{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/crowdstrike/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Sysmon Registry Events","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["port-forwarding","registry-modification","command-and-control","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers may configure port forwarding rules to bypass network segmentation restrictions, effectively using the compromised host as a jump box to access previously unreachable systems. This involves modifying the registry to redirect incoming TCP connections from a local port to another port or a remote computer. The technique is typically employed post-compromise to facilitate lateral movement and maintain unauthorized access within the network. This activity is detected by monitoring changes to the \u003ccode\u003eHKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\\u003c/code\u003e registry subkeys.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system through an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a command-line interface (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e) with administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell\u0026rsquo;s \u003ccode\u003eSet-ItemProperty\u003c/code\u003e cmdlet to modify the \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eThe attacker configures a new port forwarding rule by creating a new subkey under \u003ccode\u003ev4tov4\\\u003c/code\u003e with specific settings for the local port, remote address, and remote port.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eListenAddress\u003c/code\u003e, \u003ccode\u003eListenPort\u003c/code\u003e, \u003ccode\u003eConnectAddress\u003c/code\u003e, and \u003ccode\u003eConnectPort\u003c/code\u003e values within the new subkey.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the successful creation and activation of the port forwarding rule using \u003ccode\u003enetsh interface portproxy show v4tov4\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly created port forwarding rule to tunnel traffic through the compromised host, bypassing network segmentation.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the proxied connection to access internal resources and conduct further attacks, such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation enables attackers to bypass network segmentation restrictions, leading to unauthorized access to internal systems and data. This can facilitate lateral movement, data exfiltration, and further compromise of the network. The severity of the impact depends on the sensitivity of the accessible resources and the extent of the attacker\u0026rsquo;s lateral movement.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture modifications to the \u003ccode\u003eHKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\\u003c/code\u003e registry subkeys, enabling detection of malicious port forwarding rule additions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Port Forwarding Rule Addition via Registry Modification\u0026rdquo; to your SIEM to detect suspicious registry modifications related to port forwarding.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the process execution chain and the user account that performed the action.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit existing port forwarding rules to identify and remove any unauthorized or suspicious configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-port-forwarding-registry/","summary":"An adversary may abuse port forwarding to bypass network segmentation restrictions by creating a new port forwarding rule through modification of the Windows registry.","title":"Windows Port Forwarding Rule Addition via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2026-05-port-forwarding-registry/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies suspicious child processes spawned by Zoom.exe, potentially indicating an attempt to evade detection or exploit vulnerabilities within the Zoom application. The rule focuses on detecting instances where command interpreters like cmd.exe, PowerShell, or PowerShell ISE are launched as child processes of Zoom. This behavior can be indicative of an attacker attempting to execute malicious commands or scripts within the context of the Zoom application, potentially escalating privileges or gaining unauthorized access to system resources. It\u0026rsquo;s crucial for defenders to investigate such occurrences, as they may signify ongoing exploitation or malicious activity leveraging Zoom as an initial access vector.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser launches the Zoom application (Zoom.exe).\u003c/li\u003e\n\u003cli\u003eA vulnerability in Zoom is exploited, or the user is socially engineered into running a malicious command.\u003c/li\u003e\n\u003cli\u003eZoom.exe spawns a child process, such as cmd.exe, powershell.exe, pwsh.exe, or powershell_ise.exe.\u003c/li\u003e\n\u003cli\u003eThe spawned process executes commands or scripts, potentially downloading or executing malware.\u003c/li\u003e\n\u003cli\u003eThe malicious script or command performs reconnaissance activities on the system.\u003c/li\u003e\n\u003cli\u003eThe script establishes persistence by creating a scheduled task or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement and data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could allow attackers to execute arbitrary commands, escalate privileges, and compromise the affected system. Depending on the user\u0026rsquo;s privileges, attackers could gain access to sensitive data, install malware, or pivot to other systems on the network. The impact ranges from data breaches to complete system compromise, potentially affecting all users within the organization who utilize the Zoom application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Zoom Child Process\u0026rdquo; to your SIEM to detect command interpreters spawned by Zoom.exe. Tune the rule for your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture detailed information about process executions, which is essential for the Sigma rule above.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the command-line arguments and network connections of the spawned processes.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security Event Logs for process creation events related to Zoom.exe and its child processes to identify suspicious behavior.\u003c/li\u003e\n\u003cli\u003eConsider implementing application control policies to restrict the execution of unauthorized processes within the Zoom application context.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-11-suspicious-zoom-child-process/","summary":"A suspicious Zoom child process was detected, indicating a potential attempt to run unnoticed by masquerading as Zoom.exe or exploiting a vulnerability, resulting in the execution of cmd.exe, powershell.exe, pwsh.exe, or powershell_ise.exe.","title":"Suspicious Zoom Child Process Execution","url":"https://feed.craftedsignal.io/briefs/2024-11-suspicious-zoom-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","Sysmon","Crowdstrike","SentinelOne Cloud Funnel","Elastic Endgame"],"_cs_severities":["medium"],"_cs_tags":["powershell","malware","execution"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies the execution of PowerShell with suspicious argument values on Windows systems. This behavior is frequently associated with malware installation and other malicious activities. PowerShell is a powerful scripting language, and adversaries often exploit its capabilities to execute malicious scripts, download payloads, and obfuscate commands. The rule focuses on detecting patterns such as encoded commands, suspicious downloads (e.g., using WebClient or Invoke-WebRequest), and various obfuscation techniques used to evade detection. The rule is designed to work with various data sources, including Elastic Defend, Windows Security Event Logs, Sysmon, and third-party EDR solutions like CrowdStrike, Microsoft Defender XDR, and SentinelOne, enhancing its applicability across different environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell to download a malicious payload from a remote server using commands like \u003ccode\u003eDownloadFile\u003c/code\u003e or \u003ccode\u003eDownloadString\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is often encoded or obfuscated to evade detection. Common techniques include Base64 encoding, character manipulation, and compression.\u003c/li\u003e\n\u003cli\u003ePowerShell is then used to decode or deobfuscate the payload using methods like \u003ccode\u003e[Convert]::FromBase64String\u003c/code\u003e or \u003ccode\u003e[char[]](...) -join ''\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe deobfuscated payload is executed directly in memory using techniques like \u003ccode\u003eiex\u003c/code\u003e (Invoke-Expression) or \u003ccode\u003eReflection.Assembly.Load\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe executed payload performs malicious actions, such as installing malware, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker may use techniques like \u003ccode\u003eWebClient\u003c/code\u003e to download files from a remote URL.\u003c/li\u003e\n\u003cli\u003eCommands like \u003ccode\u003enslookup -q=txt\u003c/code\u003e are used for command and control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to malware installation, data theft, system compromise, and further propagation of the attack within the network. The detection of suspicious PowerShell arguments helps to identify and prevent these malicious activities before significant damage can occur. Without proper detection, attackers can maintain persistence, escalate privileges, and compromise sensitive data. The rule helps defenders identify and respond to these threats quickly, minimizing the impact of potential attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious PowerShell activity.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with command line arguments to ensure the necessary data is captured for the Sigma rules to function effectively.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules to determine the legitimacy of the PowerShell activity and take appropriate remediation steps.\u003c/li\u003e\n\u003cli\u003eContinuously tune the Sigma rules based on your environment to reduce false positives and improve detection accuracy.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-09-susp-powershell-args/","summary":"This rule identifies the execution of PowerShell with suspicious argument values, often observed during malware installation, by detecting unusual PowerShell arguments indicative of abuse, focusing on patterns like encoded commands, suspicious downloads, and obfuscation techniques.","title":"Suspicious Windows PowerShell Arguments Detected","url":"https://feed.craftedsignal.io/briefs/2024-09-susp-powershell-args/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike","SentinelOne Cloud Funnel","Sysmon","Windows Security Event Logs"],"_cs_severities":["medium"],"_cs_tags":["lolbas","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThe Windows command line debugging utility, cdb.exe, is a legitimate tool used for debugging applications. However, adversaries can exploit it to execute unauthorized commands or shellcode, bypassing security measures. This can be achieved by running cdb.exe from non-standard installation paths and using specific command-line arguments to execute malicious commands. The LOLBAS project documents this technique, highlighting its potential for defense evasion. This activity has been observed across various environments, necessitating detection strategies that focus on identifying anomalous executions of cdb.exe.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker copies cdb.exe to a non-standard location (outside \u0026ldquo;Program Files\u0026rdquo; and \u0026ldquo;Program Files (x86)\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker executes cdb.exe with the \u003ccode\u003e-cf\u003c/code\u003e, \u003ccode\u003e-c\u003c/code\u003e, or \u003ccode\u003e-pd\u003c/code\u003e command-line arguments.\u003c/li\u003e\n\u003cli\u003eThese arguments are used to specify a command file or execute a direct command.\u003c/li\u003e\n\u003cli\u003eThe command file or command directly executes malicious code, such as shellcode.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs actions such as creating new processes, modifying files, or establishing network connections.\u003c/li\u003e\n\u003cli\u003eThese actions allow the attacker to maintain persistence or escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is to evade defenses and execute arbitrary code on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows adversaries to execute arbitrary commands and shellcode on the affected system, potentially leading to complete system compromise. This can result in data theft, installation of malware, or further propagation within the network. The technique is effective at bypassing application whitelisting and other security controls that rely on standard execution paths.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Execution via Windows Command Debugging Utility\u0026rdquo; to your SIEM to detect suspicious cdb.exe executions (see rules section).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging via Sysmon or Windows Security Event Logs to provide the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent execution of cdb.exe from non-standard paths.\u003c/li\u003e\n\u003cli\u003eMonitor process command lines for the \u003ccode\u003e-cf\u003c/code\u003e, \u003ccode\u003e-c\u003c/code\u003e, and \u003ccode\u003e-pd\u003c/code\u003e flags when cdb.exe is executed.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of cdb.exe running from unusual directories to determine legitimacy.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-07-cdb-execution/","summary":"Adversaries can abuse the Windows command line debugging utility cdb.exe to execute commands or shellcode from non-standard paths, evading traditional security measures.","title":"Suspicious Execution via Windows Command Debugging Utility","url":"https://feed.craftedsignal.io/briefs/2024-07-cdb-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection rule identifies modifications to Subject Interface Package (SIP) providers, a critical component of the Windows cryptographic system responsible for validating file signatures. Attackers may attempt to subvert trust controls by modifying SIP providers, allowing them to bypass signature validation checks and potentially inject malicious code into trusted processes. This activity is a form of defense evasion, allowing unauthorized code execution. The rule focuses on detecting suspicious registry changes associated with SIP providers, while excluding known benign processes to minimize false positives. The rule is designed for data generated by Elastic Defend, but also supports third-party data sources like CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon. This activity is related to MITRE ATT\u0026amp;CK technique T1553.003 (SIP and Trust Provider Hijacking).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through various means (e.g., phishing, exploitation of vulnerabilities).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain necessary permissions to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry keys associated with SIP providers, specifically targeting \u003ccode\u003eCryptSIPDllPutSignedDataMsg\u003c/code\u003e and \u003ccode\u003eTrust\\\\FinalPolicy\u003c/code\u003e locations.\u003c/li\u003e\n\u003cli\u003eThe attacker changes the \u003ccode\u003eDll\u003c/code\u003e value within these registry keys to point to a malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe system, upon attempting to validate a file signature, loads the malicious DLL instead of the legitimate SIP provider.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes arbitrary code, potentially injecting it into other processes.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the injected code to further compromise the system or network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of SIP providers allows attackers to bypass signature validation checks, leading to the execution of unsigned or malicious code. This can compromise the integrity of the system, leading to data breaches, system instability, or further propagation of malware within the network. The impact can range from individual workstation compromise to widespread organizational damage, depending on the scope of the attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SIP Provider Modification via Registry\u003c/code\u003e to your SIEM and tune it for your environment to detect suspicious registry modifications related to SIP providers.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to collect the necessary data for the Sigma rules above.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rules, focusing on the process responsible for the registry change and the DLL being loaded, as described in the rule\u0026rsquo;s triage section.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted code.\u003c/li\u003e\n\u003cli\u003eMonitor the registry paths listed in the Sigma rules for unexpected changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-01-sip-provider-modification/","summary":"This rule detects modifications to the registered Subject Interface Package (SIP) providers, which are used by the Windows cryptographic system to validate file signatures, potentially indicating an attempt to bypass signature validation or inject code for defense evasion.","title":"SIP Provider Modification for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-sip-provider-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","Crowdstrike","Elastic"],"content_html":"\u003cp\u003eThis detection identifies the modification of Discretionary Access Control Lists (DACLs) for Windows services using the \u003ccode\u003esc.exe\u003c/code\u003e utility. Attackers can leverage this technique to deny access to a service, making it unmanageable or hiding it from system administrators and users. The detection rule focuses on identifying instances where \u003ccode\u003esc.exe\u003c/code\u003e is used with the \u003ccode\u003esdset\u003c/code\u003e argument, specifically targeting the denial of access for key user groups such as IU, SU, BA, SY, and WD. This activity is indicative of a defense evasion attempt aimed at hindering security tools or preventing remediation. The rule is designed for data generated by Elastic Defend, but also supports integrations with third-party data sources like CrowdStrike, Microsoft Defender XDR, and SentinelOne Cloud Funnel, offering broad coverage for detecting this malicious behavior across diverse environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system through various means (e.g., compromised credentials, phishing).\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain necessary permissions to modify service configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003esc.exe\u003c/code\u003e with the \u003ccode\u003esdset\u003c/code\u003e command to modify the DACL of a targeted service.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esdset\u003c/code\u003e command arguments specify the new security descriptor, denying access to specific user groups (e.g., IU, SU, BA, SY, WD).\u003c/li\u003e\n\u003cli\u003eThe service becomes inaccessible to the targeted user groups, potentially disrupting legitimate operations or security tools.\u003c/li\u003e\n\u003cli\u003eThe attacker may repeat this process for multiple services to further impair system functionality or evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the disabled or hidden services to maintain persistence or carry out other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of service DACLs can lead to a denial-of-service condition for legitimate users and system administrators. This can impair the functionality of critical security tools, hinder incident response efforts, and provide attackers with a persistent foothold on the compromised system. The hiding of services can also prevent users from identifying and removing malicious services. While the number of victims is not specified in the source, organizations across various sectors are potentially vulnerable to this type of attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eService DACL Modification via sc.exe\u003c/code\u003e to your SIEM to detect this specific behavior.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to provide the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where \u003ccode\u003esc.exe\u003c/code\u003e is used with the \u003ccode\u003esdset\u003c/code\u003e argument and access denial flags, focusing on the targeted user groups (IU, SU, BA, SY, WD).\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and monitor for unauthorized attempts to modify service configurations.\u003c/li\u003e\n\u003cli\u003eRegularly audit service permissions to identify and remediate any unauthorized changes.\u003c/li\u003e\n\u003cli\u003eReview and update endpoint protection policies to prevent similar threats in the future, ensuring that all systems are equipped with the latest security patches and configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-07-service-dacl-modification/","summary":"Detection of service DACL modifications via `sc.exe` using the `sdset` command, potentially leading to defense evasion by denying service access to legitimate users or system accounts.","title":"Service DACL Modification via sc.exe","url":"https://feed.craftedsignal.io/briefs/2024-07-service-dacl-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Sysmon","Elastic Defend","SentinelOne Cloud Funnel","CrowdStrike Falcon"],"_cs_severities":["medium"],"_cs_tags":["initial-access","rdp","phishing","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers are increasingly using malicious Remote Desktop Protocol (RDP) files to gain initial access to systems. These RDP files, often delivered via spearphishing attachments, contain connection settings that, when opened, can compromise a system. This technique allows adversaries to bypass traditional security measures by leveraging a legitimate tool (mstsc.exe) with a malicious configuration file. The observed activity involves opening RDP files from suspicious locations like Downloads, temporary folders (AppData\\Local\\Temp), and Outlook content cache (INetCache\\Content.Outlook). This campaign has been observed as recently as October 2024, where Midnight Blizzard conducted large-scale spear-phishing using RDP files. Defenders should monitor for the execution of mstsc.exe with RDP files from untrusted locations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a spearphishing email containing a malicious RDP file as an attachment.\u003c/li\u003e\n\u003cli\u003eThe victim receives the email and, lured by social engineering, downloads the attached RDP file to a local directory, often the Downloads folder.\u003c/li\u003e\n\u003cli\u003eThe victim double-clicks the RDP file, initiating the execution of \u003ccode\u003emstsc.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emstsc.exe\u003c/code\u003e reads the connection settings from the RDP file, which may include malicious configurations such as altered gateway settings or credential theft mechanisms.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emstsc.exe\u003c/code\u003e attempts to establish a remote desktop connection based on the RDP file\u0026rsquo;s settings.\u003c/li\u003e\n\u003cli\u003eIf the connection is successful, the attacker gains unauthorized access to the remote system.\u003c/li\u003e\n\u003cli\u003eThe attacker may then perform reconnaissance, move laterally, and escalate privileges within the compromised network.\u003c/li\u003e\n\u003cli\u003eThe final objective could be data exfiltration, ransomware deployment, or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using malicious RDP files can lead to unauthorized access to sensitive systems and data. The consequences range from data breaches and financial loss to complete system compromise and disruption of operations. The Microsoft Security blog reported a large-scale spear-phishing campaign utilizing RDP files as recently as October 2024. The targets may be across various sectors, with potentially widespread impact depending on the attacker\u0026rsquo;s objectives and the scope of the compromised network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRemote Desktop File Opened from Suspicious Path\u003c/code\u003e to your SIEM and tune for your environment, focusing on the specified file paths and \u003ccode\u003emstsc.exe\u003c/code\u003e execution.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments to capture the execution of \u003ccode\u003emstsc.exe\u003c/code\u003e and the paths of the RDP files being opened.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks associated with opening RDP files from untrusted sources, particularly those received as email attachments.\u003c/li\u003e\n\u003cli\u003eImplement strict email filtering to block or quarantine emails with RDP attachments from external sources.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for unusual RDP traffic originating from systems where suspicious RDP files were executed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-11-rdp-file-attachment/","summary":"Adversaries may abuse RDP files delivered via phishing from suspicious locations to gain unauthorized access to systems.","title":"Remote Desktop File Opened from Suspicious Path","url":"https://feed.craftedsignal.io/briefs/2024-11-rdp-file-attachment/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["low"],"_cs_tags":["defense evasion","impact","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe Sysinternals SDelete utility is a legitimate tool developed by Microsoft for securely deleting files by overwriting and renaming them multiple times. While intended for secure data disposal, adversaries can abuse SDelete to remove forensic artifacts, destroy evidence of their activities, and impede data recovery efforts after a successful ransomware attack or data theft. This activity can be used as a post-exploitation technique. This detection rule focuses on identifying file name patterns indicative of SDelete\u0026rsquo;s operation, specifically detecting files with names resembling \u0026ldquo;*AAA.AAA\u0026rdquo;. The rule is designed to work with various endpoint detection and response solutions, including Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and CrowdStrike.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain the necessary permissions to delete files.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys or utilizes an existing copy of the SDelete utility.\u003c/li\u003e\n\u003cli\u003eThe attacker executes SDelete against targeted files or directories.\u003c/li\u003e\n\u003cli\u003eSDelete overwrites the targeted file(s) multiple times with random data.\u003c/li\u003e\n\u003cli\u003eSDelete renames the file(s) multiple times, often with patterns such as \u0026ldquo;*AAA.AAA\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eSDelete deletes the file(s) making recovery difficult.\u003c/li\u003e\n\u003cli\u003eThe attacker removes SDelete or any associated tools to further cover their tracks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can result in the permanent deletion of crucial forensic artifacts, log files, or even critical data. This can severely hinder incident response efforts, making it challenging to identify the scope of the attack, the attacker\u0026rsquo;s methods, and the compromised assets. The number of victims and affected sectors depends on the scale of the initial breach and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Potential Secure File Deletion via SDelete Utility\u0026rdquo; detection rule to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the detection rule, focusing on the process execution chain and identifying the user account involved.\u003c/li\u003e\n\u003cli\u003eReview the privileges assigned to the user account to ensure the least privilege principle is followed.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) logging to enhance visibility into file creation events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-01-28-sdelete-filename-rename/","summary":"This rule detects file name patterns generated by the use of Sysinternals SDelete utility, potentially used by attackers to delete forensic indicators and hinder data recovery efforts.","title":"Potential Secure File Deletion via SDelete Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-28-sdelete-filename-rename/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","Elastic Endgame"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","ntlm","registry-modification","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis rule detects a specific defense evasion technique where an attacker modifies the Windows registry to force a system to use the less secure NTLMv1 authentication protocol. This is known as a NetNTLMv1 downgrade attack. The registry modification involves changing the \u003ccode\u003eLmCompatibilityLevel\u003c/code\u003e value, which controls the authentication level. Attackers with local administrator privileges can perform this modification to weaken the authentication mechanism, making it easier to intercept and crack credentials. The rule is designed to detect this activity by monitoring registry events from various sources, including Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Crowdstrike. It is important to monitor for this activity as it can lead to credential theft and further compromise of the system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains local administrator privileges on a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a registry editor or command-line tool (e.g., \u003ccode\u003ereg.exe\u003c/code\u003e, PowerShell) to modify the \u003ccode\u003eLmCompatibilityLevel\u003c/code\u003e value in the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to one of the following registry paths: \u003ccode\u003eHKLM\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel\u003c/code\u003e or \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eLmCompatibilityLevel\u003c/code\u003e value to \u0026ldquo;0\u0026rdquo;, \u0026ldquo;1\u0026rdquo;, or \u0026ldquo;2\u0026rdquo; (or their hexadecimal equivalents \u0026ldquo;0x00000000\u0026rdquo;, \u0026ldquo;0x00000001\u0026rdquo;, \u0026ldquo;0x00000002\u0026rdquo;). These values force the system to use NTLMv1.\u003c/li\u003e\n\u003cli\u003eThe system now uses NTLMv1 for authentication attempts.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a man-in-the-middle attack to capture NTLMv1 authentication traffic using tools like Responder or Inveigh.\u003c/li\u003e\n\u003cli\u003eThe captured NTLMv1 hashes are cracked using brute-force or dictionary attacks, revealing the user\u0026rsquo;s credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to gain unauthorized access to network resources or other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful NetNTLMv1 downgrade attack can lead to the compromise of user credentials, enabling attackers to move laterally within the network, access sensitive data, and potentially escalate privileges. The impact can range from data breaches to complete system compromise, depending on the attacker\u0026rsquo;s objectives and the compromised user\u0026rsquo;s privileges.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential NetNTLMv1 Downgrade Attack\u0026rdquo; to detect registry modifications setting \u003ccode\u003eLmCompatibilityLevel\u003c/code\u003e to insecure values (0, 1, 2) within the specified registry paths.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to ensure the necessary data is available for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eReview registry event logs for unauthorized modifications of \u003ccode\u003eLmCompatibilityLevel\u003c/code\u003e to confirm legitimate administrative actions.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit local administrator privileges and reduce the attack surface.\u003c/li\u003e\n\u003cli\u003eMonitor the references URL for updates on recommended security configurations related to NTLM authentication.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-netntlmv1-downgrade/","summary":"This brief details a registry modification attack that downgrades the system to NTLMv1 authentication, enabling NetNTLMv1 downgrade attacks, typically performed with local administrator privileges on Windows systems.","title":"Potential NetNTLMv1 Downgrade Attack via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2026-05-netntlmv1-downgrade/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Filtering Platform","elastic-agent","elastic-endpoint"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows-filtering-platform","endpoint-security"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Bitdefender","VMware Carbon Black","Comodo","Vectra AI","Cybereason","Cylance","Elastic","ESET","Broadcom","Fortinet","Kaspersky","Malwarebytes","McAfee","Qualys","SentinelOne","Sophos","Symantec","Trend Micro","BeyondTrust","CrowdStrike","Splunk","Tanium"],"content_html":"\u003cp\u003eThe Windows Filtering Platform (WFP) provides APIs and system services for network filtering and packet processing. Attackers can abuse WFP by creating malicious rules to block endpoint security processes, hindering their ability to send telemetry. This can be achieved by tools like Shutter, EDRSilencer, and Nighthawk. This detection rule identifies patterns of blocked network events linked to security software processes, signaling potential evasion tactics. The rule specifically looks for blocked network events linked to processes associated with known security software, aiming to detect and alert on attempts to disable or modify security tools. This behavior is especially concerning as it allows attackers to operate with reduced visibility.