware initiates command and control (C2) communication to receive further instructions.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions on the objective such as data exfiltration or lateral movement within the compromised network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized code execution, system compromise, or further malware deployment within the network. The use of \u003ccode\u003emsiexec.exe\u003c/code\u003e for remote downloads can bypass traditional security controls, allowing attackers to deliver and execute malicious payloads undetected. The dfirreport.com article references data exfiltration following exploitation via MSIExec.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to activate the rules below, capturing command-line details (Sysmon EventID 1).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections originating from \u003ccode\u003emsiexec.exe\u003c/code\u003e to external HTTP/HTTPS URLs (Network Visibility Module Flow Data).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003emsiexec.exe\u003c/code\u003e executing with command-line arguments containing HTTP or HTTPS URLs.\u003c/li\u003e\n\u003cli\u003eFilter false positives by destination or parent process as needed based on your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-03-msiexec-remote-download/","summary":"The analytic detects the execution of msiexec.exe with an HTTP or HTTPS URL, which indicates an attempt to download and execute potentially malicious software from a remote server, leading to potential unauthorized code execution, system compromise, or malware deployment.","title":"Suspicious MSIExec Remote Download","url":"https://feed.craftedsignal.io/briefs/2024-01-03-msiexec-remote-download/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Secure Access Firewall","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["rdp","bruteforce","credential-access","windows","network"],"_cs_type":"advisory","_cs_vendors":["Cisco","Splunk"],"content_html":"\u003cp\u003eThis analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. It detects potential RDP brute force attacks by identifying source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window. The results are presented in a table that includes the source and destination IPs, destination port, number of attempts, and the times of the first and last connection attempts, helping to prioritize IPs based on the intensity of activity. This activity can lead to account compromise and potential ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker scans the network to identify systems with open RDP ports (TCP 3389).\u003c/li\u003e\n\u003cli\u003eThe attacker initiates multiple RDP connection attempts to a target host, using a list of common usernames and passwords or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe firewall logs each connection attempt, recording the source and destination IPs, ports, and timestamps.\u003c/li\u003e\n\u003cli\u003eSysmon logs the network connections with Event ID 3.\u003c/li\u003e\n\u003cli\u003eThe attacker continues to attempt connections, typically exceeding 10 attempts within an hour.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication, the attacker gains unauthorized access to the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker may then install malware, move laterally, or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker might deploy ransomware like SamSam or Ryuk, as referenced in external reports.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful RDP brute force attacks can lead to unauthorized access to systems, data breaches, malware infections, and ransomware deployment. Compromised systems can be used as a staging point for further attacks within the network. The references indicate that ransomware attacks have been delivered using RDP brute-force techniques.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure network traffic data is populating the Network_Traffic data model to enable the provided search query.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRDP Bruteforce via Network Traffic\u003c/code\u003e to detect brute force attempts based on network connection patterns.\u003c/li\u003e\n\u003cli\u003eAdjust the count and duration thresholds in the detection query to tune the sensitivity for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate source IPs identified by the detection rule as potential attackers.\u003c/li\u003e\n\u003cli\u003eMonitor Sysmon EventID 3 for network connections to detect RDP brute-force attempts.\u003c/li\u003e\n\u003cli\u003eReview the referenced Zscaler and ReliaQuest articles for additional context and mitigation strategies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-rdp-bruteforce/","summary":"This detection identifies potential RDP brute force attacks by monitoring network traffic for RDP application activity by detecting source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window.","title":"Windows Remote Desktop Network Bruteforce Attempt","url":"https://feed.craftedsignal.io/briefs/2024-01-rdp-bruteforce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender","Cisco AnyConnect Secure Mobility Client","Cisco Secure Client","Oracle Database"],"_cs_severities":["medium"],"_cs_tags":["credential-access","lsass","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cisco","Oracle"],"content_html":"\u003cp\u003eThe Local Security Authority Subsystem Service (LSASS) is a critical Windows component responsible for enforcing security policies and handling user authentication. Attackers often target LSASS to extract credentials, enabling unauthorized access and privilege escalation. This detection rule identifies suspicious access attempts to LSASS memory, which may indicate credential dumping activities. It filters out common legitimate processes and access patterns to highlight anomalous behaviors associated with credential theft. The rule is designed to detect unauthorized access attempts by monitoring process access events and filtering out known benign processes that interact with LSASS. It helps defenders identify potential credential access attempts before they lead to significant compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious process or script on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe malicious process attempts to gain a handle to the LSASS process.