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system (e.g., via compromised credentials or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain administrative rights, necessary to interact with the Windows Filtering Platform.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool or script (e.g., leveraging the \u003ccode\u003enetsh\u003c/code\u003e command or custom WFP API calls) to create a new WFP filter.\u003c/li\u003e\n\u003cli\u003eThe WFP filter is configured to block network traffic originating from specific processes associated with endpoint security software (e.g., \u003ccode\u003eelastic-agent.exe\u003c/code\u003e, \u003ccode\u003esysmon.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe system begins blocking network communication from the targeted security software.\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious commands or malware on the system, knowing that security telemetry will be suppressed.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network, repeating the WFP filter deployment on other systems to further impair defenses.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or ransomware deployment, with reduced risk of detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using WFP to impair defenses can lead to a significant reduction in the effectiveness of endpoint security solutions. This can result in delayed detection of malicious activities, increased dwell time for attackers, and ultimately, a higher likelihood of successful data breaches or ransomware attacks. With endpoint telemetry blocked, organizations may remain unaware of the ongoing compromise until significant damage has occurred. The number of affected systems can vary depending on the attacker\u0026rsquo;s scope and objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and review Windows Audit Filtering Platform Connection and Packet Drop events to populate the logs required for the provided EQL rule (logs-system.security*, logs-windows.forwarded*, winlogbeat-*).\u003c/li\u003e\n\u003cli\u003eDeploy the provided EQL rule to your SIEM to detect suspicious WFP modifications and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the EQL rule, focusing on identifying the specific processes being blocked and the source of the WFP rule modifications.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit WFP rules to identify any unauthorized or suspicious entries.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and monitoring for systems authorized to modify WFP rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-wfp-evasion/","summary":"Adversaries may add malicious Windows Filtering Platform (WFP) rules to prevent endpoint security solutions from sending telemetry data, impairing defenses, which this rule detects by identifying multiple WFP block events where the process name is associated with endpoint security software.","title":"Potential Evasion via Windows Filtering Platform Blocking Security Software","url":"https://feed.craftedsignal.io/briefs/2026-05-wfp-evasion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike FDR"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","lateral-movement","persistence","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe LocalAccountTokenFilterPolicy is a Windows registry setting that, when enabled (set to 1), allows remote connections from local members of the Administrators group to be granted full high-integrity tokens during negotiation. This bypasses User Account Control (UAC) restrictions, allowing for elevated privileges remotely. Attackers may modify this registry setting to facilitate lateral movement within a network. This rule detects modifications to this specific registry setting, alerting on potential unauthorized changes that could lead to defense evasion and privilege escalation. The modification of this policy has been observed being leveraged in conjunction with pass-the-hash attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system through an exploit, such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains local administrator credentials on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the LocalAccountTokenFilterPolicy registry key to a value of 1. This is done to allow remote connections from local administrator accounts to receive high-integrity tokens. The registry key is typically located at \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a \u0026ldquo;pass the hash\u0026rdquo; attack (T1550.002) using the compromised local administrator credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems within the network using the \u0026ldquo;pass the hash\u0026rdquo; technique and the modified LocalAccountTokenFilterPolicy.\u003c/li\u003e\n\u003cli\u003eDue to the LocalAccountTokenFilterPolicy being enabled, the remote connection from the local administrator account receives a full high-integrity token.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses UAC on the remote system, gaining elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities on the remote system, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the LocalAccountTokenFilterPolicy allows attackers to bypass User Account Control (UAC) and gain elevated privileges on remote systems, potentially leading to unauthorized access to sensitive data, lateral movement across the network, and the deployment of ransomware. The overall impact can include data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eLocal Account TokenFilter Policy Enabled\u003c/code\u003e to your SIEM and tune for your environment to detect unauthorized modifications to the LocalAccountTokenFilterPolicy registry key.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture modifications to the registry, which is required for the \u003ccode\u003eLocal Account TokenFilter Policy Enabled\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview the processes excluded in the rule query and ensure they are legitimate and necessary to prevent false positives.\u003c/li\u003e\n\u003cli\u003eMonitor registry events for changes to the \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy\u003c/code\u003e path, specifically looking for changes to the value data.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-01-02-local-account-token-filter-policy-disabled/","summary":"Adversaries may modify the LocalAccountTokenFilterPolicy registry key to bypass User Account Control (UAC) and gain elevated privileges remotely by granting high-integrity tokens to remote connections from local administrators, facilitating lateral movement and defense evasion.","title":"Local Account TokenFilter Policy Modification for Defense Evasion and Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-02-local-account-token-filter-policy-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR"],"_cs_severities":["low"],"_cs_tags":["discovery","domain-trust","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe \u003ccode\u003edsquery.exe\u003c/code\u003e utility is a command-line tool in Windows used to query Active Directory. Attackers may leverage \u003ccode\u003edsquery.exe\u003c/code\u003e to discover domain trust relationships within a Windows environment, mapping out potential lateral movement paths. This discovery is often an early stage in reconnaissance, before an attacker attempts to move laterally to other systems. This activity can be detected across various endpoint detection platforms including Elastic Defend, CrowdStrike, Microsoft Defender XDR, and SentinelOne. This activity is not inherently malicious, as administrators also use it for legitimate purposes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised host within the target environment.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003edsquery.exe\u003c/code\u003e with the argument \u003ccode\u003eobjectClass=trustedDomain\u003c/code\u003e to enumerate domain trusts.\u003c/li\u003e\n\u003cli\u003eThe command execution is logged by endpoint detection and response (EDR) solutions or Windows Security Event Logs.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output of the \u003ccode\u003edsquery.exe\u003c/code\u003e command to identify trusted domains and their attributes.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the discovered trust information to plan lateral movement strategies.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to other systems within the trusted domains using stolen credentials or other exploits.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enumeration of domain trusts enables attackers to map out the Active Directory environment and identify potential pathways for lateral movement. While the enumeration itself is low impact, it facilitates subsequent actions like credential theft, privilege escalation, and data exfiltration. This can lead to widespread compromise across the organization, impacting numerous systems and sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Enumerating Domain Trusts via DSQUERY.EXE\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any execution of \u003ccode\u003edsquery.exe\u003c/code\u003e with the argument \u003ccode\u003eobjectClass=trustedDomain\u003c/code\u003e to identify potentially malicious activity.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for \u003ccode\u003edsquery.exe\u003c/code\u003e to detect suspicious command-line arguments and execution patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-domain-trust-discovery/","summary":"Adversaries may use the `dsquery.exe` command-line utility to enumerate trust relationships for lateral movement in Windows multi-domain environments.","title":"Enumerating Domain Trusts via DSQUERY.EXE","url":"https://feed.craftedsignal.io/briefs/2026-05-domain-trust-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","code-signing","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers may attempt to subvert trust controls by disabling or modifying the code signing policy. This allows them to execute unsigned or self-signed malicious code. This can be achieved by modifying boot configuration data (BCD) settings using the built-in bcdedit.exe utility on Windows. Disabling Driver Signature Enforcement (DSE) allows the loading of untrusted drivers, which can compromise system integrity. The rule identifies commands that can disable the Driver Signature Enforcement feature. The scope of the targeting is broad, as it can affect any Windows system where an attacker gains sufficient privileges to modify the BCD settings. This activity is detected by analyzing process execution events for specific command-line arguments used with bcdedit.exe. The detection rule was last updated on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains administrative privileges on a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ebcdedit.exe\u003c/code\u003e with arguments to disable driver signature enforcement. Example: \u003ccode\u003ebcdedit.exe /set testsigning on\u003c/code\u003e or \u003ccode\u003ebcdedit.exe /set nointegritychecks on\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ebcdedit.exe\u003c/code\u003e modifies the Boot Configuration Data (BCD) store.\u003c/li\u003e\n\u003cli\u003eThe system is restarted to apply the changes made to the BCD.\u003c/li\u003e\n\u003cli\u003eThe attacker loads an unsigned or self-signed malicious driver.\u003c/li\u003e\n\u003cli\u003eThe malicious driver executes with kernel-level privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities such as installing rootkits, bypassing security controls, or stealing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by ensuring the malicious driver is loaded on subsequent system reboots.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the code signing policy can lead to the execution of unsigned or self-signed malicious code, which can compromise the integrity and security of the system. Attackers can install rootkits, bypass security controls, or steal sensitive data. The impact can range from individual system compromise to broader network-wide attacks, depending on the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Code Signing Policy Modification Through Built-in Tools\u0026rdquo; to your SIEM to detect the execution of \u003ccode\u003ebcdedit.exe\u003c/code\u003e with arguments used to disable code signing (process.args).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments on Windows systems to ensure the Sigma rule can capture the relevant events (logsource).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of code signing policy modification, as this activity is typically not legitimate and can indicate malicious activity. The rule \u003ccode\u003eFirst Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\u003c/code\u003e can be used to detect suspicious drivers loaded into the system after the command was executed.\u003c/li\u003e\n\u003cli\u003eEnsure that Driver Signature Enforcement is enabled on all systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-01-09-code-signing-policy-modification/","summary":"Attackers may attempt to disable or modify code signing policies on Windows systems by using built-in tools like bcdedit.exe in order to execute unsigned or self-signed malicious code.","title":"Code Signing Policy Modification Through Built-in Tools","url":"https://feed.craftedsignal.io/briefs/2024-01-09-code-signing-policy-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","sentinel_one_cloud_funnel","crowdstrike.fdr"],"_cs_severities":["high"],"_cs_tags":["container-escape","privilege-escalation","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection rule monitors for a specific sequence of commands on Linux systems that could indicate an attempt to escape a containerized environment. The attack involves first mounting a file system, typically targeting the host\u0026rsquo;s root file system, and then using the \u003ccode\u003echroot\u003c/code\u003e command to change the root directory. This combination, if successful, allows an attacker inside a container to gain unauthorized access to the host system. The rule is designed to identify this uncommon behavior pattern, which is a strong indicator of malicious activity. The rule is applicable to environments utilizing Elastic Defend, SentinelOne Cloud Funnel, and Crowdstrike FDR. The detection looks for this sequence occurring within a 5-minute timeframe.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a container, possibly through exploiting a vulnerability or misconfiguration in the application running within the container.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to mount the host\u0026rsquo;s root filesystem within the container using the \u003ccode\u003emount\u003c/code\u003e command, often targeting \u003ccode\u003e/dev/sd*\u003c/code\u003e devices. This requires sufficient privileges within the container, or the exploitation of a container escape vulnerability to gain such privileges.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emount\u003c/code\u003e command is executed with arguments specifying the device to mount and the mount point within the container\u0026rsquo;s file system.\u003c/li\u003e\n\u003cli\u003eThe attacker then executes the \u003ccode\u003echroot\u003c/code\u003e command, changing the root directory of the current process to the mounted host\u0026rsquo;s root filesystem.\u003c/li\u003e\n\u003cli\u003eAfter successfully executing \u003ccode\u003echroot\u003c/code\u003e, the attacker\u0026rsquo;s perspective shifts to the host\u0026rsquo;s file system, allowing them to access and modify sensitive files and configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses their newly acquired access to install backdoors, create new user accounts with elevated privileges, or modify system configurations to establish persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to move laterally to other containers or systems within the network, leveraging their compromised position on the host.\u003c/li\u003e\n\u003cli\u003eThe final objective is to gain complete control over the host system and potentially the entire infrastructure, leading to data exfiltration, system disruption, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful container escape can have severe consequences, potentially leading to complete compromise of the host system and the data it contains. Depending on the environment, this could affect a single server or spread to many hosts. The compromise of containerized environments can lead to data breaches, service disruption, and reputational damage. Given the sensitive nature of data often processed within containers, the impact can range from financial losses to regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect potential container escapes.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend integration to collect process data, and ensure Session View data is enabled to enhance visibility as mentioned in the setup guide.\u003c/li\u003e\n\u003cli\u003eReview and harden container configurations to minimize privileges granted to containerized processes, reducing the attack surface for escape attempts.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential for lateral movement following a successful container escape.\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for unusual mount and chroot command sequences within container environments using Elastic Defend, SentinelOne, and Crowdstrike logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:45:21Z","date_published":"2026-05-02T12:45:21Z","id":"/briefs/2024-01-chroot-container-escape/","summary":"The rule detects a potential chroot container escape via mount, which involves a user within a container mounting the host's root file system and using chroot to escape the containerized environment, indicating a privilege escalation attempt.","title":"Potential Chroot Container Escape via Mount","url":"https://feed.craftedsignal.io/briefs/2024-01-chroot-container-escape/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["high"],"_cs_tags":["credential-access","kerberos","spn-spoofing","dns","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies a specific pattern in DNS queries indicative of Kerberos SPN spoofing, a technique used to coerce systems into authenticating to attacker-controlled hosts. The pattern \u0026ldquo;UWhRCA\u0026hellip;BAAAA\u0026rdquo; represents a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers exploit this by crafting malicious DNS names to trick victim systems into requesting Kerberos tickets for legitimate services, often their own identity, but directed towards an attacker-controlled endpoint. This can lead to Kerberos relay or NTLM reflection/relay attacks, bypassing normal NTLM fallback mechanisms. The technique is associated with tools like RemoteKrbRelay and wspcoerce. This activity has been observed in various attacks targeting Windows environments where Kerberos authentication is prevalent. Defenders need to detect and mitigate this early stage of credential access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a target Windows system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker sets up a malicious server to receive coerced authentication requests.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious DNS query containing a base64-encoded blob \u0026ldquo;UWhRCA\u0026hellip;BAAAA\u0026rdquo; representing a marshaled CREDENTIAL_TARGET_INFORMATION structure.\u003c/li\u003e\n\u003cli\u003eThe victim system, triggered by an external factor (e.g., RPC call, scheduled task, or web request), attempts to resolve the crafted DNS name.\u003c/li\u003e\n\u003cli\u003eThe malicious DNS query is sent to the DNS server, which resolves to the attacker\u0026rsquo;s server.\u003c/li\u003e\n\u003cli\u003eThe victim system initiates a Kerberos authentication request to the attacker\u0026rsquo;s server, believing it to be a legitimate service.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server relays the Kerberos ticket or uses NTLM reflection/relay techniques to gain unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker compromises the victim system or pivots to other systems within the network using the stolen credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to credential compromise, lateral movement, and domain takeover. Victims in Active Directory environments are particularly vulnerable. The impact includes unauthorized access to sensitive data, disruption of services, and potential ransomware deployment. If the coerced service has high privileges, the attacker can gain complete control over the compromised system or even the entire domain. Organizations using Kerberos authentication are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Potential Kerberos SPN Spoofing via Suspicious DNS Query\u0026rdquo; rule to your SIEM and tune for your environment to detect malicious DNS queries.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 22 - DNS Query logging to provide the necessary data for detection.\u003c/li\u003e\n\u003cli\u003eInvestigate and block any DNS queries resolving to external IPs that contain the \u0026ldquo;UWhRCA\u0026hellip;BAAAA\u0026rdquo; pattern.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for processes initiating DNS queries containing the suspicious pattern, specifically looking for known coercion tools.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of lateral movement if a system is compromised.\u003c/li\u003e\n\u003cli\u003eReview and harden Kerberos configurations to prevent SPN spoofing and relay attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T17:31:25Z","date_published":"2026-05-01T17:31:25Z","id":"/briefs/2024-10-kerberos-spn-spoofing-dns/","summary":"Detects suspicious DNS queries containing a base64-encoded blob, indicating potential Kerberos coercion attacks and SPN spoofing via DNS to coerce authentication to attacker-controlled hosts, enabling Kerberos or NTLM relay attacks.","title":"Potential Kerberos SPN Spoofing via Suspicious DNS Query","url":"https://feed.craftedsignal.io/briefs/2024-10-kerberos-spn-spoofing-dns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend","Windows Defender Application Control","Crowdstrike FDR","Sysmon"],"_cs_severities":["high"],"_cs_tags":["wdac","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers are increasingly targeting Windows Defender Application Control (WDAC) to disable or weaken endpoint defenses. By crafting malicious WDAC policies, adversaries can block legitimate security software and evade detection. This technique involves creating WDAC policy files (.p7b or .cip) in protected system directories using unauthorized processes. The activity often occurs when attackers have already gained a foothold in the system and are attempting to solidify their position. Successful deployment of a malicious WDAC policy can significantly hinder incident response and allow malware to operate undetected. This tactic has gained traction since late 2024, with offensive tools like Krueger demonstrating the potential for weaponizing WDAC against EDR solutions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the system through methods such as phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker escalates privileges to gain administrative access, which is required to modify WDAC policies.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Creation:\u003c/strong\u003e The attacker crafts a malicious WDAC policy using tools or scripts. This policy is designed to block specific security products or processes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStaging:\u003c/strong\u003e The malicious policy is staged in a temporary location on the system, often within user-writable directories.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Placement:\u003c/strong\u003e The attacker moves the malicious WDAC policy file (.p7b or .cip) to a protected system directory, such as \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\\u003c/code\u003e or \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\CiPolicies\\Active\\\u003c/code\u003e. The tool used may be a Living-off-the-Land Binary (LOLBin) or a custom .NET assembly.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eActivation:\u003c/strong\u003e The attacker triggers the activation of the new WDAC policy, which often requires a system reboot or the use of a service control utility.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e Once the policy is active, the targeted security products are blocked, allowing the attacker to operate with reduced risk of detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Objectives:\u003c/strong\u003e With defenses weakened, the attacker can move laterally within the network, exfiltrate data, or achieve other objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack targeting WDAC can severely impair an organization\u0026rsquo;s ability to detect and respond to threats. By blocking security software, attackers can operate with impunity, leading to data breaches, financial losses, and reputational damage. Observed damage includes disabled endpoint detection and response (EDR) solutions, allowing ransomware and other malware to execute without interference. The scope of impact can range from individual workstations to entire domains, depending on the breadth of the WDAC policy deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;WDAC Policy File by an Unusual Process\u0026rdquo; Sigma rule to your SIEM to detect unauthorized WDAC policy modifications.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events with extensions .p7b and .cip in \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\\u003c/code\u003e and \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\CiPolicies\\Active\\\u003c/code\u003e directories, specifically filtering for processes other than \u003ccode\u003epoqexec.exe\u003c/code\u003e, \u003ccode\u003eTiWorker.exe\u003c/code\u003e, and \u003ccode\u003eomadmclient.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) logging to capture file creation events and provide the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies on WDAC policy directories to prevent unauthorized modification.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T12:00:00Z","date_published":"2024-11-02T12:00:00Z","id":"/briefs/2024-11-wdac-policy-evasion/","summary":"Adversaries may use a specially crafted Windows Defender Application Control (WDAC) policy to restrict the execution of security products, detected by unusual process creation of WDAC policy files.","title":"WDAC Policy File Creation by Unusual Process","url":"https://feed.craftedsignal.io/briefs/2024-11-wdac-policy-evasion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike FDR","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["credential-access","windows","wbadmin","ntds.dit"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies the execution of \u003ccode\u003ewbadmin.exe\u003c/code\u003e with arguments indicative of an attempt to access and dump the NTDS.dit file from a Windows domain controller. Attackers with sufficient privileges, specifically those belonging to groups like Backup Operators, can abuse the legitimate \u003ccode\u003ewbadmin.exe\u003c/code\u003e utility to create a backup of the Active Directory database (NTDS.dit). This file contains sensitive credential information, and once obtained, attackers can extract password hashes and compromise the entire domain. This activity is often part of a larger attack aimed at gaining persistent access and control over the network. The Elastic detection rule was published on 2024-06-05 and last updated on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the target network. This may be achieved through phishing, exploiting vulnerabilities, or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to obtain membership in the Backup Operators group or a similar privileged group capable of running backups.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewbadmin.exe\u003c/code\u003e with the \u003ccode\u003erecovery\u003c/code\u003e argument, targeting the NTDS.dit file. The command line includes parameters to create a system state backup.\u003c/li\u003e\n\u003cli\u003eWbadmin creates a backup of the system state, including the NTDS.dit file, in a specified location.\u003c/li\u003e\n\u003cli\u003eThe attacker copies the NTDS.dit file from the backup location to a separate location for offline analysis.\u003c/li\u003e\n\u003cli\u003eThe attacker uses tools such as \u003ccode\u003entdsutil.exe\u003c/code\u003e or \u003ccode\u003esecretsdump.py\u003c/code\u003e to extract password hashes from the NTDS.dit file.\u003c/li\u003e\n\u003cli\u003eThe attacker cracks the password hashes or uses them in pass-the-hash attacks to gain access to other systems and resources within the domain.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves domain dominance and persistence, allowing them to control critical systems and data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to dump credentials from the NTDS.dit file, leading to complete compromise of the Active Directory domain. This enables them to move laterally, access sensitive data, and establish persistent control over the environment. The impact can include data breaches, ransomware deployment, and long-term disruption of business operations. The medium risk score indicates that while the attack requires specific privileges, the consequences are significant if successful.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to detect \u003ccode\u003ewbadmin.exe\u003c/code\u003e execution as described in the Attack Chain (Data Source: Windows Security Event Logs, Sysmon).\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect suspicious \u003ccode\u003ewbadmin.exe\u003c/code\u003e execution with NTDS.dit related arguments in your SIEM (Rule: NTDS Dump via Wbadmin).\u003c/li\u003e\n\u003cli\u003eMonitor and restrict membership in privileged groups like Backup Operators to minimize the risk of abuse (Reference: \u003ca href=\"https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960)\"\u003ehttps://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate backup schedules or disaster recovery processes to reduce false positives (False positive analysis).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T10:00:00Z","date_published":"2024-07-03T10:00:00Z","id":"/briefs/2024-07-ntds-dump-wbadmin/","summary":"Attackers with Backup Operator privileges may abuse wbadmin.exe to access the NTDS.dit file, enabling credential dumping and domain compromise.","title":"NTDS Dump via Wbadmin","url":"https://feed.craftedsignal.io/briefs/2024-07-ntds-dump-wbadmin/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Management Console File","Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["execution","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers may exploit Microsoft Management Console (MMC) by executing .msc files from non-standard directories to bypass security controls. This technique can be used for initial access and execution. This detection focuses on identifying the execution of \u003ccode\u003emmc.exe\u003c/code\u003e with \u003ccode\u003e.msc\u003c/code\u003e files from paths outside the typical system directories, which are generally considered trusted. By monitoring process executions and filtering out known legitimate paths, analysts can identify potentially malicious activity related to the misuse of MMC. The rule aims to detect deviations from standard administrative practices that could indicate unauthorized access or command execution via malicious or compromised \u003ccode\u003e.msc\u003c/code\u003e files. The detection logic specifically excludes executions from common directories like \u003ccode\u003eSystem32\u003c/code\u003e, \u003ccode\u003eSysWOW64\u003c/code\u003e, and \u003ccode\u003eProgram Files\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through an unspecified method.\u003c/li\u003e\n\u003cli\u003eThe attacker places a malicious \u003ccode\u003e.msc\u003c/code\u003e file in an unusual or untrusted directory (e.g., \u003ccode\u003eC:\\Users\\Public\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003emmc.exe\u003c/code\u003e with the malicious \u003ccode\u003e.msc\u003c/code\u003e file as an argument from the untrusted path.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emmc.exe\u003c/code\u003e processes the \u003ccode\u003e.msc\u003c/code\u003e file, potentially executing embedded commands or scripts.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003e.msc\u003c/code\u003e file performs unauthorized actions on the system, such as modifying system settings or executing arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the execution context of \u003ccode\u003emmc.exe\u003c/code\u003e to bypass security controls and escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker may establish persistence by creating a scheduled task or modifying registry keys to execute the malicious \u003ccode\u003e.msc\u003c/code\u003e file automatically.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access, command execution, and privilege escalation, potentially compromising the entire system. While specific victim counts or sector targeting are not available, the technique is applicable across various Windows environments. The use of a trusted system binary like \u003ccode\u003emmc.exe\u003c/code\u003e for malicious purposes can evade traditional security measures, making detection more challenging.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eMicrosoft Management Console File from Unusual Path\u003c/code\u003e to detect the execution of \u003ccode\u003emmc.exe\u003c/code\u003e with \u003ccode\u003e.msc\u003c/code\u003e files from untrusted paths.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments to provide the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the origin and content of the \u003ccode\u003e.msc\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eConsider implementing application control policies to restrict the execution of \u003ccode\u003e.msc\u003c/code\u003e files to authorized directories only.\u003c/li\u003e\n\u003cli\u003eReview and audit the use of MMC in the environment to identify any legitimate use cases that might trigger false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T10:00:00Z","date_published":"2024-07-03T10:00:00Z","id":"/briefs/2024-07-mmc-untrusted-path/","summary":"Adversaries may use Microsoft Management Console (MMC) files from untrusted paths to bypass security controls for initial access and execution on Windows systems.","title":"Microsoft Management Console File Execution from Unusual Path","url":"https://feed.craftedsignal.io/briefs/2024-07-mmc-untrusted-path/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Endgame","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","registry-modification","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe DNS Global Query Block List (GQBL) is a Windows security feature designed to prevent the resolution of specific DNS names, commonly exploited in attacks like WPAD spoofing. Attackers who have obtained elevated privileges, such as DNSAdmin, can modify or disable this list to bypass security controls. This allows exploitation of hosts running WPAD with default settings. The modification of the GQBL can be used for privilege escalation and lateral movement within a network. This rule detects changes to the registry values associated with the GQBL, specifically \u0026ldquo;EnableGlobalQueryBlockList\u0026rdquo; and \u0026ldquo;GlobalQueryBlockList.\u0026rdquo; This activity could indicate an attacker attempting to weaken defenses to facilitate further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to obtain DNSAdmin rights.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u0026ldquo;EnableGlobalQueryBlockList\u0026rdquo; registry value to \u0026ldquo;0\u0026rdquo; or \u0026ldquo;0x00000000,\u0026rdquo; effectively disabling the GQBL.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker modifies the \u0026ldquo;GlobalQueryBlockList\u0026rdquo; registry value to remove \u0026ldquo;wpad\u0026rdquo; from the list.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the disabled GQBL to conduct WPAD spoofing attacks, redirecting network traffic to attacker-controlled servers.\u003c/li\u003e\n\u003cli\u003eThe attacker captures user credentials transmitted during WPAD authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the captured credentials to move laterally to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification or disabling of the DNS Global Query Block List can lead to WPAD spoofing attacks, credential theft, lateral movement, and ultimately, complete compromise of the network. Attackers can leverage this technique to gain unauthorized access to sensitive data or systems. The impact includes potential data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRegistry Modification of DNS Global Query Block List\u003c/code\u003e to your SIEM to detect unauthorized changes to the GQBL configuration.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture the necessary events for the Sigma rule to function (reference the logsource in the rule).\u003c/li\u003e\n\u003cli\u003eReview and restrict DNSAdmin privileges to only necessary accounts to minimize the attack surface (reference: Overview section).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual DNS queries or WPAD-related activity, correlating with registry modification events (reference: Attack Chain step 5).\u003c/li\u003e\n\u003cli\u003eRegularly audit registry settings related to DNS configuration, including the GQBL, to identify unauthorized modifications (reference: Attack Chain steps 3 \u0026amp; 4).\u003c/li\u003e\n\u003cli\u003eUpdate security policies and procedures to include specific measures for monitoring and protecting the DNS Global Query Block List (reference: Impact section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T10:00:00Z","date_published":"2024-07-03T10:00:00Z","id":"/briefs/2024-07-dns-gqbl-modified/","summary":"Attackers with DNSAdmin privileges can modify or disable the DNS Global Query Block List (GQBL) in Windows, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.","title":"DNS Global Query Block List Modified or Disabled","url":"https://feed.craftedsignal.io/briefs/2024-07-dns-gqbl-modified/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","Elastic Endgame","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","lateral-movement","registry-modification","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eNetwork Level Authentication (NLA) is a security feature in Windows that requires users to authenticate before establishing a full RDP session, adding an extra layer of protection against unauthorized access. Attackers might attempt to disable NLA to gain access to the Windows sign-in screen without proper authentication. This tactic can facilitate the deployment of persistence mechanisms, such as leveraging Accessibility Features like Sticky Keys, or enable unauthorized remote access. This brief addresses the registry modifications associated with disabling NLA and provides detection strategies to identify such attempts. The references indicate that this technique is used in conjunction with other attacks for lateral movement within a compromised network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the system is gained (potentially via compromised credentials or vulnerability exploitation).\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to modify system-level settings.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry key \u003ccode\u003eHKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication\u003c/code\u003e to disable NLA.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eUserAuthentication\u003c/code\u003e value is set to \u0026ldquo;0\u0026rdquo; or \u0026ldquo;0x00000000\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish an RDP connection to the compromised system.\u003c/li\u003e\n\u003cli\u003eDue to the disabled NLA, the attacker bypasses the initial authentication screen.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages accessibility features (e.g., Sticky Keys) for persistence or further exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of NLA allows attackers to bypass authentication and gain unauthorized access to systems via RDP. This can lead to data theft, malware installation, or further lateral movement within the network. While the exact number of victims and sectors targeted are unspecified, the potential impact includes significant data breaches and system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process-creation and registry event logging to detect the registry modifications (Elastic Defend, Elastic Endgame, Microsoft Defender XDR, SentinelOne, Sysmon).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect attempts to modify the \u003ccode\u003eUserAuthentication\u003c/code\u003e registry key (Sysmon Registry Events).\u003c/li\u003e\n\u003cli\u003eReview and harden RDP configurations across the environment to prevent unauthorized access (Microsoft documentation).\u003c/li\u003e\n\u003cli\u003eMonitor endpoint security policies to detect unauthorized registry modifications (Endpoint Security Policies).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-31T12:00:00Z","date_published":"2024-01-31T12:00:00Z","id":"/briefs/2024-01-disable-nla/","summary":"Adversaries may disable Network-Level Authentication (NLA) by modifying specific registry keys to bypass authentication requirements for Remote Desktop Protocol (RDP) and enable persistence mechanisms.","title":"Network-Level Authentication (NLA) Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-nla/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Elastic Defend","Sysmon"],"_cs_severities":["high"],"_cs_tags":["credential-access","netsh","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers often target wireless credentials to gain unauthorized network access. This involves using the legitimate Windows command-line tool \u003ccode\u003enetsh.exe\u003c/code\u003e to extract Wi-Fi passwords stored on a compromised system. By leveraging \u003ccode\u003enetsh\u003c/code\u003e, attackers can bypass traditional security measures and retrieve sensitive information without deploying custom malware. The technique involves specific command-line arguments that instruct \u003ccode\u003enetsh\u003c/code\u003e to display wireless keys in cleartext, exposing the network passwords. Defenders must monitor \u003ccode\u003enetsh\u003c/code\u003e command-line activity to identify potential credential access attempts. This activity can lead to lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Windows system (e.g., via phishing or exploiting a software vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e with specific arguments to list available wireless profiles.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target wireless profile from the list.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e again, this time specifying the target profile and requesting the key to be displayed in cleartext using the \u003ccode\u003ekey=clear\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eNetsh.exe\u003c/code\u003e retrieves the Wi-Fi password from the Windows Wireless LAN service.\u003c/li\u003e\n\u003cli\u003eThe password is displayed in the command output, which the attacker captures.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained Wi-Fi password to connect to the wireless network.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform lateral movement and access internal resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful credential dumping allows attackers to gain unauthorized access to wireless networks. This can lead to lateral movement within the organization\u0026rsquo;s network, access to sensitive data, and further compromise of systems and resources. The impact includes potential data breaches, financial losses, and reputational damage. This technique allows attackers to bypass traditional network access controls.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Wireless Credential Dumping via Netsh\u003c/code\u003e to identify suspicious \u003ccode\u003enetsh.exe\u003c/code\u003e commands in your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the \u003ccode\u003enetsh.exe\u003c/code\u003e command-line arguments.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the process lineage and user context as outlined in the \u0026ldquo;Triage and analysis\u0026rdquo; section of the source.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies for Wi-Fi networks, including the use of WPA2 or WPA3 encryption.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of \u003ccode\u003enetsh.exe\u003c/code\u003e on systems where it is not required, using application control solutions.\u003c/li\u003e\n\u003cli\u003eMonitor for related alerts indicating lateral movement, staging, remote access, or persistence, as mentioned in the \u0026ldquo;Triage and analysis\u0026rdquo; section of the source.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-wireless-creds-dumping/","summary":"Adversaries use the Windows built-in utility Netsh to dump Wireless saved access keys in clear text, potentially leading to credential compromise.","title":"Wireless Credential Dumping via Netsh","url":"https://feed.craftedsignal.io/briefs/2024-01-30-wireless-creds-dumping/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers can try to cover their tracks by clearing the PowerShell console history on Windows systems. PowerShell offers multiple ways to log commands, including the built-in history and the command history managed by the PSReadLine module. This activity is often part of post-compromise behavior aimed at evading detection and forensic analysis. This rule detects the execution of specific commands that clear the built-in PowerShell logs or delete the \u003ccode\u003eConsoleHost_history.txt\u003c/code\u003e file. The rule focuses on PowerShell activity and covers scenarios where commands like Clear-History, Remove-Item, rm, and Set-PSReadlineOption are used to manipulate command history.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through an unspecified method, potentially exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes PowerShell (powershell.exe, pwsh.exe, or powershell_ise.exe) to perform reconnaissance and other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to clear the PowerShell command history using the \u003ccode\u003eClear-History\u003c/code\u003e cmdlet.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker attempts to remove the \u003ccode\u003eConsoleHost_history.txt\u003c/code\u003e file using \u003ccode\u003eRemove-Item\u003c/code\u003e or \u003ccode\u003erm\u003c/code\u003e, which stores the PSReadLine command history.\u003c/li\u003e\n\u003cli\u003eAnother method involves using the \u003ccode\u003eSet-PSReadlineOption\u003c/code\u003e cmdlet with the \u003ccode\u003eSaveNothing\u003c/code\u003e parameter to prevent the saving of future command history.\u003c/li\u003e\n\u003cli\u003eThe attacker may leverage other tools and techniques to further obscure their activities and maintain persistence on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems within the network to increase their impact.\u003c/li\u003e\n\u003cli\u003eThe final objective is data exfiltration, deployment of ransomware, or other malicious activities, all while attempting to evade detection by clearing logs and command history.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful clearing of console history hinders forensic investigations and incident response efforts. If command history is cleared, administrators will have difficulty reconstructing the attacker\u0026rsquo;s actions and identifying the extent of the compromise. This can lead to prolonged incident response times, increased damage, and potential for further exploitation of the compromised systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Clearing PowerShell History\u003c/code\u003e to your SIEM to detect the use of \u003ccode\u003eClear-History\u003c/code\u003e cmdlet, potentially indicating an attempt to remove command history.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Removal of PowerShell History File\u003c/code\u003e to detect the use of \u003ccode\u003eRemove-Item\u003c/code\u003e or \u003ccode\u003erm\u003c/code\u003e command against the PowerShell history file.\u003c/li\u003e\n\u003cli\u003eEnable PowerShell logging and auditing policies to ensure adequate visibility into PowerShell activity as described in the \u003ca href=\"https://ela.st/audit-process-creation\"\u003esetup instructions\u003c/a\u003e to improve detection capabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-clearing-console-history/","summary":"Adversaries may clear the command history of a compromised account to conceal the actions undertaken during an intrusion on a Windows system.","title":"Windows Console History Clearing","url":"https://feed.craftedsignal.io/briefs/2024-01-30-clearing-console-history/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers often attempt to modify file or directory ownership to bypass access controls and gain unauthorized access to sensitive data or system resources. This involves altering permissions associated with critical files or directories, granting broader access to accounts under attacker control or resetting permissions to default values which might be more permissive. This defense evasion technique can be used to establish persistence, escalate privileges, or exfiltrate data without triggering standard security alerts. The common tools used include \u003ccode\u003eicacls.exe\u003c/code\u003e and \u003ccode\u003etakeown.exe\u003c/code\u003e, typically targeting files within the \u003ccode\u003eC:\\Windows\\\u003c/code\u003e directory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved through an existing compromised account or vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003etakeown.exe /f \u0026lt;file\u0026gt;\u003c/code\u003e to take ownership of a target file or directory.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eicacls.exe \u0026lt;file\u0026gt; /reset\u003c/code\u003e to reset the ACL of the file or directory.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses \u003ccode\u003eicacls.exe \u0026lt;file\u0026gt; /grant Everyone:F\u003c/code\u003e to grant full control to everyone, weakening security.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the contents of the file, such as injecting malicious code or configuration changes.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the modified file for persistence, such as a modified system DLL loaded at boot.\u003c/li\u003e\n\u003cli\u003eThe system executes the malicious code when the compromised file is accessed or executed.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as maintaining persistence, escalating privileges, or executing arbitrary commands.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromising file and directory permissions can lead to significant security breaches. Successful attacks can allow unauthorized access to sensitive data, system instability, or the execution of malicious code with elevated privileges. This can affect any Windows environment where file permissions are improperly managed, with potential for widespread system compromise and data exfiltration. The impact is most severe on systems containing sensitive data or critical infrastructure components.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution for \u003ccode\u003eicacls.exe\u003c/code\u003e and \u003ccode\u003etakeown.exe\u003c/code\u003e with suspicious arguments targeting system files (e.g., \u003ccode\u003eC:\\Windows\\*\u003c/code\u003e) to detect potential permission modification attempts using the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eEnable Windows Security Auditing for file system changes to capture events related to permission modifications and ownership changes.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM and tune for your environment, specifically focusing on processes modifying permissions on files within the \u003ccode\u003eC:\\Windows\\\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rules, focusing on the process execution chain and the target files being modified.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-system-file-ownership-change/","summary":"Adversaries may modify file or directory ownership to evade access control lists (ACLs) and access protected files, often using icacls.exe or takeown.exe to reset permissions on system files.","title":"System File Ownership Change for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-system-file-ownership-change/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike Falcon","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["persistence","windows","netsh","registry"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe \u003ccode\u003enetsh.exe\u003c/code\u003e utility in Windows supports the addition of Helper DLLs to extend its functionality. An attacker can abuse this mechanism to establish persistence by adding a malicious DLL. When \u003ccode\u003enetsh.exe\u003c/code\u003e is executed, the malicious DLL is loaded and executed, allowing the attacker to run arbitrary code with the privileges of the user or process that initiated \u003ccode\u003enetsh.exe\u003c/code\u003e. This can be done by administrators or scheduled tasks, making it a stealthy and effective persistence technique. The registry key targeted by this technique is \u003ccode\u003eHKLM\\Software\\Microsoft\\netsh\\\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system through unspecified means.\u003c/li\u003e\n\u003cli\u003eAttacker creates a malicious DLL to be used as a Netsh Helper DLL.\u003c/li\u003e\n\u003cli\u003eAttacker modifies the Windows Registry to add the malicious DLL as a Netsh Helper DLL under \u003ccode\u003eHKLM\\Software\\Microsoft\\netsh\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe system administrator or a scheduled task executes \u003ccode\u003enetsh.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enetsh.exe\u003c/code\u003e loads and executes the malicious DLL, granting the attacker code execution.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL performs its intended actions, such as establishing a reverse shell or deploying additional malware.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence on the system through the malicious Netsh Helper DLL.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish persistent access to a compromised system. This can lead to data theft, system compromise, and further malicious activities. While the risk score is low, the persistence mechanism can allow attackers to maintain a foothold for extended periods, increasing the potential for significant damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor registry modifications under the \u003ccode\u003eHKLM\\Software\\Microsoft\\netsh\\\u003c/code\u003e path for suspicious DLL additions using the \u0026ldquo;Netsh Helper DLL Registry Modification\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to collect the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by reviewing the DLL file properties, timestamps, and related processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-netsh-helper-dll/","summary":"Attackers may abuse the Netsh Helper DLL functionality by adding malicious DLLs to execute payloads every time the netsh utility is executed via administrators or scheduled tasks, achieving persistence.","title":"Netsh Helper DLL Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-netsh-helper-dll/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["credential-access","windows","vaultcmd"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers may abuse the Windows Credential Manager to list or dump credentials stored within. This allows for the exfiltration of saved usernames and passwords. The tool vaultcmd.exe can be used to interact with the Credential Manager and list the stored credentials. This activity is often performed in preparation for lateral movement within a compromised network. This detection focuses on identifying instances where vaultcmd.exe is executed with the \u003ccode\u003e/list*\u003c/code\u003e argument, indicating an attempt to enumerate stored credentials. The detection rule is designed to identify abuse of vaultcmd for credential access, enabling defenders to detect unauthorized credential access activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means (e.g., phishing, exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003evaultcmd.exe\u003c/code\u003e with the \u003ccode\u003e/list\u003c/code\u003e argument to enumerate the credentials stored in the Windows Credential Manager.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003evaultcmd.exe\u003c/code\u003e process accesses the Credential Manager to retrieve the list of saved credentials.\u003c/li\u003e\n\u003cli\u003eThe output of \u003ccode\u003evaultcmd.exe\u003c/code\u003e (the list of credentials) is captured or redirected to a file for later exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output to identify valuable credentials, such as domain administrator accounts or service accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the acquired credentials to authenticate to other systems on the network (lateral movement).\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges on the target systems.\u003c/li\u003e\n\u003cli\u003eThe final objective is achieved, such as data theft or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack chain can lead to unauthorized access to sensitive resources, lateral movement within the network, and ultimately, data theft, system compromise, or ransomware deployment. A compromised user account can grant the attacker access to internal systems, confidential data, and critical infrastructure. If the attacker gains domain administrator credentials, they can compromise the entire Windows domain.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution events for instances of \u003ccode\u003evaultcmd.exe\u003c/code\u003e being executed with the \u003ccode\u003e/list*\u003c/code\u003e argument (Data Source: Windows Security Event Logs, Sysmon, Microsoft Defender XDR, SentinelOne, Crowdstrike).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect VaultCmd Credential Listing\u0026rdquo; to your SIEM to identify potential credential access attempts.\u003c/li\u003e\n\u003cli\u003eInvestigate any identified instances of \u003ccode\u003evaultcmd.exe\u003c/code\u003e being executed with the \u003ccode\u003e/list*\u003c/code\u003e argument to determine the legitimacy of the activity.\u003c/li\u003e\n\u003cli\u003eReview and update endpoint protection configurations to ensure that similar threats are detected and blocked in the future.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-29-vaultcmd-credential-access/","summary":"Adversaries may use vaultcmd.exe to list credentials stored in the Windows Credential Manager to gain unauthorized access to saved usernames and passwords, potentially in preparation for lateral movement.","title":"VaultCmd Usage for Listing Windows Credentials","url":"https://feed.craftedsignal.io/briefs/2024-01-29-vaultcmd-credential-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","Elastic Endgame","Sysmon Event ID 11 - File Create"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","windows","managed code","lolbin"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies suspicious managed code hosting processes on Windows systems. Attackers may leverage processes like \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003ewmic.exe\u003c/code\u003e, \u003ccode\u003esvchost.exe\u003c/code\u003e, \u003ccode\u003edllhost.exe\u003c/code\u003e, \u003ccode\u003ecmstp.exe\u003c/code\u003e, and \u003ccode\u003eregsvr32.exe\u003c/code\u003e to execute malicious code, often bypassing traditional security controls. These processes can be abused to load and execute .NET assemblies or other managed code components. The detection focuses on identifying unusual file creation events associated with these processes which could indicate an attacker is attempting to leverage these processes for malicious purposes. This activity might be indicative of code injection, defense evasion, or other suspicious code execution techniques. The rule uses EQL to search for file events associated with specific processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through a phishing email or compromised software.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a LOLBin such as \u003ccode\u003emshta.exe\u003c/code\u003e or \u003ccode\u003eregsvr32.exe\u003c/code\u003e to bypass application control.\u003c/li\u003e\n\u003cli\u003eThe LOLBin executes a malicious script or loads a malicious DLL from a user-writable location.\u003c/li\u003e\n\u003cli\u003eThe malicious script or DLL performs reconnaissance activities, such as gathering system information or enumerating network resources.\u003c/li\u003e\n\u003cli\u003eThe attacker then attempts to escalate privileges by exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised process to download and execute additional malware.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence on the system through scheduled tasks or registry modifications.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement within the network, compromising additional systems and exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to compromise systems, steal sensitive data, and establish persistence. The use of LOLBins can bypass application control, making detection more challenging. Depending on the scope of the attack, this could result in significant financial losses, reputational damage, and disruption of business operations. This is a high-severity finding due to the potential for attackers to gain full control over affected systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon file creation logging (Event ID 11) to collect the necessary data for this detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Managed Code Hosting Process\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the file paths, process command lines, and parent processes involved.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected file creation events associated with processes like \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, and \u003ccode\u003emshta.exe\u003c/code\u003e in user-writable directories.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of LOLBins and other potentially malicious processes.\u003c/li\u003e\n\u003cli\u003eCorrelate the detection with other security events to identify related malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-29-suspicious-managedcode-hosting/","summary":"This rule detects suspicious managed code hosting processes on Windows systems, potentially indicating code injection or defense evasion tactics by monitoring file events associated with processes commonly used to host managed code, such as wscript.exe, cscript.exe, and mshta.exe.","title":"Suspicious Managed Code Hosting Process","url":"https://feed.craftedsignal.io/briefs/2024-01-29-suspicious-managedcode-hosting/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","masquerading","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies processes executing from directories that masquerade as the legitimate Windows Program Files directories. Attackers may create directories with similar names (e.g., \u0026ldquo;C:\\Program Files Bad\u0026rdquo; or \u0026ldquo;C:\\Program Files(x86) Malicious\u0026rdquo;) to host and execute malicious executables, bypassing security measures that trust the standard Program Files locations. This technique is particularly effective when combined with low-privilege accounts, as it allows attackers to evade detections that whitelist only the standard, trusted Program Files paths. The timeframe for this rule is the last 9 months. This matters to defenders because it highlights a common tactic used to bypass established trust relationships within the Windows operating system, requiring more granular inspection of process execution paths.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new directory that mimics the \u0026ldquo;Program Files\u0026rdquo; or \u0026ldquo;Program Files (x86)\u0026rdquo; directory (e.g., \u0026ldquo;C:\\Program Files Bad\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker copies or downloads malicious executable files into the newly created masquerading directory.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malicious executable from the masquerading directory.\u003c/li\u003e\n\u003cli\u003eThe operating system loads the executable and begins its execution, potentially bypassing any allowlisting rules that only check the standard \u0026ldquo;Program Files\u0026rdquo; locations.\u003c/li\u003e\n\u003cli\u003eThe malicious executable performs its intended actions, such as installing malware, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised system to move laterally within the network, repeating the masquerading technique on other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to malware infection, data theft, or complete system compromise. The impact is significant, as it undermines the trust placed in the \u0026ldquo;Program Files\u0026rdquo; directory and allows attackers to operate undetected for extended periods. While no specific victim counts are given, the technique is broadly applicable to any Windows environment, especially those relying on simple path-based allowlisting for security.