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s tool requests specific access rights to LSASS, such as \u003ccode\u003eReadProcessMemory\u003c/code\u003e (0x0010) or \u003ccode\u003ePROCESS_QUERY_INFORMATION\u003c/code\u003e (0x0400), which are necessary for memory dumping.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s process bypasses or disables endpoint detection and response (EDR) solutions to avoid detection.\u003c/li\u003e\n\u003cli\u003eThe tool dumps the LSASS memory, extracting sensitive information like usernames, passwords, and Kerberos tickets.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted credentials to move laterally within the network, accessing other systems and resources.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful LSASS memory dump can lead to the compromise of domain credentials, allowing attackers to move laterally within the network and gain access to sensitive data and systems. This can result in data breaches, financial loss, and reputational damage. Organizations across all sectors are vulnerable, particularly those with weak credential management practices. A single compromised account can lead to widespread damage, potentially affecting thousands of systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process access event logging (Event ID 10) as described in the setup instructions linked in the rule to collect the necessary data.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Lsass Process Access\u0026rdquo; to your SIEM and tune the exclusions based on your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eReview and harden privileged account management practices to limit the impact of credential compromise.\u003c/li\u003e\n\u003cli\u003eMonitor systems for unusual process creation events, especially those spawning from unexpected locations, to identify potential initial access points.\u003c/li\u003e\n\u003cli\u003eRegularly scan systems for vulnerabilities and apply patches to prevent exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-suspicious-lsass-access/","summary":"This rule identifies suspicious access attempts to the LSASS process, potentially indicating credential dumping attempts by filtering out legitimate processes and access patterns to focus on anomalies.","title":"Suspicious LSASS Process Access","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-lsass-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Edge","Cisco Spark","Admin By Request","Cloud Signature Update Agent","Vantage","Adobe Reader and Acrobat Manager"],"_cs_severities":["low"],"_cs_tags":["persistence","registry","runkey"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cisco","FastTrack Software","Exclaimer Ltd","Lenovo","Adobe"],"content_html":"\u003cp\u003eAttackers often modify registry run keys to achieve persistence on a system. By adding entries to these keys, they ensure that a malicious program executes automatically whenever a user logs in. This technique allows the attacker to maintain access to the compromised system even after reboots or other interruptions. The programs added to these run keys execute under the context of the user account, inheriting its permissions. This activity is often difficult to distinguish from legitimate software installations or updates, requiring careful analysis to identify malicious intent. Elastic has observed this activity and created a detection rule to identify this behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies registry run key locations for persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies a registry run key (e.g., \u003ccode\u003eHKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u003c/code\u003e) using tools such as \u003ccode\u003ereg.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker adds a malicious executable path to the registry key.\u003c/li\u003e\n\u003cli\u003eThe system is restarted, or a user logs in.\u003c/li\u003e\n\u003cli\u003eThe malicious executable is launched automatically as part of the logon process.\u003c/li\u003e\n\u003cli\u003eThe malicious executable establishes a connection to a command-and-control server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to compromised systems, enabling them to perform unauthorized activities such as data theft, lateral movement, and deployment of ransomware. While each instance may not cause immediate critical damage, the cumulative effect of multiple persistent infections across an environment can lead to significant data breaches and operational disruption. The Elastic rule attempts to minimize false positives with built-in filters for common legitimate applications and processes like \u003ccode\u003ectfmon.exe\u003c/code\u003e, but tuning is required.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect suspicious modifications to registry run keys and tune it to filter out legitimate application updates.\u003c/li\u003e\n\u003cli\u003eEnable registry event logging to capture modifications made to the registry, ensuring that the Sigma rule can function correctly.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, examining the parent process of the process modifying the registry for suspicious activity.\u003c/li\u003e\n\u003cli\u003eBlock known malicious executables and domains identified during triage to prevent further infection.\u003c/li\u003e\n\u003cli\u003eUse endpoint detection and response (EDR) solutions like Elastic Defend to gain enhanced visibility into endpoint activity and detect malicious behavior associated with persistence mechanisms.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-run-key-registry-modification/","summary":"Attackers modify registry run keys or startup keys to achieve persistence by referencing a program that executes when a user logs in or the system boots.","title":"Startup or Run Key Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-run-key-registry-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Slack","WebEx","Teams","Discord","Rocket.Chat","Mattermost","WhatsApp","Zoom","Outlook","Thunderbird"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","masquerading","windows"],"_cs_type":"advisory","_cs_vendors":["Slack Technologies","Cisco","Microsoft","Discord","Rocket.Chat Technologies","Mattermost","WhatsApp","Zoom Video Communications","Mozilla"],"content_html":"\u003cp\u003eAttackers may attempt to evade defenses by masquerading malicious processes as legitimate communication applications. This involves using names and icons that resemble trusted applications like Slack, WebEx, Teams, Discord, RocketChat, Mattermost, WhatsApp, Zoom, Outlook and Thunderbird to trick users and bypass security measures. This technique can be used to conceal malicious activity, bypass allowlists, or trick users into executing malware. The detection rule identifies suspicious instances by checking for unsigned or improperly signed processes, ensuring they match known trusted signatures, which helps in flagging potential threats that mimic trusted communication tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys a malicious executable onto the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker renames the malicious executable to resemble a legitimate communication application, such as \u0026ldquo;slack.exe\u0026rdquo; or \u0026ldquo;Teams.exe\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies or removes the code signature of the malicious executable to avoid detection based on trusted publishers.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the renamed and potentially unsigned malicious executable.\u003c/li\u003e\n\u003cli\u003eThe masqueraded process performs malicious actions, such as establishing a reverse shell or downloading additional payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to move laterally within the network, escalating privileges and compromising additional systems.\u003c/li\u003e\n\u003cli\u003eThe final objective is to exfiltrate sensitive data or deploy ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful masquerading attacks can lead to significant security breaches, including data theft, system compromise, and financial loss. By disguising malicious processes as legitimate communication apps, attackers can bypass security controls and operate undetected for extended periods. This can result in widespread damage and disruption, as well as reputational damage for the targeted organization. The impact can range from a few compromised systems to a complete network takeover, depending on the attacker\u0026rsquo;s objectives and the effectiveness of the masquerading technique.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Masquerading as Communication Apps - Generic\u0026rdquo; to your SIEM and tune for your environment to detect unsigned or improperly signed communication applications.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Masquerading as Communication Apps - Specific\u0026rdquo; to your SIEM and tune for your environment to detect unsigned or improperly signed instances of specific communication applications.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging on Windows systems to capture the necessary events for the Sigma rules.\u003c/li\u003e\n\u003cli\u003eReview and validate the code signatures of all communication apps on your systems to ensure they are properly signed by trusted entities.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted executables.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-masquerading-communication-apps/","summary":"Attackers may attempt to evade defenses by masquerading malicious processes as legitimate communication applications such as Slack, WebEx, Teams, Discord, RocketChat, Mattermost, WhatsApp, Zoom, Outlook and Thunderbird.","title":"Potential Masquerading as Communication Apps","url":"https://feed.craftedsignal.io/briefs/2024-01-masquerading-communication-apps/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","CISCO Talos"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","smb","file-transfer","windows"],"_cs_type":"threat","_cs_vendors":["Elastic","Cisco"],"content_html":"\u003cp\u003eThis detection rule identifies the potential transfer of malicious tools within a Windows environment using SMB shares. Attackers commonly leverage SMB shares to propagate malware, tools, or scripts to compromised systems for lateral movement. The rule focuses on detecting the creation or modification of executable files (e.g., .exe, .dll, .ps1) on network shares, which is a strong indicator of malicious activity. The rule leverages Elastic Defend data to detect this activity and can be used to identify systems that may be compromised. This technique is used to deploy additional payloads, credential dumpers, or other malicious tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies accessible SMB shares within the compromised environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to connect to a target SMB share (port 445) on another system.