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eProgram Files Directory Masquerading Detection\u003c/code\u003e to your SIEM to detect suspicious process executions from masquerading directories.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to collect the necessary process execution data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eRegularly review and update allowlisting rules to include more specific criteria beyond just the \u0026ldquo;Program Files\u0026rdquo; directory, such as file hashes or digital signatures.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent processes and user accounts associated with the suspicious executions.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events in the root directory to detect suspicious folders being created (file_event category)\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-program-files-masquerading/","summary":"Adversaries may masquerade malicious executables within directories mimicking the legitimate Windows Program Files directory to evade defenses and execute untrusted code.","title":"Program Files Directory Masquerading","url":"https://feed.craftedsignal.io/briefs/2024-01-program-files-masquerading/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend","Elastic Endgame"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","windows","msiexec","remote-install"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAdversaries may abuse Windows Installer (msiexec.exe) to perform remote installations of malicious payloads. This technique is used for initial access, defense evasion, and execution of arbitrary code. The detection rule identifies attempts to install a file from a remote server using MsiExec. The rule looks for msiexec.exe processes running with arguments such as \u003ccode\u003e-i\u003c/code\u003e, \u003ccode\u003e/i\u003c/code\u003e, \u003ccode\u003e-p\u003c/code\u003e, or \u003ccode\u003e/p\u003c/code\u003e, indicative of remote installations, and executed from suspicious parent processes like \u003ccode\u003esihost.exe\u003c/code\u003e, \u003ccode\u003eexplorer.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ewmiprvse.exe\u003c/code\u003e, \u003ccode\u003epcalua.exe\u003c/code\u003e, \u003ccode\u003eforfiles.exe\u003c/code\u003e, and \u003ccode\u003econhost.exe\u003c/code\u003e. The rule includes exceptions to reduce false positives from legitimate software installations, specifically excluding command lines containing \u003ccode\u003e--set-server\u003c/code\u003e, \u003ccode\u003eUPGRADEADD\u003c/code\u003e, \u003ccode\u003e--url\u003c/code\u003e, \u003ccode\u003eUSESERVERCONFIG\u003c/code\u003e, \u003ccode\u003eRCTENTERPRISESERVER\u003c/code\u003e, \u003ccode\u003eapp.ninjarmm.com\u003c/code\u003e, \u003ccode\u003ezoom.us/client\u003c/code\u003e, \u003ccode\u003eSUPPORTSERVERSTSURI\u003c/code\u003e, \u003ccode\u003eSTART_URL\u003c/code\u003e, \u003ccode\u003eAUTOCONFIG\u003c/code\u003e, \u003ccode\u003eawscli.amazonaws.com\u003c/code\u003e, \u003ccode\u003e*/i \\\u0026quot;C:*\u003c/code\u003e, and \u003ccode\u003e*/i C:\\\\*\u003c/code\u003e. This technique can lead to complete system compromise and data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access via an unspecified method (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker uses a script or command-line interpreter (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e) to initiate the \u003ccode\u003emsiexec.exe\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emsiexec.exe\u003c/code\u003e process is launched with arguments that specify a remote MSI package (\u003ccode\u003e-i\u003c/code\u003e, \u003ccode\u003e/i\u003c/code\u003e, \u003ccode\u003e-p\u003c/code\u003e, \u003ccode\u003e/p\u003c/code\u003e) and enable silent installation (\u003ccode\u003e/qn\u003c/code\u003e, \u003ccode\u003e-qn\u003c/code\u003e, \u003ccode\u003e-q\u003c/code\u003e, \u003ccode\u003e/q\u003c/code\u003e, \u003ccode\u003e/quiet\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emsiexec.exe\u003c/code\u003e process downloads the MSI package from a remote server over HTTP or HTTPS.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emsiexec.exe\u003c/code\u003e executes the downloaded MSI package, which may contain malicious payloads.\u003c/li\u003e\n\u003cli\u003eThe malicious payload executes, potentially performing actions such as installing malware, establishing persistence, or escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control over the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs further actions, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to install malware, steal sensitive data, or disrupt system operations. A compromised system can be used as a pivot point to access other systems on the network. The impact can range from data breaches and financial losses to reputational damage and disruption of critical services. The number of potential victims depends on the scope of the initial access and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious MsiExec invocations with remote payloads.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to ensure the required data is available for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent process, command-line arguments, and network connections associated with the \u003ccode\u003emsiexec.exe\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for child processes spawned by \u003ccode\u003emsiexec.exe\u003c/code\u003e for anomalous activity.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of \u003ccode\u003emsiexec.exe\u003c/code\u003e to authorized users and processes only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T10:00:00Z","date_published":"2024-01-29T10:00:00Z","id":"/briefs/2024-01-29-msiexec-remote-payload/","summary":"This rule detects attempts to install a file from a remote server using MsiExec, which adversaries may abuse to deliver malware, by identifying msiexec.exe processes running with arguments indicative of remote installations and executed from suspicious parent processes.","title":"Potential Remote Install via MsiExec","url":"https://feed.craftedsignal.io/briefs/2024-01-29-msiexec-remote-payload/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","Elastic Endgame","Sysmon"],"_cs_severities":["low"],"_cs_tags":["privilege-escalation","unquoted-service-path","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eUnquoted service paths in Windows can be exploited to escalate privileges. When a service path lacks quotes, Windows may execute a malicious executable placed in a higher-level directory. This detection rule identifies suspicious processes starting from common unquoted paths, like \u0026ldquo;C:\\Program.exe\u0026rdquo; or executables within \u0026ldquo;C:\\Program Files (x86)\\\u0026rdquo; or \u0026ldquo;C:\\Program Files\\\u0026rdquo;, signaling potential exploitation attempts. The rule aims to detect early stages of privilege escalation threats. This rule is designed for data generated by Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, Windows Security Event Logs, and Crowdstrike.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a service running with an unquoted path, such as \u0026ldquo;C:\\Program Files\\Unquoted Path Service\\Common\\Service.exe\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker places a malicious executable named \u0026ldquo;Program.exe\u0026rdquo; in \u0026ldquo;C:\u0026quot;\u003c/li\u003e\n\u003cli\u003eThe operating system attempts to start the service \u0026ldquo;C:\\Program Files\\Unquoted Path Service\\Common\\Service.exe\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eDue to the unquoted path, the OS incorrectly parses the path and first attempts to execute \u0026ldquo;C:\\Program.exe\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe malicious \u0026ldquo;Program.exe\u0026rdquo; executes with the privileges of the service account.\u003c/li\u003e\n\u003cli\u003eThe malicious executable performs actions to escalate privileges, such as adding a user to the local administrators group.\u003c/li\u003e\n\u003cli\u003eThe attacker gains elevated access to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of an unquoted service path vulnerability can lead to complete system compromise, as the attacker gains the privileges of the service account. This can allow the attacker to install programs, view, change, or delete data, or create new accounts with full user rights. The impact is high, potentially leading to a loss of confidentiality, integrity, and availability of the affected system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview process executable paths to confirm if they match the patterns specified in the rule query, such as \u0026ldquo;?:\\Program.exe\u0026rdquo; or executables within \u0026ldquo;C:\\Program Files (x86)\\\u0026rdquo; or \u0026ldquo;C:\\Program Files\\\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Exploitation of an Unquoted Service Path Vulnerability\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging with Event ID 1 to activate the Sigma rules above.\u003c/li\u003e\n\u003cli\u003eConduct a thorough review of service configurations to identify and correct any unquoted service paths as part of remediation steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T10:00:00Z","date_published":"2024-01-29T10:00:00Z","id":"/briefs/2024-01-29-unquoted-service-path/","summary":"This rule detects potential exploitation of unquoted service path vulnerabilities, where adversaries may escalate privileges by placing a malicious executable in a higher-level directory within the path of an unquoted service executable.","title":"Potential Exploitation of an Unquoted Service Path Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-29-unquoted-service-path/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Sysmon Event ID 1 - Process Creation","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["lolbin","command-and-control","exfiltration","certreq"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe Windows Certreq utility is a command-line tool used for managing certificates. Adversaries may abuse Certreq to download files from or upload data to a remote server by initiating an HTTP POST request. This behavior can be used for command and control (C2) or exfiltration. This technique leverages a legitimate system binary (LOLBin) to evade detection. Elastic has observed this behavior being detected through multiple data sources including Elastic Defend, Microsoft Defender XDR, Sysmon, SentinelOne, and Crowdstrike. This is a cross-industry threat that can affect any organization using Windows.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes Certreq.exe with the \u003ccode\u003e-Post\u003c/code\u003e argument to initiate an HTTP POST request.\u003c/li\u003e\n\u003cli\u003eThe Certreq process attempts to connect to a remote server to send or receive data.\u003c/li\u003e\n\u003cli\u003eThe remote server responds to the Certreq request, potentially delivering a file or receiving exfiltrated data.\u003c/li\u003e\n\u003cli\u003eThe downloaded file is saved to disk (if applicable).\u003c/li\u003e\n\u003cli\u003eThe attacker may execute the downloaded file or further process the exfiltrated data.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to clean up the Certreq command from command history or logs to evade detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to the download and execution of malicious payloads, potentially compromising the affected system and network. Alternatively, sensitive data could be exfiltrated from the target environment. The impact can range from data theft and system compromise to full network intrusion, depending on the attacker\u0026rsquo;s objectives and the data accessed. The severity is medium because Certreq is a legitimate tool, and its abuse requires specific command-line arguments and network activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Certreq HTTP Post Request\u0026rdquo; to your SIEM to identify potential abuse of Certreq for file transfer.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the execution of Certreq.exe and its command-line arguments, enabling detections.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from Certreq.exe for unusual destinations or data transfer patterns using network connection logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of Certreq.exe executing with the \u003ccode\u003e-Post\u003c/code\u003e argument, as this is not typical usage of the utility.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-28T20:47:00Z","date_published":"2024-01-28T20:47:00Z","id":"/briefs/2024-01-certreq-post/","summary":"Adversaries may abuse the Windows Certreq utility to download files or upload data to a remote URL by making an HTTP POST request, potentially for command and control or exfiltration, which can be detected by monitoring process execution events.","title":"Potential Abuse of Certreq for File Transfer via HTTP POST","url":"https://feed.craftedsignal.io/briefs/2024-01-certreq-post/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Endpoint Security","SentinelOne Cloud Funnel","Crowdstrike FDR","Sysmon"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","amsi","registry","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers can disable the Antimalware Scan Interface (AMSI) to evade detection by modifying the \u003ccode\u003eAmsiEnable\u003c/code\u003e registry key. This technique is commonly employed to execute malicious scripts without triggering security warnings or blocks. The AMSI, a Windows feature, allows applications and services to request the scanning of potentially malicious content (e.g., PowerShell scripts, JScript) before execution. By setting the \u003ccode\u003eAmsiEnable\u003c/code\u003e value to 0, an attacker can disable AMSI for the current user, effectively bypassing real-time script scanning. This action is often a precursor to deploying further malicious payloads or establishing persistence on a compromised system. This behavior has been observed since at least 2019 and continues to be a relevant defense evasion technique.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script or binary that attempts to modify the \u003ccode\u003eAmsiEnable\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eThe script or binary uses \u003ccode\u003ereg.exe\u003c/code\u003e, PowerShell, or another tool to set the \u003ccode\u003eAmsiEnable\u003c/code\u003e registry value to 0. The registry key location is typically \u003ccode\u003eHKEY_USERS\\\u0026lt;SID\u0026gt;\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAfter successfully disabling AMSI, the attacker proceeds to execute malicious scripts or code. These scripts may use \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, or \u003ccode\u003ecscript.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious scripts download and execute additional payloads, such as malware or remote access tools (RATs).\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement within the network using the compromised system as a pivot.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish persistence, ensuring continued access to the system even after reboots.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys ransomware to achieve their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the \u003ccode\u003eAmsiEnable\u003c/code\u003e registry key allows attackers to execute malicious scripts without triggering AMSI alerts, leading to potential malware infections, data breaches, and system compromise. Disabling AMSI significantly reduces the effectiveness of endpoint security solutions, making the system more vulnerable to attack. The impact can range from individual workstation compromise to widespread network infections, depending on the attacker\u0026rsquo;s objectives and the organization\u0026rsquo;s security posture.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AmsiEnable Registry Modification via Registry Events\u003c/code\u003e to your SIEM to detect modifications to the \u003ccode\u003eAmsiEnable\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to provide the necessary data for the Sigma rule to function.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for processes modifying registry keys, especially \u003ccode\u003ereg.exe\u003c/code\u003e and PowerShell, using the rule \u003ccode\u003eDetect AmsiEnable Registry Modification via Process Creation\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules promptly to determine if the activity is malicious or legitimate.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted scripts and binaries.\u003c/li\u003e\n\u003cli\u003eHarden systems by restricting user permissions to modify critical registry keys.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-27T18:23:00Z","date_published":"2024-01-27T18:23:00Z","id":"/briefs/2024-01-amsi-registry-disable/","summary":"Adversaries modify the AmsiEnable registry key to 0 to disable Windows Script AMSI scanning, bypassing AMSI protections for Windows Script Host or JScript execution.","title":"AMSI Enable Registry Key Modification for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-amsi-registry-disable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Office","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["low"],"_cs_tags":["persistence","registry","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe \u0026ldquo;Office Test\u0026rdquo; registry key, located under \u003ccode\u003eHKCU\\Software\\Microsoft\\Office Test\\Special\\Perf\u003c/code\u003e, is a legitimate feature that allows specifying a DLL to be executed every time an MS Office application is started. Attackers can abuse this functionality by modifying the registry to point to a malicious DLL, achieving persistence on a compromised host. This allows for continued malicious activity even after a system restart or user logout. Elastic has published a rule to detect this behavior. The modification of this registry key, excluding deletions, is a strong indicator of potential abuse, and can be detected via endpoint detection and response (EDR) solutions as well as traditional Sysmon logging.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, often through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a foothold and escalates privileges to make necessary registry modifications.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eHKCU\\Software\\Microsoft\\Office Test\\Special\\Perf\u003c/code\u003e registry key, adding a new entry or modifying an existing one to point to a malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe attacker ensures the malicious DLL is present on the system, either by dropping it directly or using existing system tools to download it.\u003c/li\u003e\n\u003cli\u003eA user launches a Microsoft Office application (e.g., Word, Excel, PowerPoint).\u003c/li\u003e\n\u003cli\u003eThe Office application loads the DLL specified in the \u0026ldquo;Office Test\u0026rdquo; registry key during startup.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes its payload, which could include establishing a reverse shell, installing malware, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence, allowing them to regain access to the system each time an Office application is started.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to a compromised system. The injected DLL can be used to execute arbitrary code, potentially leading to data theft, malware installation, or further compromise of the network. The relatively low risk score suggests a common technique, but the potential for persistent access makes it a significant threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune for your environment to detect unauthorized modifications to the \u0026ldquo;Office Test\u0026rdquo; registry key (\u003ccode\u003eHKCU\\Software\\Microsoft\\Office Test\\Special\\Perf\\*\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Registry event logging to capture registry modifications and activate the Sigma rule above.\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for Office applications to detect if a suspicious DLL has been loaded or executed, as described in the investigation guide.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and alerting for similar registry modifications across the network, as described in the remediation steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-27T17:30:00Z","date_published":"2024-01-27T17:30:00Z","id":"/briefs/2024-01-office-test-registry-persistence/","summary":"Attackers modify the Microsoft Office 'Office Test' Registry key to achieve persistence by specifying a malicious DLL that executes upon application startup.","title":"Microsoft Office 'Office Test' Registry Persistence Abuse","url":"https://feed.craftedsignal.io/briefs/2024-01-office-test-registry-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["discovery","windows","group_policy"],"_cs_type":"advisory","_cs_vendors":["Microsoft","CrowdStrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eAttackers may leverage the \u003ccode\u003egpresult.exe\u003c/code\u003e utility, a built-in Windows tool, to gather information about Group Policy Objects (GPOs) within an Active Directory environment. This reconnaissance activity allows adversaries to understand the existing security policies, identify potential misconfigurations, and discover pathways for privilege escalation or lateral movement. The rule focuses on detecting the execution of \u003ccode\u003egpresult.exe\u003c/code\u003e with specific command-line arguments (\u003ccode\u003e/z\u003c/code\u003e, \u003ccode\u003e/v\u003c/code\u003e, \u003ccode\u003e/r\u003c/code\u003e, \u003ccode\u003e/x\u003c/code\u003e) commonly associated with malicious reconnaissance. This behavior is typically observed after an initial compromise, where the attacker is attempting to map out the network and identify valuable targets. This activity matters for defenders as it provides an early indicator of post-compromise activity and can help prevent further damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Windows system through methods such as phishing, exploiting vulnerabilities, or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003egpresult.exe\u003c/code\u003e from the command line or through a script.\u003c/li\u003e\n\u003cli\u003eThe attacker uses command-line arguments such as \u003ccode\u003e/z\u003c/code\u003e, \u003ccode\u003e/v\u003c/code\u003e, \u003ccode\u003e/r\u003c/code\u003e, or \u003ccode\u003e/x\u003c/code\u003e to request detailed information about Group Policy settings.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003egpresult.exe\u003c/code\u003e queries the Active Directory domain to retrieve GPO information applicable to the user or computer.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output of \u003ccode\u003egpresult.exe\u003c/code\u003e to identify security policies, user rights assignments, and other relevant configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies potential weaknesses in the GPO configuration, such as overly permissive user rights or insecure password policies.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to exploit identified weaknesses and escalate privileges or move laterally to other systems within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration, system compromise, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a comprehensive understanding of the target environment\u0026rsquo;s security posture, enabling attackers to identify and exploit weaknesses for privilege escalation and lateral movement. While the source does not specify a number of victims or sectors targeted, the impact of a successful attack can range from data breaches and financial losses to reputational damage and disruption of operations. The discovery of misconfigured group policies can open doors for attackers to compromise critical systems and data within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Group Policy Discovery via GPResult\u0026rdquo; to your SIEM to detect the execution of \u003ccode\u003egpresult.exe\u003c/code\u003e with suspicious parameters.\u003c/li\u003e\n\u003cli\u003eEnable Windows process creation logging to capture command-line arguments used with \u003ccode\u003egpresult.exe\u003c/code\u003e and other executables.\u003c/li\u003e\n\u003cli\u003eReview and harden Group Policy configurations to minimize the risk of exploitation by attackers.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u0026ldquo;Group Policy Discovery via GPResult\u0026rdquo; to determine the context and intent of the activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-gpresult-discovery/","summary":"Detects the execution of `gpresult.exe` with arguments `/z`, `/v`, `/r`, or `/x` on Windows systems, which attackers may use during reconnaissance to enumerate Group Policy Objects and identify opportunities for privilege escalation or lateral movement.","title":"Group Policy Discovery via Microsoft GPResult Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-gpresult-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection rule identifies anomalous creation or modification of executable files by critical Windows system processes, like \u003ccode\u003esmss.exe\u003c/code\u003e, \u003ccode\u003ecsrss.exe\u003c/code\u003e, and \u003ccode\u003elsass.exe\u003c/code\u003e. Attackers may attempt to leverage these processes to evade detection, and the rule is designed to detect such activities. The rule leverages data from Elastic Defend, Microsoft Defender XDR, SentinelOne, CrowdStrike, and Sysmon. It provides investigation steps to help analysts triage and analyze potential incidents, focusing on the identity of the writing process, its lineage, and the characteristics of the written file. This rule is designed to detect potential remote code execution or other forms of exploitation targeting Windows systems. The rule logic excludes specific legitimate file paths to minimize false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through methods such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes code on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a system critical process to create or modify an executable file.\u003c/li\u003e\n\u003cli\u003eThe created/modified file may be a backdoor, malware component, or a tool for further exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the created executable to establish persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly created executable to perform lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution with elevated privileges. The number of victims is dependent on the scope of the initial compromise. The targeted sectors include any organization running vulnerable Windows systems. If the attack succeeds, the adversary can gain full control over the system, leading to data theft, system disruption, or further propagation of malware.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Unusual Executable File Creation by a System Critical Process\u0026rdquo; detection rule to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon file creation logging (Event ID 11) to enhance detection capabilities (see setup instructions in the rule source).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, paying close attention to the writing process\u0026rsquo;s identity, lineage, and the characteristics of the written file as detailed in the rule\u0026rsquo;s triage and analysis section.\u003c/li\u003e\n\u003cli\u003eCorrelate alerts from this rule with other endpoint and network activity to identify the scope of the potential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-25T12:00:00Z","date_published":"2024-01-25T12:00:00Z","id":"/briefs/2024-01-25-unusual-executable-file-creation/","summary":"The rule identifies unexpected executable file creation or modification by critical Windows processes, potentially indicating remote code execution or exploitation attempts.","title":"Unusual Executable File Creation by a System Critical Process","url":"https://feed.craftedsignal.io/briefs/2024-01-25-unusual-executable-file-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["execution","windows","scripting","archive"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers commonly use archive files (ZIP, RAR, 7z) to deliver malicious scripts, such as JScript and VBScript, to Windows systems. This technique allows them to bypass some initial security checks and deliver payloads that can execute arbitrary code. The \u0026ldquo;Windows Script Execution from Archive\u0026rdquo; detection identifies instances where Windows Script Host (wscript.exe) is launched from temporary directories containing extracted archive contents. This activity can indicate a user has opened a malicious archive, leading to potential malware execution. This detection focuses on the parent-child process relationship, where explorer.exe, winrar.exe, or 7zFM.exe spawns wscript.exe to execute scripts from the temp directory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user receives a malicious archive file (e.g., ZIP, RAR, 7z) via email or downloads it from a website.\u003c/li\u003e\n\u003cli\u003eThe user opens the archive file using a file archiver tool like Explorer, WinRAR, or 7-Zip.\u003c/li\u003e\n\u003cli\u003eThe archiver extracts the contents, including a malicious JScript (.js) or VBScript (.vbs) file, to a temporary directory, such as \u003ccode\u003e\\Users\\*\\AppData\\Local\\Temp\\7z*\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe user (or the archiver tool) inadvertently executes the extracted script using Windows Script Host (wscript.exe).\u003c/li\u003e\n\u003cli\u003eWscript.exe executes the malicious script, which may perform a variety of actions, such as downloading and executing additional payloads.\u003c/li\u003e\n\u003cli\u003eThe script establishes persistence via registry modification, adding a run key to execute upon system startup.\u003c/li\u003e\n\u003cli\u003eThe script connects to a command-and-control server to receive further instructions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the compromised system and begins lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack of this nature can lead to arbitrary code execution on the victim\u0026rsquo;s machine, potentially resulting in data theft, malware installation, or complete system compromise. While the number of affected organizations is not specified, the technique is broadly applicable to any Windows environment where users handle archive files, potentially affecting numerous individuals and organizations across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture the execution of wscript.exe and its arguments.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Script Execution from Archive\u0026rdquo; to your SIEM to identify suspicious script execution patterns.\u003c/li\u003e\n\u003cli\u003eMonitor process activity for wscript.exe and other scripting engines executing from temporary directories.\u003c/li\u003e\n\u003cli\u003eConfigure endpoint security solutions to block execution of scripts from common temporary directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-script-exec-archive/","summary":"This rule identifies attempts to execute Jscript/Vbscript files from an archive file, a common delivery method for malicious scripts on Windows systems.","title":"Windows Script Execution from Archive File","url":"https://feed.craftedsignal.io/briefs/2024-01-script-exec-archive/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Endgame","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Sysmon","Windows Security Event Logs","Crowdstrike"],"_cs_severities":["high"],"_cs_tags":["credential-access","registry-dump","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies attempts to export registry hives containing sensitive credential information using the Windows \u003ccode\u003ereg.exe\u003c/code\u003e utility. Attackers may target the \u003ccode\u003eHKLM\\SAM\u003c/code\u003e and \u003ccode\u003eHKLM\\SECURITY\u003c/code\u003e hives to extract stored credentials, including password hashes and LSA secrets. The activity is often part of a broader credential access campaign. The rule focuses on detecting the execution of \u003ccode\u003ereg.exe\u003c/code\u003e with specific arguments indicating an attempt to save or export these critical registry hives. The use of \u003ccode\u003ereg.exe\u003c/code\u003e makes this technique accessible to various threat actors, including ransomware groups and nation-state actors. Defenders need to monitor for this activity to prevent unauthorized credential access and potential lateral movement within the network. This rule specifically looks for \u0026ldquo;save\u0026rdquo; and \u0026ldquo;export\u0026rdquo; arguments targeting SAM and SECURITY hives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ereg.exe\u003c/code\u003e from the command line or through a script.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ereg.exe\u003c/code\u003e command includes arguments to save or export registry hives.\u003c/li\u003e\n\u003cli\u003eThe target registry hives are \u003ccode\u003eHKLM\\SAM\u003c/code\u003e and \u003ccode\u003eHKLM\\SECURITY\u003c/code\u003e, containing sensitive credential information.\u003c/li\u003e\n\u003cli\u003eThe exported registry hive is saved to a file on disk or a network share.