\u003c/li\u003e\n\u003cli\u003eThe attacker copies an executable file (e.g., malware, a credential dumping tool, or a PowerShell script) to the SMB share.\u003c/li\u003e\n\u003cli\u003eThe target system detects a new file creation or change event on the SMB share.\u003c/li\u003e\n\u003cli\u003eA user or process on the target system executes the transferred file.\u003c/li\u003e\n\u003cli\u003eThe executed file performs malicious actions on the target system, such as credential theft or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly compromised system to further expand their access within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to propagate malware or malicious tools throughout the network, leading to widespread compromise. Lateral movement enables attackers to access sensitive data, escalate privileges, and ultimately achieve their objectives, which may include data exfiltration, ransomware deployment, or system disruption. The rule aims to detect this activity early in the attack chain and mitigate potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious executable file creation/modification events on SMB shares.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend on all Windows endpoints to provide the necessary data for the detection rule to function.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rules, focusing on the process execution chain, file reputation, and user activity.\u003c/li\u003e\n\u003cli\u003eReview and restrict write access to network shares to minimize the risk of unauthorized file transfers.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to port 445 (SMB) for suspicious activity, especially connections originating from unusual source IPs (Sigma rule, log source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-lateral-tool-transfer-smb/","summary":"The rule identifies the creation or change of a Windows executable file over network shares, indicating potential lateral tool transfer via SMB, which adversaries may use to move tools between systems in a compromised environment.","title":"Potential Lateral Tool Transfer via SMB Share","url":"https://feed.craftedsignal.io/briefs/2024-01-lateral-tool-transfer-smb/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Secure Firewall Threat Defense","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Secure Access Firewall"],"_cs_severities":["high"],"_cs_tags":["network","smb","lateral-movement","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Cisco","Splunk"],"content_html":"\u003cp\u003eThis detection identifies outbound Server Message Block (SMB) traffic from internal hosts to external servers. The activity is identified by monitoring network traffic for SMB requests directed towards the Internet, an unusual occurrence in standard operations. This analytic is crucial for Security Operations Centers (SOCs) as it can signal an attacker\u0026rsquo;s attempt to retrieve credential hashes via compromised internal systems, a critical step in lateral movement and privilege escalation. The source mentions specific relevance to \u0026ldquo;Hidden Cobra Malware\u0026rdquo;, \u0026ldquo;DHS Report TA18-074A\u0026rdquo;, and \u0026ldquo;NOBELIUM Group\u0026rdquo;, suggesting possible connections to these threat actors or campaigns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn internal host is compromised through an initial access vector (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to enumerate network resources accessible from the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages SMB to connect to external servers, typically on ports 139 or 445.\u003c/li\u003e\n\u003cli\u003eThe SMB connection attempts to authenticate or negotiate with the external server.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to exploit vulnerabilities in the SMB protocol or server.\u003c/li\u003e\n\u003cli\u003eThe attacker captures or relays credential hashes transmitted over the SMB connection.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the captured credentials to move laterally to other systems or escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of outbound SMB traffic can lead to unauthorized access to sensitive data and full system compromise. Lateral movement and privilege escalation are key goals. Confirmed malicious SMB traffic could enable attackers to move through the network, potentially impacting numerous systems and leading to significant data breaches. While the number of victims isn\u0026rsquo;t specified, the detection\u0026rsquo;s relevance to known threat actors suggests potentially widespread impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eOutbound SMB Traffic Detected\u003c/code\u003e to your SIEM and tune it for your environment, using the provided positive and negative test cases to ensure accurate detection.\u003c/li\u003e\n\u003cli\u003eInvestigate and block any detected outbound SMB connections that are not explicitly authorized by legitimate business needs (reference \u003ccode\u003edetect_outbound_smb_traffic_filter\u003c/code\u003e macro in the original search).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict internal hosts from directly accessing external SMB services.\u003c/li\u003e\n\u003cli\u003eEnforce strong password policies and multi-factor authentication to mitigate the impact of credential theft.\u003c/li\u003e\n\u003cli\u003eCategorize internal CIDR blocks as \u003ccode\u003einternal\u003c/code\u003e in your asset management system to reduce false positives (reference \u0026ldquo;known_false_positives\u0026rdquo; section).\u003c/li\u003e\n\u003cli\u003eConsider blocking external communications of all SMB versions and related protocols at the network boundary.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-outbound-smb/","summary":"This analytic detects outbound SMB connections from internal hosts to external servers, potentially indicating lateral movement and credential theft attempts.","title":"Outbound SMB Traffic Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-outbound-smb/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2023-20185"}],"_cs_exploited":false,"_cs_products":["Nexus 9000 Series Fabric Switches in ACI mode"],"_cs_severities":["high"],"_cs_tags":["cve-2023-20185","information-disclosure","network"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eA vulnerability exists within the Cisco ACI Multi-Site CloudSec encryption feature of Cisco Nexus 9000 Series Fabric Switches when operating in ACI mode. This flaw enables an unauthenticated, remote adversary to potentially decipher and manipulate encrypted traffic traversing between sites. The vulnerability, identified as CVE-2023-20185, originates from an issue in the cipher implementation employed by the CloudSec encryption feature. Cisco has deprecated and removed the affected ACI Multi-Site CloudSec encryption feature.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker establishes a network position on-path between ACI sites.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts intersite encrypted traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the captured traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the weak cipher implementation.\u003c/li\u003e\n\u003cli\u003eThe attacker decrypts the intercepted traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker reads sensitive data within the decrypted traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the decrypted traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker re-encrypts (or forwards unencrypted) the modified traffic toward the destination.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2023-20185 allows unauthorized reading and modification of data transmitted between ACI sites. The impact can range from data breaches and intellectual property theft to manipulated financial transactions and compromised control systems. The lack of a workaround necessitates immediate action to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply configuration changes to remove usage of the CloudSec encryption feature.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual patterns indicative of man-in-the-middle attacks targeting intersite communication.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect potential exploitation attempts targeting intersite traffic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-cisco-aci-cloudsec/","summary":"A vulnerability in Cisco ACI Multi-Site CloudSec encryption allows a remote attacker to read or modify intersite encrypted traffic due to a flaw in cipher implementation.","title":"Cisco ACI Multi-Site CloudSec Encryption Information Disclosure Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-aci-cloudsec/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Slack","WebEx","Teams","Discord","WhatsApp","Zoom","Outlook","Thunderbird","Grammarly","Dropbox","Tableau","Google Drive","MSOffice","Okta","OneDrive","Chrome","Firefox","Edge","Brave","GoogleCloud Related Tools","Github Related Tools","Notion"],"_cs_severities":["medium"],"_cs_tags":["masquerading","defense-evasion","initial-access","malware","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Slack","Cisco","Microsoft","Discord","Zoom","Mozilla","Grammarly","Dropbox","Tableau","Google","Okta","Brave","GitHub","Notion"],"content_html":"\u003cp\u003eAttackers often attempt to trick users into downloading and executing malicious executables by disguising them as legitimate business applications. This tactic is used to bypass security measures and gain initial access to a system. These malicious executables, often distributed via malicious ads, forum posts, and tutorials, mimic the names of commonly used applications such as Slack, WebEx, Teams, Discord, and Zoom. The executables are typically unsigned or signed with invalid certificates to further evade detection. This allows the attacker to execute arbitrary code on the victim\u0026rsquo;s machine, potentially leading to further compromise. This campaign aims to target end-users who are less security-aware, and this makes social engineering attacks like this very effective.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user visits a compromised website or clicks on a malicious advertisement.\u003c/li\u003e\n\u003cli\u003eThe user is prompted to download an installer file masquerading as a legitimate business application (e.g., Slack, Zoom, Teams) from a download directory.\u003c/li\u003e\n\u003cli\u003eThe downloaded executable is placed in the user\u0026rsquo;s Downloads folder (e.g., C:\\Users*\\Downloads*).\u003c/li\u003e\n\u003cli\u003eThe user executes the downloaded file.\u003c/li\u003e\n\u003cli\u003eThe executable, lacking a valid code signature, begins execution.\u003c/li\u003e\n\u003cli\u003eThe malicious installer may drop and execute additional malware components.