\u003c/li\u003e\n\u003cli\u003eThe attacker may compress or encrypt the exported registry hive to evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the exported registry hive for offline analysis.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts credential information from the registry hive, such as password hashes and LSA secrets, to use in lateral movement or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to acquire sensitive credentials stored within the registry. This can lead to lateral movement within the network, privilege escalation, and ultimately, data exfiltration or system compromise. Compromised credentials can be used to access critical systems and data, causing significant damage to the organization. The impact is considered high due to the potential for widespread access and control over the compromised environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation auditing with command line arguments to capture the execution of \u003ccode\u003ereg.exe\u003c/code\u003e with relevant arguments. (\u003ca href=\"https://ela.st/audit-process-creation\"\u003eData Source: Windows Security Event Logs, Sysmon\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Registry Hive Export via Reg.exe\u003c/code\u003e to your SIEM to detect the execution of \u003ccode\u003ereg.exe\u003c/code\u003e with arguments indicative of registry hive dumping.\u003c/li\u003e\n\u003cli\u003eImplement access controls and monitor file system activity to detect unauthorized access or modification of registry hive files.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of \u003ccode\u003ereg.exe\u003c/code\u003e to authorized personnel and processes.\u003c/li\u003e\n\u003cli\u003eMonitor for parent processes of \u003ccode\u003ereg.exe\u003c/code\u003e that are unusual or unexpected, which might indicate malicious activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by reviewing the process command line, parent process, and destination of the exported registry hive.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-24-registry-hive-dump/","summary":"Detects attempts to export sensitive Windows registry hives (SAM/SECURITY) using reg.exe, potentially leading to credential compromise.","title":"Credential Acquisition via Registry Hive Dumping","url":"https://feed.craftedsignal.io/briefs/2024-01-24-registry-hive-dump/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","CrowdStrike FDR","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows-sandbox","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers may abuse the Windows Sandbox feature to evade detection by running malicious code within the isolated environment. This involves configuring the sandbox with sensitive options such as granting write access to the host file system, enabling network connections, and setting up automatic command execution via logon. By running within the sandbox with these configurations, malware can potentially interact with the host system, while making detection more difficult. This technique is used for defense evasion, hiding artifacts, and executing malicious activities within a virtualized environment to avoid direct exposure on the host. The rule identifies the start of a new container with sensitive configurations like write access to the host file system, network connection and automatic execution via logon command.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through an exploit or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages Windows Sandbox by executing \u003ccode\u003ewsb.exe\u003c/code\u003e or \u003ccode\u003eWindowsSandboxClient.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the sandbox to enable networking using \u003ccode\u003e\u0026lt;Networking\u0026gt;Enable\u0026lt;/Networking\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;NetworkingEnabled\u0026gt;true\u0026lt;/NetworkingEnabled\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker grants the sandbox write access to the host file system using \u003ccode\u003e\u0026lt;HostFolder\u0026gt;C:\\\\\u0026lt;ReadOnly\u0026gt;false\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sets up a logon command to automatically execute malicious code when the sandbox starts using \u003ccode\u003e\u0026lt;LogonCommand\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe sandbox initializes and executes the configured logon command.\u003c/li\u003e\n\u003cli\u003eThe malicious code interacts with the host file system and network, performing actions such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as deploying ransomware or stealing sensitive information, while operating from within the isolated sandbox environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using Windows Sandbox abuse can lead to a range of negative impacts. Attackers may gain unauthorized access to sensitive data, compromise system integrity, or disrupt business operations. The use of the sandbox environment helps to conceal malicious activity, making detection and remediation more challenging. The damage can include data breaches, financial losses, reputational damage, and regulatory penalties. Successful exploitation allows malware to interact with the host system, potentially affecting multiple systems on the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Windows Sandbox with Sensitive Configuration\u0026rdquo; detection rule to your SIEM to identify potential sandbox abuse attempts.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ewsb.exe\u003c/code\u003e and \u003ccode\u003eWindowsSandboxClient.exe\u003c/code\u003e with command-line arguments that enable networking (\u003ccode\u003e\u0026lt;Networking\u0026gt;Enable\u0026lt;/Networking\u0026gt;\u003c/code\u003e, \u003ccode\u003e\u0026lt;NetworkingEnabled\u0026gt;true\u0026lt;/NetworkingEnabled\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ewsb.exe\u003c/code\u003e and \u003ccode\u003eWindowsSandboxClient.exe\u003c/code\u003e with command-line arguments that enable write access to the host file system (\u003ccode\u003e\u0026lt;HostFolder\u0026gt;C:\\\\\u0026lt;ReadOnly\u0026gt;false\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ewsb.exe\u003c/code\u003e and \u003ccode\u003eWindowsSandboxClient.exe\u003c/code\u003e with command-line arguments that define logon commands (\u003ccode\u003e\u0026lt;LogonCommand\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the necessary command-line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-10T12:00:00Z","date_published":"2024-01-10T12:00:00Z","id":"/briefs/2024-01-windows-sandbox-abuse/","summary":"This rule detects the abuse of Windows Sandbox with sensitive configurations to evade detection, where malware may abuse the sandbox feature to gain write access to the host file system, enable network connections, and automatically execute commands via logon, identifying the start of a new container with these sensitive configurations.","title":"Windows Sandbox Abuse with Sensitive Configuration","url":"https://feed.craftedsignal.io/briefs/2024-01-windows-sandbox-abuse/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Build Engine","Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","msbuild","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe Microsoft Build Engine (MSBuild) is a software build platform commonly used by Windows developers. When MSBuild is started by an Office application like Word or Excel, it deviates from typical usage patterns. This behavior can be indicative of a malicious document executing a script payload as part of a defense evasion tactic. Attackers may leverage MSBuild to execute code or perform actions that would otherwise be blocked or detected. This activity is particularly concerning because it can bypass traditional security measures that focus on blocking suspicious executables or scripts directly launched by Office applications. The rule was created in March 2020, and last updated in April 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user opens a malicious Office document (e.g., Word, Excel, PowerPoint).\u003c/li\u003e\n\u003cli\u003eThe Office document contains an embedded macro or exploit that triggers the execution of MSBuild.exe.\u003c/li\u003e\n\u003cli\u003eMSBuild.exe is launched as a child process of the Office application (e.g., winword.exe, excel.exe, powerpnt.exe).\u003c/li\u003e\n\u003cli\u003eMSBuild executes a project file or inline task specified in the command line. This can involve compiling code, executing scripts, or performing other actions.\u003c/li\u003e\n\u003cli\u003eThe executed code or script performs malicious activities, such as downloading additional payloads, modifying system settings, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eMSBuild may spawn child processes, such as cmd.exe, powershell.exe, or other utilities, to further execute malicious commands.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which could include data exfiltration, installing malware, or gaining unauthorized access to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary code on the victim\u0026rsquo;s machine, potentially resulting in data theft, malware installation, or complete system compromise. Since MSBuild is a legitimate Microsoft tool, its use by malicious actors can make detection more challenging. The impact is high because it leverages a trusted process to carry out malicious activities, evading standard security measures.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Microsoft Build Engine Started by an Office Application\u0026rdquo; to your SIEM to detect this specific behavior based on process creation events.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with the appropriate configuration to capture the necessary process start events for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the command-line arguments of MSBuild.exe and the parent process information, including the executable name and command line.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for MSBuild.exe with parent processes being Office applications as a high priority indicator of potential compromise.\u003c/li\u003e\n\u003cli\u003eReview and harden Office macro settings to prevent execution of malicious macros.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:22:00Z","date_published":"2024-01-09T18:22:00Z","id":"/briefs/2024-01-msbuild-office-app/","summary":"The Microsoft Build Engine (MSBuild) being started by an Office application is unusual behavior and could indicate a malicious document executing a script payload for defense evasion.","title":"Microsoft Build Engine Started by an Office Application","url":"https://feed.craftedsignal.io/briefs/2024-01-msbuild-office-app/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["ntlm-relay","credential-access","windows","webdav"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies attempts to coerce local NTLM authentication over HTTP through WebDAV named-pipe paths, focusing on Print Spooler and SRVSVC. Attackers can exploit this vulnerability, often combined with tools like NTLMRelay2Self, PetitPotam, or modified versions of krbrelayx\u0026rsquo;s printerbug.py, to relay the obtained credentials and escalate their privileges within the network. This technique allows attackers to bypass traditional security measures by leveraging legitimate Windows protocols for malicious purposes. Successful exploitation can lead to domain dominance and unauthorized access to sensitive resources. This activity is often associated with post-exploitation activity following initial access via other means.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003erundll32.exe\u003c/code\u003e to load \u003ccode\u003edavclnt.dll\u003c/code\u003e using the \u003ccode\u003eDavSetCookie\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erundll32.exe\u003c/code\u003e process is invoked with arguments specifying a named pipe path over HTTP, such as \u003ccode\u003ehttp*/print/pipe/*\u003c/code\u003e, \u003ccode\u003ehttp*/pipe/spoolss\u003c/code\u003e, or \u003ccode\u003ehttp*/pipe/srvsvc\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe system attempts to authenticate to the specified HTTP endpoint using NTLM.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the NTLM authentication request.\u003c/li\u003e\n\u003cli\u003eUsing a relay tool like NTLMRelay2Self or ntlmrelayx, the attacker relays the captured NTLM credentials to another service or machine.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the relayed credentials to escalate privileges or gain unauthorized access to network resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may then perform lateral movement, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to escalate privileges within the compromised system and potentially the entire domain. This can lead to unauthorized access to sensitive data, deployment of ransomware, or other destructive activities. The impact ranges from data breaches and financial losses to complete system compromise. Depending on the targeted accounts, the attacker may be able to achieve domain administrator privileges.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Local NTLM Relay via HTTP\u0026rdquo; to your SIEM to detect the execution of \u003ccode\u003erundll32.exe\u003c/code\u003e with specific arguments indicative of NTLM relay attempts.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to ensure the necessary data is available for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from processes that load \u003ccode\u003edavclnt.dll\u003c/code\u003e to identify potential NTLM relay traffic.\u003c/li\u003e\n\u003cli\u003eInvestigate and block the usage of tools like NTLMRelay2Self, PetitPotam, and ntlmrelayx within the environment.\u003c/li\u003e\n\u003cli\u003eImplement mitigations for NTLM relay attacks, such as enabling Extended Protection for Authentication (EPA) and disabling NTLM where possible.\u003c/li\u003e\n\u003cli\u003eReview and restrict the usage of WebClient service and Print Spooler service where not required.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T14:00:00Z","date_published":"2024-01-09T14:00:00Z","id":"/briefs/2024-01-ntlm-relay-http/","summary":"Adversaries may coerce local NTLM authentication over HTTP via WebDAV named-pipe paths (Print Spooler, SRVSVC), then relay credentials to elevate privileges.","title":"Potential Local NTLM Relay via HTTP","url":"https://feed.craftedsignal.io/briefs/2024-01-ntlm-relay-http/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Endgame","Kaspersky Security for Windows Server","Desktop Central Agent","SAP NW Setup"],"_cs_severities":["medium"],"_cs_tags":["persistence","app-compat","shim","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SAP","Kaspersky","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers can exploit the Windows Application Compatibility Shim functionality to maintain persistence and execute arbitrary code within legitimate Windows processes. This is achieved by installing custom shim databases, which are designed to ensure older applications run smoothly on newer operating systems. By manipulating these databases, attackers can stealthily inject malicious code into trusted processes. The rule detects changes in specific registry paths associated with the installation of these databases, excluding known legitimate processes to minimize false positives. This technique allows for the execution of malicious code without directly modifying the target application\u0026rsquo;s executable, making it difficult to detect with traditional methods.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry to create a new entry for a custom shim database. The registry path targeted is typically under \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker writes a malicious \u003ccode\u003e.sdb\u003c/code\u003e file containing the custom shim database to a location on disk.\u003c/li\u003e\n\u003cli\u003eThe registry entry created points to the malicious \u003ccode\u003e.sdb\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eWhen a targeted application is launched, Windows checks the AppCompatFlags registry keys.\u003c/li\u003e\n\u003cli\u003eThe system loads the malicious shim database specified in the registry.\u003c/li\u003e\n\u003cli\u003eThe malicious code within the shim database is executed in the context of the targeted application.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence, as the malicious shim database is loaded every time the targeted application is run.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to the system, even after reboots or software updates. The injected code runs within the context of a legitimate process, which can evade detection by traditional security tools. This can lead to data theft, system compromise, or further malicious activities, such as lateral movement within the network. The use of application shimming for persistence affects systems running Windows and can impact organizations of any size or sector.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Custom Shim Database Installation\u003c/code\u003e to your SIEM to identify suspicious registry modifications related to application shimming.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to ensure the necessary data is available for the Sigma rule to function.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on processes that are not in the exclusion list.\u003c/li\u003e\n\u003cli\u003eBlock or quarantine any identified malicious \u003ccode\u003e.sdb\u003c/code\u003e files to prevent further execution.\u003c/li\u003e\n\u003cli\u003eReview and update the exclusion list in the Sigma rule with any newly identified legitimate applications that use shim databases, reducing false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-09-app-compat-shim-persistence/","summary":"Attackers abuse the Application Compatibility Shim functionality in Windows to establish persistence and achieve arbitrary code execution by installing malicious shim databases, which this detection identifies through monitoring registry changes.","title":"Detection of Custom Shim Database Installation for Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-09-app-compat-shim-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["uac-bypass","privilege-escalation","windows","diskcleanup","scheduled-task"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis rule identifies User Account Control (UAC) bypass attempts via hijacking the DiskCleanup Scheduled Task. Attackers exploit this method to execute code with elevated privileges, bypassing standard security controls. The technique involves leveraging the \u003ccode\u003ecleanmgr.exe\u003c/code\u003e or \u003ccode\u003etaskhostw.exe\u003c/code\u003e executables with specific arguments (\u003ccode\u003e/autoclean\u003c/code\u003e and \u003ccode\u003e/d\u003c/code\u003e) outside of their expected paths. This allows attackers to run malicious code under the guise of a legitimate system process, making detection more challenging. This technique is used to gain elevated privileges on a compromised system, allowing for further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., via phishing or exploiting a software vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies or creates a scheduled task to execute \u003ccode\u003ecleanmgr.exe\u003c/code\u003e or \u003ccode\u003etaskhostw.exe\u003c/code\u003e with the \u003ccode\u003e/autoclean\u003c/code\u003e and \u003ccode\u003e/d\u003c/code\u003e arguments.\u003c/li\u003e\n\u003cli\u003eThe modified scheduled task is triggered, executing the specified executable with the supplied arguments.\u003c/li\u003e\n\u003cli\u003eThe executable, such as \u003ccode\u003ecleanmgr.exe\u003c/code\u003e, attempts to run Disk Cleanup.\u003c/li\u003e\n\u003cli\u003eIf the executable path is outside the standard locations (e.g., \u003ccode\u003eC:\\\\Windows\\\\System32\u003c/code\u003e or \u003ccode\u003eC:\\\\Windows\\\\SysWOW64\u003c/code\u003e), it indicates a potential hijack.\u003c/li\u003e\n\u003cli\u003eMalicious code is executed with elevated privileges due to the UAC bypass.\u003c/li\u003e\n\u003cli\u003eThe attacker uses these elevated privileges to install malware, modify system settings, or perform other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass User Account Control (UAC) and execute code with elevated privileges. This can lead to the installation of malware, modification of system settings, data theft, and other malicious activities. While the exact number of victims is unknown, this technique is effective on systems where UAC is enabled but misconfigured or vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;UAC Bypass via DiskCleanup with Suspicious Path\u0026rdquo; to your SIEM and tune for your environment to detect UAC bypass attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;UAC Bypass via DiskCleanup and Taskhostw\u0026rdquo; to your SIEM to detect UAC bypass attempts.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ecleanmgr.exe\u003c/code\u003e and \u003ccode\u003etaskhostw.exe\u003c/code\u003e with the \u003ccode\u003e/autoclean\u003c/code\u003e and \u003ccode\u003e/d\u003c/code\u003e arguments, focusing on executions outside the standard system directories.\u003c/li\u003e\n\u003cli\u003eReview and harden scheduled tasks to prevent unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eEnsure that UAC settings are properly configured and enforced across the organization.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"/briefs/2024-01-uac-bypass-diskcleanup/","summary":"Attackers bypass User Account Control (UAC) by hijacking the DiskCleanup Scheduled Task to stealthily execute code with elevated permissions on Windows systems.","title":"UAC Bypass via DiskCleanup Scheduled Task Hijack","url":"https://feed.craftedsignal.io/briefs/2024-01-uac-bypass-diskcleanup/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","eventlog"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers often disable Windows Event and Security Logs to evade detection on compromised systems. This activity involves tampering with, clearing, and deleting event log data to break SIEM detections, cover their tracks, and slow down incident response. The methods employed include using the \u003ccode\u003elogman\u003c/code\u003e utility, PowerShell commands to disable the EventLog service, or \u003ccode\u003eauditpol\u003c/code\u003e to disable auditing. These actions are typically performed after initial access and privilege escalation to hinder forensic investigations and maintain persistence within the environment. Defenders should monitor for these specific tools and command-line arguments to identify potential attempts to disable logging.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to administrator level to gain the necessary permissions to modify event logging settings.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003elogman.exe\u003c/code\u003e with arguments to stop or delete EventLog traces (e.g., \u003ccode\u003elogman.exe stop EventLog-*\u003c/code\u003e, \u003ccode\u003elogman.exe delete EventLog-*\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses PowerShell with \u003ccode\u003eSet-Service\u003c/code\u003e cmdlet to disable the EventLog service (e.g., \u003ccode\u003epowershell.exe Set-Service EventLog -StartupType Disabled\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker can also use \u003ccode\u003eauditpol.exe\u003c/code\u003e to disable auditing policies, preventing future events from being logged (e.g., \u003ccode\u003eauditpol.exe /success:disable\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAfter disabling logging, the attacker performs malicious activities such as lateral movement, data exfiltration, or malware deployment, with a reduced risk of detection.\u003c/li\u003e\n\u003cli\u003eThe attacker removes traces of their activity from other logs if possible.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence and continues to exploit the compromised environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of Windows Event and Security Logs can severely hinder incident response and forensic investigations. The absence of log data makes it difficult to detect ongoing malicious activity, understand the scope of the compromise, and attribute the attack. This can lead to prolonged dwell time for attackers, increased data exfiltration, and greater overall damage to the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Disable Windows Event and Security Logs Using Built-in Tools\u0026rdquo; to your SIEM to detect the execution of \u003ccode\u003elogman.exe\u003c/code\u003e, PowerShell, and \u003ccode\u003eauditpol.exe\u003c/code\u003e with specific arguments related to disabling event logs.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003elogman.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003epwsh.exe\u003c/code\u003e, \u003ccode\u003epowershell_ise.exe\u003c/code\u003e, and \u003ccode\u003eauditpol.exe\u003c/code\u003e with command-line arguments that indicate an attempt to disable event logging.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture detailed command-line arguments for process monitoring.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit Group Policy settings related to event logging to prevent unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eMonitor for changes to the EventLog service configuration, including startup type and status, using system monitoring tools.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T10:00:00Z","date_published":"2024-01-04T10:00:00Z","id":"/briefs/2024-01-disable-windows-logs/","summary":"Attackers attempt to disable Windows Event and Security Logs using logman, PowerShell, or auditpol to evade detection and cover their tracks.","title":"Disable Windows Event and Security Logs Using Built-in Tools","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-windows-logs/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["credential-access","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eThis rule identifies the creation of symbolic links to shadow copies on Windows systems. Attackers use this technique to gain access to sensitive files stored within shadow copies, including the ntds.dit file (containing password hashes), system boot keys, and browser offline credentials. This approach allows them to bypass normal file access controls and extract credentials for lateral movement or privilege escalation. The detection rule is designed to ingest data from various sources, including Elastic Defend, CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs, providing broad coverage across different endpoint security solutions. The activity is typically initiated by command-line tools like cmd.exe or powershell.exe, making detection through process monitoring feasible. This technique is particularly relevant as it targets credential dumping, a critical stage in many attack campaigns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, possibly through phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain administrative rights, which are required to create shadow copies and symbolic links.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a volume shadow copy using \u003ccode\u003evssadmin.exe\u003c/code\u003e or similar tools.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003emklink\u003c/code\u003e command or PowerShell \u003ccode\u003eNew-Item -ItemType SymbolicLink\u003c/code\u003e to create a symbolic link to the shadow copy path.\u003c/li\u003e\n\u003cli\u003eThe symbolic link points to a directory within the shadow copy containing sensitive files like \u003ccode\u003entds.dit\u003c/code\u003e or browser credential stores.\u003c/li\u003e\n\u003cli\u003eThe attacker copies the targeted sensitive files (e.g., \u003ccode\u003entds.dit\u003c/code\u003e) from the shadow copy using the symbolic link.\u003c/li\u003e\n\u003cli\u003eThe attacker removes the shadow copy to cover their tracks, although the symbolic link creation remains as evidence.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts credentials from the copied \u003ccode\u003entds.dit\u003c/code\u003e file offline for use in lateral movement or further attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain unauthorized access to sensitive credentials stored on the compromised system. This can lead to lateral movement within the network, privilege escalation, and ultimately, the compromise of critical assets. If the \u003ccode\u003entds.dit\u003c/code\u003e file is accessed, the entire Active Directory domain could be at risk, potentially affecting thousands of users and systems. This type of attack is particularly damaging as it allows attackers to operate undetected for extended periods while they harvest credentials.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026ldquo;Symbolic Link to Shadow Copy Created via Cmd\u0026rdquo; to detect the creation of symbolic links to shadow copies via \u003ccode\u003ecmd.exe\u003c/code\u003e (rules).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026ldquo;Symbolic Link to Shadow Copy Created via PowerShell\u0026rdquo; to detect the creation of symbolic links to shadow copies via \u003ccode\u003epowershell.exe\u003c/code\u003e (rules).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) logging to provide necessary data for the Sigma rules to function correctly (setup).\u003c/li\u003e\n\u003cli\u003eReview the \u0026ldquo;Investigating Symbolic Link to Shadow Copy Created\u0026rdquo; section in the rule\u0026rsquo;s notes for triage and analysis steps when the rule triggers.\u003c/li\u003e\n\u003cli\u003eMonitor for the usage of \u003ccode\u003emklink\u003c/code\u003e command with the \u003ccode\u003eHarddiskVolumeShadowCopy\u003c/code\u003e argument in process command lines.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:15:00Z","date_published":"2024-01-03T18:15:00Z","id":"/briefs/2024-01-shadow-copy-symlink/","summary":"Adversaries may create symbolic links to shadow copies to access sensitive files such as ntds.dit and browser credentials, enabling credential dumping using cmd.exe or powershell.exe.","title":"Symbolic Link Creation to Shadow Copies for Credential Access","url":"https://feed.craftedsignal.io/briefs/2024-01-shadow-copy-symlink/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","Windows"],"_cs_severities":["low"],"_cs_tags":["discovery","account-discovery","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","Elastic"],"content_html":"\u003cp\u003eAttackers often perform reconnaissance activities within a compromised environment to understand the available resources and potential targets. This reconnaissance helps them plan subsequent actions, such as privilege escalation and lateral movement. This activity involves using built-in Windows utilities like \u003ccode\u003enet.exe\u003c/code\u003e and \u003ccode\u003ewmic.exe\u003c/code\u003e to enumerate administrator-related user accounts and groups. This information can reveal potential targets for credential compromise or other post-exploitation activities. Lower privileged accounts commonly perform this enumeration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enet.exe\u003c/code\u003e with arguments to list users and groups.\u003c/li\u003e\n\u003cli\u003eThe attacker filters the output for administrator-related keywords like \u0026ldquo;admin\u0026rdquo;, \u0026ldquo;Domain Admins\u0026rdquo;, \u0026ldquo;Enterprise Admins\u0026rdquo;, \u0026ldquo;Remote Desktop Users\u0026rdquo;, or \u0026ldquo;Organization Management\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker executes \u003ccode\u003ewmic.exe\u003c/code\u003e to query user accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output from \u003ccode\u003ewmic.exe\u003c/code\u003e to identify administrator accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies privileged accounts to target for credential theft or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the identified accounts to perform lateral movement or access sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enumeration of administrator accounts allows an attacker to identify high-value targets within the environment. This can lead to credential theft, privilege escalation, lateral movement, and ultimately, unauthorized access to sensitive data or systems. While the risk score is low, this activity serves as a precursor to more serious compromises.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003enet.exe\u003c/code\u003e and \u003ccode\u003ewmic.exe\u003c/code\u003e commands with arguments related to user and group enumeration using the Sigma rules provided.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of lower-privileged accounts executing these commands and filter out authorized administrative accounts performing the same actions.\u003c/li\u003e\n\u003cli\u003eEnable Windows process creation logging to capture the necessary events.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:14:00Z","date_published":"2024-01-03T17:14:00Z","id":"/briefs/2024-01-admin-recon/","summary":"Adversaries may execute the `net.exe` or `wmic.exe` commands to enumerate administrator accounts or groups, both locally and within the domain, to gather information for follow-on actions.","title":"Windows Account Discovery of Administrator Accounts","url":"https://feed.craftedsignal.io/briefs/2024-01-admin-recon/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["high"],"_cs_tags":["credential-access","mimikatz","memssp","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies the creation of the \u003ccode\u003emimilsa.log\u003c/code\u003e file, a default log generated by the Mimikatz \u003ccode\u003emisc::memssp\u003c/code\u003e module. The \u003ccode\u003emisc::memssp\u003c/code\u003e module injects a malicious Security Support Provider (SSP) into the Local Security Authority Subsystem Service (LSASS) process. This injected SSP logs credentials from subsequent logons to the compromised host, allowing attackers to capture sensitive information. The creation of this log file is a strong indicator of credential access attempts and the potential compromise of user accounts and system security. This rule is designed for data generated by Elastic Defend and also supports data from CrowdStrike, Microsoft Defender XDR, and SentinelOne Cloud Funnel.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes Mimikatz or a similar tool with the \u003ccode\u003emisc::memssp\u003c/code\u003e module.\u003c/li\u003e\n\u003cli\u003eMimikatz injects a malicious SSP library (e.g., \u003ccode\u003emimilib.dll\u003c/code\u003e) into the LSASS process (\u003ccode\u003elsass.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe injected SSP hooks into the authentication process.\u003c/li\u003e\n\u003cli\u003eWhen users log on to the system, the SSP captures their credentials.\u003c/li\u003e\n\u003cli\u003eThe captured credentials are written to the \u003ccode\u003emimilsa.log\u003c/code\u003e file, typically located in \u003ccode\u003eC:\\Windows\\System32\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the \u003ccode\u003emimilsa.log\u003c/code\u003e file to obtain the captured credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to escalate privileges, move laterally within the network, and access sensitive resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Mimikatz MemSSP attack can lead to the compromise of user accounts, including those with administrative privileges. This allows attackers to gain unauthorized access to sensitive data, systems, and resources within the organization. Lateral movement becomes easier, potentially impacting a large number of systems. The compromised credentials can also be used for external attacks, such as gaining access to cloud services or other external resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMimikatz Memssp Log File Detected\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon file creation logging to detect the creation of \u003ccode\u003emimilsa.log\u003c/code\u003e files.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the process that created the log file and any subsequent file access.\u003c/li\u003e\n\u003cli\u003eMonitor for the presence of \u003ccode\u003emimilib.dll\u003c/code\u003e and any LSA Security Packages registry modifications, as these may indicate persistent SSP installation.\u003c/li\u003e\n\u003cli\u003eReview and restrict interactive logons to high-value hosts to minimize the potential for credential theft.\u003c/li\u003e\n\u003cli\u003eInvestigate related alerts for the same \u003ccode\u003ehost.id\u003c/code\u003e in the last 48 hours covering delivery, privilege escalation, LSASS access, persistence, lateral movement, or additional credential access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:00:00Z","date_published":"2024-01-03T17:00:00Z","id":"/briefs/2024-01-mimikatz-memssp-log/","summary":"This rule detects the creation of the default Mimikatz MemSSP credential log file, mimilsa.log, which is created after the misc::memssp module injects a malicious Security Support Provider into LSASS, potentially capturing credentials from subsequent logons.","title":"Mimikatz MemSSP Log File Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-mimikatz-memssp-log/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Subsystem for Linux","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike FDR"],"_cs_severities":["medium"],"_cs_tags":["wsl","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers may leverage the Windows Subsystem for Linux (WSL) to evade detection by operating within a Linux environment on a Windows host. The installation of a new WSL distribution involves specific registry modifications. This rule identifies such modifications, providing an alert when a new WSL distribution is installed. This is important for defenders as it could signal an attacker setting up a persistent and potentially hidden environment for malicious activities. WSL allows attackers to utilize Linux tools and techniques on a Windows system, potentially bypassing traditional Windows-based security measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the Windows system through existing vulnerabilities or compromised credentials.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker elevates their privileges to perform system-level changes, including registry modifications.\u003c/li\u003e\n\u003cli\u003eWSL Installation: The attacker initiates the installation of a WSL distribution. This may involve downloading and executing a WSL installer package.\u003c/li\u003e\n\u003cli\u003eRegistry Modification: During installation, the system modifies the registry to configure and register the new WSL distribution. Specifically, keys under \u003ccode\u003eHKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\\u003c/code\u003e are created/modified.\u003c/li\u003e\n\u003cli\u003eWSL Environment Setup: The attacker configures the installed WSL distribution, potentially installing additional tools and software needed for their objectives.\u003c/li\u003e\n\u003cli\u003eExecution of Malicious Activities: The attacker executes malicious commands and scripts within the WSL environment, leveraging Linux tools to perform actions such as lateral movement, data exfiltration, or persistence.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker utilizes WSL to evade detection, as traditional Windows-based security tools may not effectively monitor or analyze activity within the Linux subsystem.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence within the WSL environment, ensuring continued access to the compromised system even after reboots or security updates.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish a hidden and persistent environment within the compromised Windows system. This can lead to data theft, system compromise, and further propagation of the attack within the network. The number of victims and affected sectors depends on the scope and objectives of the attacker. The use of WSL for malicious purposes can significantly complicate incident response and remediation efforts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect WSL Installation via Registry Modification\u0026rdquo; to your SIEM to detect new WSL installations by monitoring registry changes.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture the necessary data for the Sigma rule to function correctly (see setup instructions in the rule description).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the WSL installation and identify potential malicious activities.\u003c/li\u003e\n\u003cli\u003eMonitor for execution of suspicious processes within WSL environments, as described in \u0026ldquo;Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\u0026rdquo;.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T16:00:00Z","date_published":"2024-01-03T16:00:00Z","id":"/briefs/2024-01-wsl-registry-modification/","summary":"This rule detects registry modifications indicative of a new Windows Subsystem for Linux (WSL) distribution installation, a technique adversaries may leverage to evade detection by utilizing Linux environments within Windows.","title":"Windows Subsystem for Linux Distribution Installed via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-wsl-registry-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["boot-configuration","bcdedit","impact","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies the execution of \u003ccode\u003ebcdedit.exe\u003c/code\u003e with specific arguments that modify the boot configuration data (BCD) store in Windows systems. Attackers or malware may use this technique to disable Windows Error Recovery (\u003ccode\u003erecoveryenabled\u003c/code\u003e) or to ignore errors during the boot process (\u003ccode\u003ebootstatuspolicy ignoreallfailures\u003c/code\u003e). These modifications are often performed to prevent systems from recovering properly after an attack, particularly in ransomware scenarios. The rule is designed to work with data from Elastic Defend, CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon. The detection logic focuses on process execution events that include the relevant \u003ccode\u003ebcdedit.exe\u003c/code\u003e command-line arguments. Defenders should be aware of legitimate uses of \u003ccode\u003ebcdedit.exe\u003c/code\u003e by administrators for troubleshooting or data recovery purposes, so context is crucial.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the system through various means, such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges to gain administrative access, required to modify boot configuration settings.\u003c/li\u003e\n\u003cli\u003eReconnaissance: The attacker performs reconnaissance to identify the system\u0026rsquo;s configuration and identify appropriate targets for modification.\u003c/li\u003e\n\u003cli\u003eDisable Recovery: The attacker uses \u003ccode\u003ebcdedit.exe\u003c/code\u003e to disable Windows Error Recovery using the \u003ccode\u003e/set {default} recoveryenabled No\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eIgnore Boot Failures: The attacker uses \u003ccode\u003ebcdedit.exe\u003c/code\u003e to set the boot status policy to ignore all failures using the \u003ccode\u003e/set {default} bootstatuspolicy ignoreallfailures\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eSystem Impact: By modifying the boot configuration, the attacker inhibits system recovery, making it harder for the system to recover from errors or malicious activity.\u003c/li\u003e\n\u003cli\u003ePayload Execution: The attacker deploys and executes the primary malicious payload, such as ransomware, leveraging the modified boot configuration to maximize impact.\u003c/li\u003e\n\u003cli\u003eFinal Objective: The attacker achieves their final objective, which could include data encryption, data theft, or system disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of boot configuration data can lead to significant system instability and data loss. In ransomware attacks, this technique prevents the system from recovering, increasing the likelihood of the victim paying the ransom. While the exact number of affected organizations is unknown, this technique is widely used in ransomware campaigns and can affect any Windows system if successfully executed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Modification of Boot Configuration\u0026rdquo; Sigma rule to your SIEM and tune for your environment to detect the malicious use of \u003ccode\u003ebcdedit.exe\u003c/code\u003e described in this brief.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture \u003ccode\u003ebcdedit.exe\u003c/code\u003e executions and their command-line arguments (Sysmon Event ID 1).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u003ccode\u003ebcdedit.exe\u003c/code\u003e modifying boot configuration settings to determine legitimacy, as described in the rule\u0026rsquo;s \u0026ldquo;Triage and analysis\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for unexpected processes running \u003ccode\u003ebcdedit.exe\u003c/code\u003e with arguments related to disabling recovery or ignoring boot failures.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"/briefs/2024-01-bcdedit-boot-config-modification/","summary":"This rule identifies the use of bcdedit.exe to modify boot configuration data, which may be indicative of a destructive attack or ransomware activity aimed at inhibiting system recovery by disabling error recovery or ignoring boot failures.","title":"Detection of Bcdedit Boot Configuration Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-bcdedit-boot-config-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike Falcon","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["impact","backup-deletion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers, including ransomware groups, often attempt to remove or impair an organization\u0026rsquo;s ability to recover from an attack. One method to achieve this is by deleting Windows backup catalogs and system state backups using the \u003ccode\u003ewbadmin.exe\u003c/code\u003e utility. Windows Server Backup stores details about backups (what volumes are backed up and where the backups are located) in a backup catalog. Removing these catalogs renders backups unusable for recovery, increasing the impact of the attack. This technique is frequently observed in ransomware playbooks and other destructive attacks targeting Windows environments. This activity can be detected using endpoint detection and response (EDR) solutions, Windows Security Event Logs, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system via phishing, exploiting a vulnerability, or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to administrator level to execute wbadmin.exe.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewbadmin.exe\u003c/code\u003e with the \u003ccode\u003edelete catalog\u003c/code\u003e command to remove backup catalogs.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewbadmin.exe\u003c/code\u003e with the \u003ccode\u003edelete systemstatebackup\u003c/code\u003e command to remove system state backups.\u003c/li\u003e\n\u003cli\u003eThe attacker may also delete shadow copies using \u003ccode\u003evssadmin.exe\u003c/code\u003e or \u003ccode\u003ewmic.exe\u003c/code\u003e to further hinder recovery.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys ransomware or initiates other destructive actions.\u003c/li\u003e\n\u003cli\u003eThe attacker encrypts or destroys data on the system and connected network shares.\u003c/li\u003e\n\u003cli\u003eThe attacker demands a ransom payment for data recovery, which is complicated by the deleted backups.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of backup catalogs and system state backups significantly impairs an organization\u0026rsquo;s ability to recover from a ransomware attack or other destructive event. This can lead to prolonged downtime, data loss, and financial losses associated with incident response and recovery efforts. While the number of direct victims of this specific technique is difficult to quantify, the impact is typically observed in conjunction with broader ransomware campaigns affecting organizations across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging with Event ID 1 to capture \u003ccode\u003ewbadmin.exe\u003c/code\u003e executions and activate the first Sigma rule.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security Event Logs for process creation events related to \u003ccode\u003ewbadmin.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003ewbadmin.exe\u003c/code\u003e executing with \u003ccode\u003edelete\u003c/code\u003e arguments.\u003c/li\u003e\n\u003cli\u003eReview and harden account access controls to prevent unauthorized use of \u003ccode\u003ewbadmin.exe\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-wbadmin-backup-deletion/","summary":"Adversaries may delete Windows backup catalogs and system state backups using wbadmin.exe to inhibit system recovery, often as part of ransomware or other destructive attacks.","title":"Windows Backup Deletion via Wbadmin","url":"https://feed.craftedsignal.io/briefs/2024-01-wbadmin-backup-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["enumeration","wmi","discovery","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers can leverage the Windows Management Instrumentation (WMI) to execute commands for reconnaissance and enumeration within a compromised system. This involves spawning native Windows tools via the WMI Provider Service (WMIPrvSE). This activity is often used to gather system and network information in a stealthy manner, which could be part of a larger attack, such as lateral movement or privilege escalation. This behavior matters because it allows adversaries to gather information about the target environment without using easily detectable methods, potentially leading to further compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses WMI to execute a reconnaissance command.\u003c/li\u003e\n\u003cli\u003eWMIPrvSE.exe is invoked to execute the attacker\u0026rsquo;s specified command.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands such as \u003ccode\u003eipconfig.exe\u003c/code\u003e, \u003ccode\u003enet.exe\u003c/code\u003e, or \u003ccode\u003esysteminfo.exe\u003c/code\u003e via WMIPrvSE.exe to gather network configuration details, user information, and system information.\u003c/li\u003e\n\u003cli\u003eThe enumerated information is collected and potentially exfiltrated to a command and control server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to identify further targets within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems using stolen credentials or exploited vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of enumeration commands via WMIPrvSE allows attackers to gather sensitive information about the system and network environment. This information can be used to facilitate lateral movement, privilege escalation, and data theft, potentially leading to significant financial loss, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the execution of enumeration commands (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Enumeration Command Spawned via WMIPrvSE\u0026rdquo; to your SIEM to detect suspicious WMIPrvSE activity (Sigma rule).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of WMIPrvSE spawning common enumeration tools such as \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003eipconfig.exe\u003c/code\u003e, or \u003ccode\u003esysteminfo.exe\u003c/code\u003e (Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the scope of potential lateral movement following successful enumeration (Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-wmiprvse-enumeration/","summary":"This rule detects suspicious execution of system enumeration commands by the Windows Management Instrumentation Provider Service (WMIPrvSE), indicating potential reconnaissance or malicious activity on Windows systems.","title":"Suspicious Enumeration Commands Spawned via WMIPrvSE","url":"https://feed.craftedsignal.io/briefs/2024-01-wmiprvse-enumeration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike FDR","Elastic Endgame","Elastic Defend"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","amsi-bypass","dll-hijacking","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","CrowdStrike","Elastic"],"content_html":"\u003cp\u003eThe Antimalware Scan Interface (AMSI) is a Windows interface that allows applications and services to integrate with antimalware products. Attackers may attempt to bypass AMSI to execute malicious code without detection. This detection identifies the creation of the AMSI DLL (\u003ccode\u003eamsi.dll\u003c/code\u003e) in unusual locations, which is a common technique used to load a rogue AMSI module instead of the legitimate one. This technique can be used to evade detection by security products that rely on AMSI for scanning potentially malicious scripts and code. The rule is designed to work with data from Winlogbeat, Elastic Endpoint, Sysmon, Endgame, SentinelOne Cloud Funnel, Microsoft Defender XDR, and Crowdstrike.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker determines the location of the legitimate \u003ccode\u003eamsi.dll\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a writable directory where a malicious \u003ccode\u003eamsi.dll\u003c/code\u003e can be placed. This location must be in the search order of applications that use AMSI, such as PowerShell or other scripting hosts.\u003c/li\u003e\n\u003cli\u003eThe attacker copies or creates a malicious \u003ccode\u003eamsi.dll\u003c/code\u003e in the identified location. This rogue DLL is designed to bypass or disable AMSI functionality.\u003c/li\u003e\n\u003cli\u003eA process like PowerShell or another scripting host is launched. Because the malicious \u003ccode\u003eamsi.dll\u003c/code\u003e is in a higher-priority directory, it is loaded instead of the legitimate AMSI library.\u003c/li\u003e\n\u003cli\u003eThe launched process executes malicious code (e.g., PowerShell script).\u003c/li\u003e\n\u003cli\u003eBecause the rogue \u003ccode\u003eamsi.dll\u003c/code\u003e is loaded, AMSI scans are bypassed, allowing the malicious code to execute without detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful AMSI bypass can allow attackers to execute malicious code, such as malware, scripts, or exploits, without detection by antimalware products. This can lead to system compromise, data theft, or other malicious activities. The impact can range from a single compromised endpoint to a wider breach of an organization\u0026rsquo;s network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable file creation monitoring with Sysmon or Elastic Defend to detect the creation of files, specifically DLLs, in unusual locations.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Antimalware Scan Interface DLL Creation\u0026rdquo; to your SIEM to detect the creation of \u003ccode\u003eamsi.dll\u003c/code\u003e in non-standard paths. Tune the rule for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the parent process, file path, and user context to determine if the activity is malicious.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-amsi-dll-hijack/","summary":"An adversary may attempt to bypass AMSI by creating a rogue AMSI DLL in an unusual location to evade detection.","title":"Suspicious Antimalware Scan Interface DLL Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-amsi-dll-hijack/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Citrix System32","MSACCESS.EXE","GTInstaller","Elastic Defend","SentinelOne Cloud Funnel","Microsoft Defender XDR","Crowdstrike FDR","Elastic Endgame"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","script-execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Citrix","Quokka.Works","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies the execution of scripts via HTML applications, leveraging Windows utilities like \u003ccode\u003erundll32.exe\u003c/code\u003e or \u003ccode\u003emshta.exe\u003c/code\u003e. Attackers often use this method to bypass process and signature-based defenses by proxying the execution of malicious content through legitimate, signed binaries. The detection focuses on specific command-line arguments and patterns associated with this technique, while also excluding known legitimate uses by applications such as Citrix System32 (\u003ccode\u003ewfshell.exe\u003c/code\u003e), Microsoft Access (\u003ccode\u003eMSACCESS.EXE\u003c/code\u003e), and Quokka.Works (\u003ccode\u003eGTInstaller.exe\u003c/code\u003e). This technique is used by attackers to execute malicious scripts without directly running them, thus evading traditional security measures. The detection rule analyzes process names, command-line arguments, parent processes, and file paths to identify potentially malicious activity indicative of defense evasion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access through various means (e.g., phishing, drive-by download).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a malicious HTML application (HTA) file or a scriptlet (SCT) file.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003emshta.exe\u003c/code\u003e or \u003ccode\u003erundll32.exe\u003c/code\u003e to execute the malicious HTA or SCT file. The command line includes obfuscated or encoded script content.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emshta.exe\u003c/code\u003e or \u003ccode\u003erundll32.exe\u003c/code\u003e process spawns a child process, such as \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e, to execute further commands.\u003c/li\u003e\n\u003cli\u003eThe spawned process executes malicious code, such as downloading and executing a payload.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence by modifying registry keys or creating scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement by exploiting vulnerabilities or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe final objective is achieved, such as data exfiltration, ransomware deployment, or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to compromise the system, steal sensitive data, deploy ransomware, or establish a persistent foothold. Due to the nature of the technique, it can bypass many traditional security measures. The wide adoption of Windows and the inherent trust placed in signed binaries makes this a potent evasion technique. Failure to detect and prevent this attack can lead to significant financial and reputational damage for the targeted organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Script Execution via Microsoft HTML Application\u0026rdquo; to your SIEM to detect suspicious \u003ccode\u003emshta.exe\u003c/code\u003e and \u003ccode\u003erundll32.exe\u003c/code\u003e executions. Tune the rule by adding exceptions for known legitimate uses in your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to ensure the visibility required for the Sigma rules to function correctly.\u003c/li\u003e\n\u003cli\u003eMonitor process command lines for suspicious arguments like \u0026ldquo;script:eval\u0026rdquo;, \u0026ldquo;WScript.Shell\u0026rdquo;, and \u0026ldquo;mshta http\u0026rdquo; which are indicative of this technique.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of \u003ccode\u003emshta.exe\u003c/code\u003e and \u003ccode\u003erundll32.exe\u003c/code\u003e where they are not required for legitimate business purposes.\u003c/li\u003e\n\u003cli\u003eInvestigate and block any identified malicious HTA files or scriptlet URLs found in the command lines of detected processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-script-execution-via-html-app/","summary":"Detects the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe to bypass defenses by proxying execution of malicious content with signed binaries.","title":"Script Execution via Microsoft HTML Application","url":"https://feed.craftedsignal.io/briefs/2024-01-script-execution-via-html-app/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","proxy-execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Crowdstrike","Microsoft","SentinelOne"],"content_html":"\u003cp\u003eAttackers are leveraging the Console Window Host (conhost.exe) to proxy execution of commands, using the \u003ccode\u003e--headless\u003c/code\u003e argument to hide malicious activity. This technique allows adversaries to blend in with legitimate Windows processes, making detection more challenging. This behavior, often associated with defense evasion, involves using conhost.exe to execute commands such as PowerShell, cmd.exe, mshta, curl, and scripts. The activity can be seen across multiple environments including endpoints, Windows systems, and cloud platforms like Microsoft Defender XDR and SentinelOne. Defenders must differentiate between legitimate uses of conhost.exe, such as those by Winget-AutoUpdate or OpenSSH, and malicious proxy executions, which could indicate broader compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a command that calls conhost.exe with the \u003ccode\u003e--headless\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eConhost.exe is used to proxy the execution of a malicious command, such as PowerShell, cmd.exe, or mshta.\u003c/li\u003e\n\u003cli\u003eThe proxied command downloads a malicious payload from a remote server using tools like curl or bitsadmin.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is executed, establishing persistence on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to move laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003cli\u003eSensitive data is exfiltrated from the network to a remote server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as deploying ransomware or stealing intellectual property.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a complete compromise of the targeted system and potentially the entire network. This can result in data theft, financial loss, and reputational damage. The use of \u003ccode\u003econhost.exe\u003c/code\u003e for proxy execution makes it difficult to detect malicious activity, potentially allowing attackers to remain undetected for extended periods. The impact could range from individual workstation compromises to large-scale network breaches, affecting potentially hundreds or thousands of systems within an organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Proxy Execution via Console Window Host\u0026rdquo; Sigma rule to your SIEM and tune for your environment to detect suspicious \u003ccode\u003econhost.exe\u003c/code\u003e activity.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003econhost.exe\u003c/code\u003e with the \u003ccode\u003e--headless\u003c/code\u003e argument, focusing on the command-line arguments to identify potentially malicious commands.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003econhost.exe\u003c/code\u003e executing suspicious scripts, downloaders, or task scheduler modifications to identify potential threats.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture detailed process execution information, as recommended in the setup instructions linked in the overview.\u003c/li\u003e\n\u003cli\u003eReview the investigation fields in the brief to understand the key data points for analyzing potential proxy execution attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-conhost-proxy-exec/","summary":"Adversaries abuse the Console Window Host (conhost.exe) with the `--headless` argument to proxy execution of malicious commands, evading detection by blending in with legitimate Windows software.","title":"Conhost Proxy Execution for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-conhost-proxy-exec/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","firewall"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers commonly use the \u003ccode\u003enetsh.exe\u003c/code\u003e utility, a command-line scripting tool, to manage network configurations. Abusers leverage \u003ccode\u003enetsh.exe\u003c/code\u003e to disable or modify Windows Firewall rules, a built-in host-based firewall. This manipulation weakens the system\u0026rsquo;s defenses, allowing unauthorized network traffic and enabling lateral movement within the compromised environment. The activity allows for command and control communications and unhindered exploitation of internal resources. Defenders must monitor \u003ccode\u003enetsh.exe\u003c/code\u003e executions for unexpected firewall modifications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a Windows system through various means such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges to a level sufficient to modify firewall settings.\u003c/li\u003e\n\u003cli\u003eDiscovery: The attacker uses reconnaissance techniques to identify existing firewall rules.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker uses \u003ccode\u003enetsh.exe\u003c/code\u003e to disable specific firewall rules, using commands like \u003ccode\u003enetsh advfirewall firewall set rule name=\u0026quot;rule_name\u0026quot; new enable=no\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: Alternatively, the attacker disables the entire firewall using \u003ccode\u003enetsh advfirewall set allprofiles state off\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eLateral Movement: With the firewall weakened, the attacker moves laterally to other systems on the network.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The attacker establishes command and control channels, which may now be unimpeded by firewall rules.\u003c/li\u003e\n\u003cli\u003eImpact: The attacker achieves their objectives, such as data exfiltration, ransomware deployment, or further compromise of the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of Windows Firewall rules can lead to significant security breaches. Attackers can move laterally within the network, compromise additional systems, and exfiltrate sensitive data. The impact can range from data loss and financial damage to reputational harm and legal consequences. The defense evasion enables attackers to establish persistent command and control channels, maintain a long-term presence within the compromised environment and conduct further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to monitor \u003ccode\u003enetsh.exe\u003c/code\u003e executions and related command-line arguments to support detections.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect attempts to disable Windows Firewall rules via \u003ccode\u003enetsh.exe\u003c/code\u003e. Tune the rules for your specific environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on identifying the user account, process execution chain, and the specific firewall rules being modified.