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence, potentially using techniques such as registry key modification.\u003c/li\u003e\n\u003cli\u003eThe malware performs malicious activities, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of a masqueraded business application installer can lead to a complete system compromise. The attacker gains initial access and can deploy various malware payloads, including ransomware, keyloggers, and data stealers. This can result in data breaches, financial loss, and reputational damage. Although the specific number of victims and sectors targeted are not detailed, the widespread use of the applications being spoofed (Slack, Zoom, etc.) suggests a broad potential impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003ePotential Masquerading as Business App Installer\u003c/code\u003e to detect unsigned executables resembling legitimate business applications in download directories.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging to capture the execution of unsigned executables.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks of downloading and executing files from untrusted sources.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to restrict the execution of unauthorized applications.\u003c/li\u003e\n\u003cli\u003eRegularly update endpoint detection and response (EDR) tools to detect and prevent the execution of known malware.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for processes originating from the Downloads folder that lack valid code signatures.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-masquerading-business-apps/","summary":"Attackers masquerade malicious executables as legitimate business application installers to trick users into downloading and executing malware, leveraging defense evasion and initial access techniques.","title":"Masquerading Business Application Installers","url":"https://feed.craftedsignal.io/briefs/2024-01-masquerading-business-apps/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Cisco Secure Access Firewall","Palo Alto Network Traffic"],"_cs_severities":["medium"],"_cs_tags":["network-traffic","command-and-control","data-exfiltration"],"_cs_type":"advisory","_cs_vendors":["Splunk","Cisco","Palo Alto"],"content_html":"\u003cp\u003eThis detection focuses on identifying anomalous ICMP (Internet Control Message Protocol) traffic indicative of malicious activity. ICMP is typically used for network diagnostics but can be abused for covert communication, data exfiltration, or command-and-control (C2) by threat actors. This analytic identifies ICMP traffic exceeding 1,000 bytes directed toward external IP addresses, filtering out internal networks. The detection logic leverages the Network_Traffic data model. Validated malicious instances may signal ICMP tunneling, unauthorized data transfer, or compromised endpoints. The data sources for this analytic include Palo Alto Network Traffic and Cisco Secure Access Firewall logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a host within the network.\u003c/li\u003e\n\u003cli\u003eThe compromised host initiates ICMP traffic to an external IP address.\u003c/li\u003e\n\u003cli\u003eThe ICMP traffic exceeds 1000 bytes, evading default network monitoring thresholds.\u003c/li\u003e\n\u003cli\u003eThe attacker uses ICMP to tunnel data, bypassing normal data transfer protocols.\u003c/li\u003e\n\u003cli\u003eThe compromised host uses ICMP for command and control, receiving instructions from the external attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a covert communication channel using ICMP, masking their activity within normal network traffic.\u003c/li\u003e\n\u003cli\u003eSensitive data is exfiltrated via ICMP packets to the attacker-controlled external server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation through large ICMP traffic can lead to data breaches, unauthorized access to internal resources, and the establishment of persistent command and control within the network. ICMP tunneling can bypass traditional security measures, allowing attackers to operate undetected. The impact of successful exploitation includes the potential compromise of sensitive data, disruption of network services, and financial loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Large ICMP Traffic\u003c/code\u003e to your SIEM and tune the byte threshold (currently 1000 bytes) based on your network baseline to minimize false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eDetect Large ICMP Traffic\u003c/code\u003e rule, focusing on the source and destination IPs involved.\u003c/li\u003e\n\u003cli\u003eExamine network traffic logs for patterns indicative of ICMP tunneling or covert communication channels, using the provided data sources.\u003c/li\u003e\n\u003cli\u003eUtilize the provided search \u003ccode\u003eView the detection results\u003c/code\u003e to review related events and potential lateral movement.\u003c/li\u003e\n\u003cli\u003eImplement the provided search \u003ccode\u003eView risk events\u003c/code\u003e to look at risk factors for the involved assets.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-large-icmp-traffic/","summary":"This analytic identifies excessive ICMP traffic to external IP addresses exceeding 1,000 bytes, potentially indicating command and control activity, data exfiltration, or covert communication channels.","title":"Large ICMP Traffic Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-large-icmp-traffic/"}],"language":"en","title":"CraftedSignal Threat Feed — Cisco","version":"https://jsonfeed.org/version/1.1"}