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to limit the number of users with the privileges necessary to modify firewall settings.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit firewall configurations to ensure they are properly configured and have not been tampered with.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-disable-windows-firewall-rules/","summary":"Detection of adversaries disabling Windows Firewall rules using the `netsh.exe` command-line tool to weaken defenses and facilitate unauthorized network activity.","title":"Windows Firewall Disabled via Netsh","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-windows-firewall-rules/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","proxy-execution","openssh","application-control-bypass"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies attempts to execute commands through a proxy using the Windows OpenSSH client (ssh.exe or sftp.exe). Attackers may abuse this behavior to evade application control policies by leveraging the trusted Windows OpenSSH binaries. The technique involves using the \u003ccode\u003eProxyCommand\u003c/code\u003e or \u003ccode\u003eLocalCommand\u003c/code\u003e options with the OpenSSH client to execute arbitrary commands on the target system. The rule focuses on detecting command lines containing potentially malicious commands such as PowerShell, schtasks, mshta, msiexec, cmd, or script execution, indicating a possible attempt to bypass security measures. The detection logic is applicable to Windows systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the Windows OpenSSH client (ssh.exe or sftp.exe) with either the \u003ccode\u003eProxyCommand\u003c/code\u003e or \u003ccode\u003eLocalCommand\u003c/code\u003e option.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eProxyCommand\u003c/code\u003e or \u003ccode\u003eLocalCommand\u003c/code\u003e parameter specifies a command to be executed locally on the system.\u003c/li\u003e\n\u003cli\u003eThe command includes potentially malicious payloads such as PowerShell commands, scheduled tasks manipulation (schtasks), or execution of other LOLBINs (Living Off the Land Binaries) like mshta or msiexec.\u003c/li\u003e\n\u003cli\u003eThe OpenSSH client executes the specified command.\u003c/li\u003e\n\u003cli\u003eThe malicious command performs actions such as downloading and executing additional payloads, creating scheduled tasks for persistence, or executing arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objectives, such as gaining further access to the system, escalating privileges, or deploying malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a complete compromise of the affected system. Attackers can bypass application control mechanisms, execute arbitrary code, and establish persistence. This can result in data theft, system disruption, or further propagation of the attack within the network. The severity of the impact depends on the privileges of the account running the OpenSSH client and the specific actions performed by the malicious commands.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line details to capture the execution of ssh.exe and sftp.exe with malicious parameters.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eProxy Execution via Windows OpenSSH\u003c/code\u003e to your SIEM to detect suspicious OpenSSH client executions with malicious commands in the command line.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation of child processes from ssh.exe or sftp.exe, as this can indicate the execution of malicious commands specified in the \u003ccode\u003eProxyCommand\u003c/code\u003e or \u003ccode\u003eLocalCommand\u003c/code\u003e options.\u003c/li\u003e\n\u003cli\u003eReview and restrict the usage of \u003ccode\u003ePermitLocalCommand\u003c/code\u003e in OpenSSH server configurations to prevent attackers from executing commands locally on the system after a connection is established.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:22:00Z","date_published":"2024-01-03T14:22:00Z","id":"/briefs/2024-01-openssh-proxy-execution/","summary":"Detection of command execution via proxy using the Windows OpenSSH client (ssh.exe or sftp.exe) to bypass application control using trusted Windows binaries.","title":"Proxy Execution via Windows OpenSSH Client","url":"https://feed.craftedsignal.io/briefs/2024-01-openssh-proxy-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["persistence","user-account-creation","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers may create new accounts (both local and domain) to maintain access to victim systems. This rule identifies the usage of \u003ccode\u003enet.exe\u003c/code\u003e to create new accounts on Windows systems. The detection logic focuses on process execution events where \u003ccode\u003enet.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e are executed with arguments indicative of user creation, specifically the \u0026lsquo;user\u0026rsquo; argument in conjunction with either the \u0026lsquo;/ad\u0026rsquo; or \u0026lsquo;/add\u0026rsquo; flags. While account creation is a common administrative task, suspicious executions, especially those initiated by unusual parent processes or accounts, warrant further investigation. This rule is designed for data generated by Elastic Defend but also supports third-party data sources like CrowdStrike, Microsoft Defender XDR, and SentinelOne Cloud Funnel, enhancing its applicability across various security environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means, such as exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker opens a command prompt or PowerShell session.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003enet.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e to create a new user account. The command includes the \u003ccode\u003euser\u003c/code\u003e argument along with \u003ccode\u003e/add\u003c/code\u003e or \u003ccode\u003e/ad\u003c/code\u003e flags. For example: \u003ccode\u003enet user \u0026lt;username\u0026gt; \u0026lt;password\u0026gt; /add\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker may add the newly created user to privileged groups, such as \u003ccode\u003eAdministrators\u003c/code\u003e or \u003ccode\u003eDomain Admins\u003c/code\u003e, to elevate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the new account to move laterally within the network, accessing sensitive data or systems.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by configuring the new account to be a service account or adding it to local administrator groups.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, lateral movement within the network, and long-term persistence on compromised systems. The impact is often determined by the privileges assigned to the newly created account. If the attacker adds the account to the \u003ccode\u003eAdministrators\u003c/code\u003e group, they can effectively take full control of the affected system. In a domain environment, creating a domain account can lead to wider compromise across the entire network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to capture the necessary events for the rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003enet.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e creating user accounts, especially when initiated by unusual parent processes.\u003c/li\u003e\n\u003cli\u003eMonitor for newly created accounts being added to privileged groups.\u003c/li\u003e\n\u003cli\u003eReview the triage and analysis steps in the rule\u0026rsquo;s original documentation for guidance on investigating and responding to potential incidents.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-user-account-creation/","summary":"This rule identifies attempts to create new users on Windows systems using net.exe, a common tactic used by attackers to increase access or establish persistence.","title":"Windows User Account Creation via Net.exe","url":"https://feed.craftedsignal.io/briefs/2024-01-user-account-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","wsl","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","CrowdStrike"],"content_html":"\u003cp\u003eAttackers may enable the Windows Subsystem for Linux (WSL) to run Linux applications and tools directly on Windows, potentially bypassing security controls and hindering detection. This involves using the Dism.exe utility to enable the \u0026ldquo;Microsoft-Windows-Subsystem-Linux\u0026rdquo; feature. By leveraging WSL, adversaries can execute malicious code, access Windows resources, and perform various malicious activities while blending in with legitimate system processes. The use of WSL provides an environment where traditional Windows-based security solutions may have limited visibility, thus offering a way to evade detection. This activity has been observed as a post-exploitation technique, used after initial access to a compromised system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through methods such as phishing, exploiting vulnerabilities, or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes Dism.exe (Deployment Image Servicing and Management tool).\u003c/li\u003e\n\u003cli\u003eDism.exe is invoked with the command-line argument to enable the \u0026ldquo;Microsoft-Windows-Subsystem-Linux\u0026rdquo; feature.\u003c/li\u003e\n\u003cli\u003eThe system processes the Dism.exe command and enables WSL.\u003c/li\u003e\n\u003cli\u003eThe attacker installs a Linux distribution (e.g., Ubuntu, Kali) within the WSL environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the WSL environment to execute Linux-based tools and scripts for reconnaissance, lateral movement, or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the WSL environment to interact with Windows resources or execute Windows commands.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as stealing sensitive data or establishing persistence on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enablement of WSL can lead to a compromised Windows system being used as a platform for Linux-based attacks. This can result in data theft, system compromise, and further propagation of malicious activity within the network. The use of WSL can make it difficult to detect malicious activity since it allows attackers to blend Linux-based attacks with normal Windows operations. The lack of visibility into the WSL environment by traditional Windows security tools can lead to prolonged periods of undetected malicious activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003eDism.exe\u003c/code\u003e with command-line arguments that include \u003ccode\u003eMicrosoft-Windows-Subsystem-Linux\u003c/code\u003e to detect WSL enablement attempts (see Sigma rule \u003ccode\u003eDetect WSL Enablement via Dism\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture detailed command-line information for processes, which is crucial for detecting this activity (Sysmon Event ID 1).\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect suspicious usage of the DISM utility to enable WSL. Tune the rule based on your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u003ccode\u003eDetect WSL Enablement via Dism\u003c/code\u003e to determine the legitimacy of the activity.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from WSL processes for suspicious outbound traffic.\u003c/li\u003e\n\u003cli\u003eConsider blocking the execution of Dism.exe if WSL is not a sanctioned tool in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wsl-enabled-via-dism/","summary":"Adversaries may enable and use Windows Subsystem for Linux (WSL) using the Microsoft Dism utility to evade detection on Windows systems by running Linux applications and tools.","title":"Windows Subsystem for Linux Enabled via Dism Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-wsl-enabled-via-dism/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike FDR","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","lateral-movement","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe legacy Windows AT command allows scheduling tasks for execution. While deprecated since Windows 8 and Windows Server 2012, it remains present for backwards compatibility. Attackers may enable the AT command through registry modifications to achieve persistence or lateral movement within a network. This technique bypasses modern security controls and can be difficult to detect without specific monitoring. The detection rule monitors registry changes enabling this command, flagging potential misuse by checking specific registry paths and values indicative of enabling the AT command. The use of this command allows an attacker to execute commands with elevated privileges, potentially compromising the entire system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to enable the AT command by modifying the registry.\u003c/li\u003e\n\u003cli\u003eThe registry key \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt\u003c/code\u003e is modified to a value of \u0026ldquo;1\u0026rdquo; or \u0026ldquo;0x00000001\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AT command to schedule a malicious task.\u003c/li\u003e\n\u003cli\u003eThe scheduled task executes a command or script, such as downloading and executing malware.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system as a pivot point for lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eEnabling the AT command can lead to unauthorized task scheduling, malware execution, persistence, and lateral movement within a network. Successful exploitation can compromise sensitive data, disrupt operations, and grant attackers persistent access to critical systems. The use of a deprecated command makes it harder to detect, increasing the impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor registry events for modifications to \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt\u003c/code\u003e as described in the rule overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Scheduled Tasks AT Command Enabled\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation and registry event logging to activate the rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule \u0026ldquo;Scheduled Tasks AT Command Enabled\u0026rdquo; for suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-at-command-enabled/","summary":"Attackers may enable the deprecated Windows AT command via registry modification to achieve local persistence or lateral movement.","title":"Windows Scheduled Tasks AT Command Enabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-at-command-enabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","firewall"],"_cs_type":"advisory","_cs_vendors":["Microsoft","CrowdStrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eAttackers can leverage the \u003ccode\u003enetsh.exe\u003c/code\u003e utility to modify Windows Firewall settings, specifically enabling Network Discovery. This setting allows a host to broadcast its presence and services, making it easier for attackers to identify potential targets within the network for lateral movement. The behavior is often a post-exploitation technique to weaken host-based defenses after gaining initial access. The modification uses netsh.exe, a command-line scripting utility for managing network configurations. This activity can be easily scripted and automated, making it a common step in reconnaissance and lateral movement playbooks. Defenders should monitor for unauthorized use of \u003ccode\u003enetsh.exe\u003c/code\u003e to modify firewall settings.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a Windows host.\u003c/li\u003e\n\u003cli\u003eAttacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e with elevated privileges.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enetsh.exe\u003c/code\u003e is used to modify the Windows Firewall configuration.\u003c/li\u003e\n\u003cli\u003eThe specific command executed enables Network Discovery using the \u003ccode\u003enetsh advfirewall firewall set rule group=\u0026quot;Network Discovery\u0026quot; new enable=Yes\u003c/code\u003e syntax.\u003c/li\u003e\n\u003cli\u003eThe firewall rule group \u0026ldquo;Network Discovery\u0026rdquo; is modified to allow inbound and outbound traffic.\u003c/li\u003e\n\u003cli\u003eThe compromised host begins sending out broadcast messages, advertising its presence and services on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the information gathered to identify other vulnerable systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems based on the discovery information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to easily enumerate and identify other vulnerable systems within the network. This can lead to rapid lateral movement, further compromising the environment. The risk is heightened when the compromised host has access to sensitive data or critical systems. There is no specific victim count or sector targeted mentioned in the provided source.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Enable Host Network Discovery via Netsh\u0026rdquo; to your SIEM to detect the use of \u003ccode\u003enetsh.exe\u003c/code\u003e to enable network discovery (see rule below).\u003c/li\u003e\n\u003cli\u003eEnable Windows Firewall logging and monitor for changes to firewall rules, specifically those related to Network Discovery.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of \u003ccode\u003enetsh.exe\u003c/code\u003e to authorized personnel and systems only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-enable-network-discovery/","summary":"Attackers can enable host network discovery via netsh.exe to weaken host firewall settings, facilitating lateral movement by identifying other systems on the network.","title":"Windows Host Network Discovery Enabled via Netsh","url":"https://feed.craftedsignal.io/briefs/2024-01-enable-network-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","CrowdStrike","SentinelOne Cloud Funnel","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","powershell","firewall","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers often attempt to disable or modify system firewalls to evade network restrictions and facilitate lateral movement within a compromised environment. The Windows Firewall, a built-in component, provides host-based traffic filtering. Disabling it allows unrestricted communication, aiding command and control activities and hindering detection efforts. This activity is commonly achieved through PowerShell, leveraging cmdlets like \u003ccode\u003eSet-NetFirewallProfile\u003c/code\u003e. The rule focuses on detecting the use of this specific cmdlet to disable the Windows Firewall, alerting defenders to potential defense evasion attempts. This technique is valuable to attackers across various attack vectors, especially after initial access has been established.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access through methods such as phishing or exploiting a vulnerability in a network-facing application.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (if necessary): The attacker escalates privileges to gain the necessary permissions to modify firewall settings.\u003c/li\u003e\n\u003cli\u003ePowerShell Execution: The attacker executes PowerShell, either through an interactive session or a script.\u003c/li\u003e\n\u003cli\u003eDisable Firewall Profile: The attacker uses the \u003ccode\u003eSet-NetFirewallProfile\u003c/code\u003e cmdlet with parameters such as \u003ccode\u003e-Enabled False\u003c/code\u003e to disable the firewall for all, public, domain, or private profiles.\u003c/li\u003e\n\u003cli\u003eNetwork Reconnaissance: With the firewall disabled, the attacker performs network reconnaissance to identify valuable assets and potential lateral movement paths.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker moves laterally to other systems on the network, exploiting trust relationships or vulnerabilities.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The attacker establishes command and control channels to communicate with compromised systems and exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eData Exfiltration or Further Exploitation: The attacker exfiltrates sensitive data or continues to exploit the environment based on their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of the Windows Firewall can lead to unrestricted lateral movement within a network, allowing attackers to compromise additional systems and exfiltrate sensitive data. This can result in data breaches, financial losses, and reputational damage. While the source does not specify the number of affected organizations, any environment relying on Windows Firewall for network segmentation is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect the use of \u003ccode\u003eSet-NetFirewallProfile\u003c/code\u003e with the \u003ccode\u003e-Enabled False\u003c/code\u003e parameter (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging on Windows endpoints to capture PowerShell executions (reference the logsource in the Sigma rule).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the firewall modification activity.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege to limit the number of users with permissions to modify firewall settings.\u003c/li\u003e\n\u003cli\u003eConsider implementing additional network segmentation and monitoring controls to detect and prevent lateral movement even if the Windows Firewall is disabled.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-powershell-firewall-disable/","summary":"Attackers may disable the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet to enable lateral movement and command and control activity.","title":"Windows Firewall Disabled via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-firewall-disable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","CrowdStrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eAttackers may attempt to evade detection by modifying Windows Defender\u0026rsquo;s configuration to exclude specific files, folders, or processes from scanning. This is often achieved by using PowerShell commands to add exclusions. The tactic allows malware to operate without being detected by the built-in antivirus solution. Observed as early as 2018 with Trickbot disabling Windows Defender, this technique remains relevant today. This activity can be performed using \u003ccode\u003eAdd-MpPreference\u003c/code\u003e or \u003ccode\u003eSet-MpPreference\u003c/code\u003e commands in PowerShell, specifying exclusions by path or process name. Detecting these modifications is critical for maintaining the integrity of endpoint security. The scope of targeting ranges from individual workstations to entire networks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system via an undisclosed method.\u003c/li\u003e\n\u003cli\u003eThe attacker executes PowerShell with administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eAdd-MpPreference\u003c/code\u003e or \u003ccode\u003eSet-MpPreference\u003c/code\u003e cmdlet to add an exclusion.\u003c/li\u003e\n\u003cli\u003eThe exclusion specifies a file path, folder, or process that should be ignored by Windows Defender.\u003c/li\u003e\n\u003cli\u003eWindows Defender is reconfigured to ignore the specified item.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys or executes malware in the excluded location.\u003c/li\u003e\n\u003cli\u003eThe malware operates without interference from Windows Defender.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to operate undetected on compromised systems, leading to potential data breaches, lateral movement within the network, and deployment of ransomware. While the exact number of victims is unknown, this technique is widely used by various threat actors, impacting organizations across various sectors. The lack of detection can lead to prolonged periods of compromise, increasing the potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Windows Defender Exclusions Added via PowerShell\u0026rdquo; to your SIEM to detect suspicious PowerShell commands used to add exclusions.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with command line auditing to capture the necessary event data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eRegularly review Windows Defender exclusion lists to identify any unauthorized or suspicious entries.\u003c/li\u003e\n\u003cli\u003eInvestigate any PowerShell process that uses \u003ccode\u003eAdd-MpPreference\u003c/code\u003e or \u003ccode\u003eSet-MpPreference\u003c/code\u003e with exclusion parameters, as identified by the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor for processes and file modifications within excluded directories.\u003c/li\u003e\n\u003cli\u003eConfigure alerts to notify security teams when new Windows Defender exclusions are added.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-defender-exclusion-powershell/","summary":"Adversaries may attempt to bypass Windows Defender's capabilities by using PowerShell to add exclusions for folders or processes, and this activity can be detected by monitoring PowerShell command lines that use `Add-MpPreference` or `Set-MpPreference` with exclusion parameters.","title":"Windows Defender Exclusions Added via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-defender-exclusion-powershell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR"],"_cs_severities":["low"],"_cs_tags":["persistence","registry_modification","werfault"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers can abuse the Windows Error Reporting (Werfault) service to establish persistence on a compromised system. This is achieved by modifying the ReflectDebugger registry key. When Werfault is executed with the \u003ccode\u003e-pr\u003c/code\u003e parameter, it will execute the debugger specified in the ReflectDebugger registry key. This allows attackers to execute arbitrary code every time the Windows Error Reporting utility is triggered. The technique involves modifying specific registry paths associated with the ReflectDebugger. This behavior has been documented as a persistence mechanism in malware analysis reports.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to modify the Windows Error Reporting ReflectDebugger registry key.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the ReflectDebugger value within one of the following registry paths: \u003ccode\u003eHKLM\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger\u003c/code\u003e, \u003ccode\u003e\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger\u003c/code\u003e, or \u003ccode\u003eMACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the ReflectDebugger value to a malicious executable or script.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers Werfault.exe with the \u003ccode\u003e-pr\u003c/code\u003e parameter, either manually or through a system event.\u003c/li\u003e\n\u003cli\u003eWerfault.exe executes the attacker-controlled code specified in the ReflectDebugger registry value.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence, as the malicious code is executed each time Werfault is triggered with the \u003ccode\u003e-pr\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to achieve persistence on the targeted system. This can lead to the execution of arbitrary code, potentially resulting in data theft, further malware installation, or complete system compromise. The impact is limited by the permissions of the Werfault process. While no specific victim counts are available, this technique can affect any Windows system where the attacker can modify the registry.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eWerfault ReflectDebugger Registry Modification\u003c/code\u003e to detect unauthorized modifications to the ReflectDebugger registry key (logsource: \u003ccode\u003eregistry_set\u003c/code\u003e, rule title).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to detect the execution of Werfault with the \u003ccode\u003e-pr\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eMonitor registry events for changes to the specific ReflectDebugger paths mentioned in the overview section (\u003ccode\u003eHKLM\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-werfault-reflectdebugger-persistence/","summary":"Attackers may establish persistence by modifying the ReflectDebugger registry key associated with Windows Error Reporting to execute arbitrary code when Werfault is invoked with the '-pr' parameter.","title":"Werfault ReflectDebugger Persistence via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-werfault-reflectdebugger-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","Elastic Endgame","Windows Security Event Logs","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["execution","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Crowdstrike"],"content_html":"\u003cp\u003eThe rule detects suspicious usage of \u003ccode\u003emofcomp.exe\u003c/code\u003e, a command-line tool used to compile Managed Object Format (MOF) files. Attackers can abuse MOF files to manipulate the Windows Management Instrumentation (WMI) repository by building malicious WMI scripts for persistence or execution. This can be achieved by creating their own namespaces and classes within WMI or establishing persistence through WMI Event Subscriptions. The rule identifies unusual mofcomp.exe activity by filtering out legitimate processes and focusing on unusual executions, excluding known safe parent processes like \u003ccode\u003eScenarioEngine.exe\u003c/code\u003e and system accounts (\u003ccode\u003eS-1-5-18\u003c/code\u003e). This detection is designed to work with data from Elastic Defend, Microsoft Defender XDR, Crowdstrike, and Windows Security Event Logs. The rule aims to detect potential misuse of WMI for malicious purposes, enhancing the visibility of attacker techniques for execution and persistence.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., through phishing or exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious MOF file to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003emofcomp.exe\u003c/code\u003e to compile the malicious MOF file.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emofcomp.exe\u003c/code\u003e processes the MOF file, creating new namespaces and classes or modifying existing ones in the WMI repository.\u003c/li\u003e\n\u003cli\u003eIf the MOF file creates a WMI Event Subscription, it triggers the execution of a malicious script or binary when a specific event occurs.\u003c/li\u003e\n\u003cli\u003eThe malicious script or binary executes, performing actions such as installing malware, creating backdoors, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence through the WMI Event Subscription, ensuring continued access even after system reboots.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via malicious MOF files can lead to persistent access, code execution, and system compromise. Attackers can use this technique to install malware, create backdoors, or steal sensitive data. The rule aims to detect early stages of such attacks, preventing significant damage. By establishing persistence, attackers can maintain long-term control over the compromised system, evading traditional detection methods.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious \u003ccode\u003emofcomp.exe\u003c/code\u003e activity and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging and command-line auditing on Windows systems to capture necessary events for the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on unusual MOF file paths, parent processes, and user accounts.\u003c/li\u003e\n\u003cli\u003eReview and monitor WMI namespaces and classes for unauthorized modifications or additions following any detected suspicious \u003ccode\u003emofcomp.exe\u003c/code\u003e activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-mofcomp-activity/","summary":"This rule detects suspicious mofcomp.exe activity, which attackers may leverage MOF files to manipulate the Windows Management Instrumentation (WMI) repository for execution and persistence by filtering out legitimate processes and focusing on unusual executions, excluding known safe parent processes and system accounts.","title":"Suspicious Mofcomp Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-mofcomp-activity/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","CrowdStrike FDR","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["persistence","defense-evasion","registry-modification","ssp"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers can abuse the Windows Security Support Provider (SSP) mechanism to establish persistence on a compromised system. SSPs are DLLs loaded into the Local Security Authority Subsystem Service (LSASS) process, which handles authentication in Windows. By modifying specific registry keys related to SSP configuration, attackers can force LSASS to load malicious DLLs at startup, effectively creating a persistent backdoor. This technique is often used to maintain unauthorized access to a system even after a reboot. The registry keys of interest are \u003ccode\u003eHKLM\\SYSTEM\\*\\ControlSet*\\Control\\Lsa\\Security Packages\u003c/code\u003e and \u003ccode\u003eHKLM\\SYSTEM\\*\\ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages\u003c/code\u003e. Successful exploitation allows the attacker to intercept and manipulate authentication credentials.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through an exploit or compromised credentials (not detailed in source).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain administrative rights on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry key \u003ccode\u003eHKLM\\SYSTEM\\*\\ControlSet*\\Control\\Lsa\\Security Packages\u003c/code\u003e to include a path to a malicious DLL.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker modifies the registry key \u003ccode\u003eHKLM\\SYSTEM\\*\\ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages\u003c/code\u003e to include a path to a malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a system reboot, or restarts the LSASS process, causing the malicious SSP DLL to be loaded.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL intercepts authentication credentials and exfiltrates them or performs other malicious actions.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the system, even after reboots.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to achieve persistence and potentially compromise sensitive credentials handled by LSASS. This can lead to lateral movement within the network, data exfiltration, and further system compromise. The impact is significant as it bypasses standard security measures and provides a persistent foothold for malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious SSP Registry Modification\u0026rdquo; to your SIEM to detect unauthorized modifications to SSP registry keys.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to provide the necessary data for the Sigma rule to function.\u003c/li\u003e\n\u003cli\u003eContinuously monitor for unexpected processes writing to the \u003ccode\u003eHKLM\\SYSTEM\\*\\ControlSet*\\Control\\Lsa\\Security Packages\u003c/code\u003e and \u003ccode\u003eHKLM\\SYSTEM\\*\\ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages\u003c/code\u003e registry keys.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate software installers that frequently modify these registry entries to reduce false positives as mentioned in the brief.\u003c/li\u003e\n\u003cli\u003eEnsure access controls and permissions are strictly enforced to limit unauthorized modification of critical registry paths related to Security Support Providers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-ssp-registry-modification/","summary":"Adversaries may modify the Windows Security Support Provider (SSP) configuration in the registry to establish persistence or evade defenses.","title":"Suspicious Modifications to Windows Security Support Provider (SSP) Registry","url":"https://feed.craftedsignal.io/briefs/2024-01-ssp-registry-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Antimalware Service Executable","Windows Defender","Microsoft Security Client","Elastic Defend","CrowdStrike Falcon","Microsoft Defender XDR","Sysmon"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","Elastic"],"content_html":"\u003cp\u003eThis detection identifies suspicious execution of the Microsoft Antimalware Service Executable (MsMpEng.exe) from non-standard paths or renamed instances. Attackers may attempt to evade defenses through DLL side-loading or by masquerading as the antimalware process. This technique is used to blend in with legitimate system activity and avoid detection by security tools. This rule is designed to detect instances where MsMpEng.exe is executed from unexpected locations or has been renamed, potentially indicating malicious activity. The rule leverages process monitoring data to identify deviations from the expected execution patterns of the antimalware service. This behavior has been seen associated with ransomware attacks, such as REvil.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious payload onto the system, placing it in a non-standard directory, such as a temporary folder or a user\u0026rsquo;s profile directory.\u003c/li\u003e\n\u003cli\u003eThe attacker renames or copies the legitimate MsMpEng.exe to the malicious payload\u0026rsquo;s location.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the renamed or copied MsMpEng.exe from the non-standard location. This is intended to mimic legitimate activity and evade detection.\u003c/li\u003e\n\u003cli\u003eThe malicious MsMpEng.exe then loads a malicious DLL through DLL side-loading, which executes arbitrary code within the context of the antimalware process.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs actions such as disabling security controls, escalating privileges, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised system to move laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete system compromise, including the disabling of security controls, data theft, and ransomware deployment. This can result in significant financial losses, reputational damage, and disruption of business operations. Identifying and responding to this type of attack is critical to prevent further damage. The Sophos article references the REvil ransomware attack which impacted hundreds of businesses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture process execution events, including image path and command-line arguments, which are essential for detecting this behavior.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious MsMpEng.exe execution from unusual paths or renamed instances.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules to determine the legitimacy of the MsMpEng.exe execution and identify any potential malicious activity.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for instances where the process name is \u0026ldquo;MsMpEng.exe\u0026rdquo; but the executable path is outside the standard Windows Defender or Microsoft Security Client directories.\u003c/li\u003e\n\u003cli\u003eReview the references provided for additional context and guidance on investigating this type of activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-windefend-unusual-path/","summary":"Detects suspicious execution of the Microsoft Antimalware Service Executable (MsMpEng.exe) from non-standard paths or renamed instances, which may indicate an attempt to evade defenses through DLL side-loading or masquerading.","title":"Suspicious Microsoft Antimalware Service Executable Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-windefend-unusual-path/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["solarwinds","defense-evasion","registry-modification","supply-chain"],"_cs_type":"advisory","_cs_vendors":["SolarWinds","Microsoft","SentinelOne","Crowdstrike","Elastic"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of SolarWinds processes attempting to disable services by modifying their registry start type. This activity is associated with defense evasion tactics, potentially linked to initial access via supply chain compromise, similar to the SUNBURST campaign. The behavior involves SolarWinds binaries, such as \u003ccode\u003eSolarWinds.BusinessLayerHost*.exe\u003c/code\u003e and \u003ccode\u003eNetFlowService*.exe\u003c/code\u003e, manipulating registry entries related to service start configurations. This technique can be used to impair or disable security tools and services, allowing attackers to operate more freely within a compromised environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of the SolarWinds Orion platform, potentially through a supply chain attack.\u003c/li\u003e\n\u003cli\u003eDeployment of a malicious module or payload within the SolarWinds environment.\u003c/li\u003e\n\u003cli\u003eExecution of a SolarWinds process, such as \u003ccode\u003eSolarWinds.BusinessLayerHost*.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe SolarWinds process modifies the registry to change the start type of a service.\u003c/li\u003e\n\u003cli\u003eThe registry modification targets the \u003ccode\u003eHKLM\\SYSTEM\\ControlSet*\\Services\\*\\Start\u003c/code\u003e path.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eStart\u003c/code\u003e value is set to \u0026ldquo;4\u0026rdquo; or \u0026ldquo;0x00000004\u0026rdquo;, which disables the targeted service.\u003c/li\u003e\n\u003cli\u003eDisabling critical security services allows the attacker to evade detection and further compromise the system.\u003c/li\u003e\n\u003cli\u003eAttacker achieves persistence and performs lateral movement, exfiltrating data or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the disabling of critical security services, such as antivirus, endpoint detection and response (EDR) agents, or other monitoring tools. This can significantly reduce the visibility of malicious activity within the network, potentially leading to data breaches, ransomware deployment, or other severe security incidents. The SolarWinds supply chain compromise affected numerous organizations globally, underscoring the potential impact of this type of attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSolarWinds Process Disabling Services via Registry\u003c/code\u003e to your SIEM to detect registry modifications by SolarWinds processes aimed at disabling services.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to provide the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eReview and harden access controls for SolarWinds processes to restrict their ability to modify critical system settings.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the affected service and the timeline of events surrounding the registry modification.\u003c/li\u003e\n\u003cli\u003eUtilize threat intelligence platforms to stay informed about known SolarWinds-related attack patterns and indicators of compromise (IOCs).\u003c/li\u003e\n\u003cli\u003eMonitor endpoints for unusual behavior by SolarWinds processes, including network connections, file modifications, and process creations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-solarwinds-service-disable/","summary":"A SolarWinds binary is modifying the start type of a service to be disabled via registry modification, potentially to disable or impair security services.","title":"SolarWinds Process Disabling Services via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-solarwinds-service-disable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Work Folders","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","masquerading","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eWindows Work Folders is a Microsoft file server role that allows users to sync work files between their PCs and a central server. The WorkFolders.exe process, when called, will automatically execute any Portable Executable (PE) named control.exe as an argument before accessing the synced share. Attackers can abuse this functionality by placing a malicious executable renamed to control.exe in a location synced by Work Folders, and then triggering WorkFolders.exe. This can lead to the execution of arbitrary code in a manner that bypasses application control policies, as WorkFolders.exe is a signed Microsoft binary. This technique has been observed in the wild and documented by security researchers. This allows attackers to execute code from locations outside the standard Windows directories, evading traditional detection mechanisms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system through an unspecified means (e.g., phishing, exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker places a malicious executable and renames it to \u003ccode\u003econtrol.exe\u003c/code\u003e in a directory accessible to Work Folders.\u003c/li\u003e\n\u003cli\u003eThe attacker configures Windows Work Folders to synchronize the directory containing the malicious \u003ccode\u003econtrol.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim system synchronizes with the Work Folders server, copying the malicious \u003ccode\u003econtrol.exe\u003c/code\u003e to the local machine.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the \u003ccode\u003eWorkFolders.exe\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eWorkFolders.exe\u003c/code\u003e executes the \u003ccode\u003econtrol.exe\u003c/code\u003e binary from the synced folder.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003econtrol.exe\u003c/code\u003e executes, performing attacker-defined actions such as establishing persistence, escalating privileges, or deploying additional malware.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution in a potentially elevated context, leveraging a signed Microsoft binary (\u003ccode\u003eWorkFolders.exe\u003c/code\u003e) to bypass security controls.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on a victim\u0026rsquo;s machine, potentially bypassing application control and other security measures. This can lead to a range of malicious activities, including data theft, system compromise, and lateral movement within the network. Given the legitimate use of Work Folders, identifying malicious executions can be challenging, potentially allowing attackers to maintain a persistent foothold. The lack of specific victim counts or industry targeting details in the source material limits a complete assessment of impact scope.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creations where \u003ccode\u003eWorkFolders.exe\u003c/code\u003e is the parent process and \u003ccode\u003econtrol.exe\u003c/code\u003e is the child process, but \u003ccode\u003econtrol.exe\u003c/code\u003e is not located in a standard Windows system directory (Sigma rule: \u0026ldquo;Detect Suspicious WorkFolders Control Execution\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where \u003ccode\u003econtrol.exe\u003c/code\u003e is executed from unusual or user-writable locations, especially if \u003ccode\u003eWorkFolders.exe\u003c/code\u003e is involved (see Attack Chain step 6).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) on Windows systems to capture the necessary data for the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eReview the Microsoft documentation on Windows Information Protection (WIP) and consider implementing it to encrypt data on PCs using Work Folders.\u003c/li\u003e\n\u003cli\u003eImplement application control policies that restrict the execution of \u003ccode\u003econtrol.exe\u003c/code\u003e to authorized locations (e.g., \u003ccode\u003eC:\\Windows\\System32\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-workfolders-control-execution/","summary":"Attackers can abuse Windows Work Folders to execute a masqueraded control.exe file from untrusted locations, potentially bypassing application controls for defense evasion and privilege escalation.","title":"Signed Proxy Execution via MS Work Folders","url":"https://feed.craftedsignal.io/briefs/2024-01-03-workfolders-control-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","masquerading","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies the execution of a process with a single-character process name that differs from the original file name. Adversaries often employ this technique during staging, to execute temporary utilities, or to bypass security detections relying on process names. This behavior is typically observed in Windows environments where attackers attempt to masquerade their activities by renaming legitimate utilities to short, less conspicuous names, making it harder to identify malicious processes based on their name alone. The detection leverages process creation events from Elastic Defend, Microsoft Defender XDR, Crowdstrike, and Sysmon to identify such anomalies. The rule was initially created on 2020-11-15 and last updated on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means (e.g., phishing, exploitation of vulnerabilities).\u003c/li\u003e\n\u003cli\u003eThe attacker renames a legitimate utility (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e) to a single-character name such as \u003ccode\u003ea.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe renamed utility \u003ccode\u003ea.exe\u003c/code\u003e is executed, potentially without parameters initially, to test execution.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the renamed utility \u003ccode\u003ea.exe\u003c/code\u003e to execute commands, download additional payloads, or perform reconnaissance.\u003c/li\u003e\n\u003cli\u003eThe commands executed by \u003ccode\u003ea.exe\u003c/code\u003e might involve further obfuscation techniques to evade detection, such as base64 encoding or encryption.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the renamed utility to establish persistence by creating scheduled tasks or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network, using the compromised host as a staging point.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using this technique can lead to significant compromise of the target system. By renaming legitimate utilities, attackers can bypass standard security measures that rely on process names for detection. This can result in delayed detection, allowing the attacker to perform further malicious activities such as data theft, installation of malware, or lateral movement within the network. While specific numbers are unavailable, this technique has been observed across various organizations, making it a relevant threat for defenders.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging via Sysmon or Elastic Defend to provide the necessary data for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Renamed Utility Execution\u0026rdquo; to your SIEM and tune it based on your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the parent process and command-line arguments.\u003c/li\u003e\n\u003cli\u003eReview the osquery queries in the brief for additional context gathering during incident response.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-renamed-utility-short-name/","summary":"This rule detects the execution of renamed utilities with a single-character process name, differing from the original filename, a common technique used by adversaries for staging, executing temporary utilities, or bypassing security detections.","title":"Renamed Utility Executed with Short Program Name","url":"https://feed.craftedsignal.io/briefs/2024-01-renamed-utility-short-name/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","file-download","windows","desktopimgdownldr"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe \u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e utility, a legitimate Windows tool for configuring lock screen and desktop images, can be misused by adversaries to download arbitrary files from remote locations. This is achieved by leveraging the \u003ccode\u003e/lockscreenurl\u003c/code\u003e argument followed by an HTTP or HTTPS URL. This technique allows attackers to bypass traditional download restrictions and can be used to retrieve malicious payloads, tools, or scripts directly onto a compromised system. This method is particularly effective because \u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e is a signed Microsoft binary, potentially evading initial detection based on process name or file reputation. The detection rule was initially created in September 2020 and updated in May 2026. This technique is valuable for attackers seeking to transfer files without using common tools like \u003ccode\u003ecertutil\u003c/code\u003e, \u003ccode\u003epowershell\u003c/code\u003e, or \u003ccode\u003ebitsadmin\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system through an existing vulnerability, credential compromise, or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e with the \u003ccode\u003e/lockscreenurl\u003c/code\u003e argument, specifying a URL from which to download a malicious file.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e initiates an HTTP or HTTPS request to the specified URL.\u003c/li\u003e\n\u003cli\u003eThe remote server responds with the file content, which \u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e saves to disk.\u003c/li\u003e\n\u003cli\u003eThe attacker then executes the downloaded file (e.g., a malicious script or executable).\u003c/li\u003e\n\u003cli\u003eThe malicious code performs actions such as establishing persistence, escalating privileges, or deploying further malware.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to move laterally within the network, accessing sensitive data and systems.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to download and execute arbitrary files on a Windows system, leading to potential compromise of the host and the network. This can result in data theft, system damage, or ransomware infection. Due to the legitimate nature of the \u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e utility, this technique can bypass security controls and detection mechanisms, increasing the likelihood of successful exploitation. While the exact number of victims is unknown, any Windows system where an attacker can execute commands is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Remote File Download via Desktopimgdownldr Utility\u0026rdquo; to your SIEM to detect the execution of \u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e with the \u003ccode\u003e/lockscreenurl\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e to identify suspicious command-line arguments.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to ensure sufficient data is available for the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e downloading files from external URLs to determine if they are malicious.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or unknown executables in sensitive environments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-desktopimgdownldr-remote-file-copy/","summary":"The desktopimgdownldr utility can be abused to download remote files, potentially bypassing standard download restrictions and acting as an alternative to certutil for malware or tool deployment.","title":"Remote File Download via Desktopimgdownldr Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-desktopimgdownldr-remote-file-copy/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","data-staging","windows","hidden-share"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection rule identifies attempts to copy files to hidden network shares in Windows environments, which can be indicative of lateral movement or data staging by malicious actors. Attackers may leverage hidden shares, typically used for legitimate administrative purposes, to move laterally within a network or to stage data for exfiltration without being easily detected. The rule focuses on detecting the use of command-line tools such as cmd.exe and powershell.exe with arguments that specify the copying of files to network paths that match a hidden share pattern (e.g., \u003ccode\u003e\\\\\\\\*\\\\\\\\*$\u003c/code\u003e). This activity helps identify suspicious file transfer operations that deviate from normal administrative or user behavior. The rule was last updated on 2026/05/04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised host within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses cmd.exe or powershell.exe to execute a file copy command.\u003c/li\u003e\n\u003cli\u003eThe command line includes arguments to copy files to a hidden network share (e.g., \u003ccode\u003e\\\\\\\\\u0026lt;server\u0026gt;\\\\\u0026lt;hidden_share\u0026gt;$\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecopy\u003c/code\u003e, \u003ccode\u003emove\u003c/code\u003e, \u003ccode\u003ecp\u003c/code\u003e, or \u003ccode\u003emv\u003c/code\u003e commands are used to transfer the file.\u003c/li\u003e\n\u003cli\u003eThe target hidden share is accessed using the compromised account\u0026rsquo;s credentials.\u003c/li\u003e\n\u003cli\u003eThe file is successfully copied to the hidden share.\u003c/li\u003e\n\u003cli\u003eThe attacker may then access the copied file from another compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds to exfiltrate the staged data or uses the copied files for lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data, lateral movement to other systems within the network, and potential data exfiltration. While the number of victims and specific sectors targeted are not specified, a successful compromise can significantly impact an organization\u0026rsquo;s data security and overall network integrity. The impact includes potential data loss, reputational damage, and disruption of normal business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Remote File Copy to Hidden Share\u0026rdquo; Sigma rule to your SIEM and tune for your environment to detect suspicious file copy activities.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to capture the command-line arguments used in file copy operations, activating the rule above.\u003c/li\u003e\n\u003cli\u003eReview and restrict permissions on network shares, especially hidden shares, to ensure only authorized users have access, as described in the investigation guide.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the process details (cmd.exe, powershell.exe) and the network share path, as outlined in the investigation guide.\u003c/li\u003e\n\u003cli\u003eCorrelate events with other logs or alerts from the same host or user to identify any additional suspicious activities, enhancing the detection capabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-remote-file-copy-hidden-share/","summary":"This rule detects remote file copy attempts to hidden network shares, which may indicate lateral movement or data staging activity, by identifying suspicious file copy operations using command-line tools like cmd.exe and powershell.exe focused on hidden share patterns.","title":"Remote File Copy to a Hidden Share","url":"https://feed.craftedsignal.io/briefs/2024-01-03-remote-file-copy-hidden-share/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Windows","Microsoft Defender XDR","Commvault","Nvidia Display Driver","Elastic Defend","SentinelOne Cloud Funnel","CrowdStrike FDR"],"_cs_severities":["medium"],"_cs_tags":["persistence","defense-evasion","appinit-dlls","registry","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Commvault","Nvidia","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe AppInit DLLs mechanism allows dynamic-link libraries (DLLs) to be loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. This mechanism is intended for customization of the user interface and behavior of Windows-based applications. However, attackers can abuse this by adding malicious DLLs to the registry locations associated with AppInit DLLs. This enables them to execute code with elevated privileges, similar to process injection, and maintain a persistent presence on the compromised machine. This technique is often used to maintain access after initial compromise. Detection focuses on registry modifications to the relevant keys, excluding known legitimate processes to minimize false positives. The referenced Elastic rule was last updated on 2026/05/04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through a vulnerability, phishing, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the AppInit DLLs registry keys: \u003ccode\u003eHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\u003c/code\u003e or \u003ccode\u003eHKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eAppInit_DLLs\u003c/code\u003e registry value to include the path to their malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s DLL is placed on the filesystem, typically in a location where it will persist across reboots.\u003c/li\u003e\n\u003cli\u003eAny new process that loads user32.dll will automatically load the attacker\u0026rsquo;s malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes arbitrary code within the context of the newly created process.\u003c/li\u003e\n\u003cli\u003eThe attacker can use this code execution to perform further actions, such as installing backdoors or escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the system through the malicious DLL loaded into every user interface process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code within the context of any process that loads \u003ccode\u003euser32.dll\u003c/code\u003e. This provides a persistent mechanism for maintaining access to the compromised system. The attacker gains code execution with elevated privileges, similar to process injection. This can lead to data theft, system compromise, or further lateral movement within the network. While no specific victim counts are mentioned, the widespread use of Windows makes this a potentially high-impact vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor registry modifications to the \u003ccode\u003eAppInit_DLLs\u003c/code\u003e value in \u003ccode\u003eHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\u003c/code\u003e and \u003ccode\u003eHKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\u003c/code\u003e using the \u0026ldquo;Registry Persistence via AppInit DLL Modification\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to provide the data required for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Registry Persistence via AppInit DLL Modification\u0026rdquo; Sigma rule to your SIEM and tune the filter to exclude known-good DLL paths in your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the parent process and the DLL being loaded.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-appinit-dll-persistence/","summary":"Modification of the AppInit DLLs registry keys on Windows systems allows attackers to execute code in every process that loads user32.dll, establishing persistence and potentially escalating privileges.","title":"Registry Persistence via AppInit DLL Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-appinit-dll-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["persistence","privilege-escalation","appcert-dll"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe rule detects attempts to maintain persistence by creating or modifying registry keys associated with AppCert DLLs on Windows systems. AppCert DLLs are loaded by every process that uses common API functions to create processes, making them a viable target for persistence. Adversaries can exploit this by inserting malicious DLL paths into the registry, ensuring their code executes persistently across system reboots. This technique is often used for privilege escalation and persistence. The rule specifically looks for changes in the registry path \u003ccode\u003eHKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*\u003c/code\u003e, as well as the equivalent \u003ccode\u003e\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\...\u003c/code\u003e path. This activity matters because it can lead to stealthy and persistent malware infections. The rule is designed for use with data from Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, Crowdstrike, and Sysmon. The detection logic was last updated on 2026/05/04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker obtains necessary privileges to modify the Windows Registry, potentially requiring administrator rights.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a registry key under \u003ccode\u003eHKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*\u003c/code\u003e to point to a malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL is placed on the file system, often in a location that appears legitimate or is easily accessible.\u003c/li\u003e\n\u003cli\u003eAny process that uses the standard Windows API to create new processes will load the specified DLL.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes its payload, which could include establishing persistence, injecting into other processes, or performing other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by ensuring the malicious DLL is loaded every time a new process is created.\u003c/li\u003e\n\u003cli\u003eThe final objective is to maintain long-term access to the compromised system, potentially escalating privileges and moving laterally within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to achieve persistent code execution on the system. This can lead to complete system compromise, data theft, or further propagation of malware within the network. The use of AppCert DLLs allows the malicious code to run in the context of nearly every process, making detection and removal more challenging. Without proper detection and response mechanisms, an attacker can maintain control of the system indefinitely.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon registry event logging and configure it to monitor the relevant AppCertDLLs registry paths to capture the necessary events for the rules (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect AppCert DLL Registry Modification\u003c/code\u003e to your SIEM to detect unauthorized modifications to the AppCertDLLs registry keys (Rule: Detect AppCert DLL Registry Modification).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule \u003ccode\u003eDetect AppCert DLL Registry Modification\u003c/code\u003e to determine the legitimacy of the registry modifications, using the provided triage steps as a guide.\u003c/li\u003e\n\u003cli\u003eRegularly scan systems for malicious DLLs located in the file system using updated antivirus and anti-malware tools, focusing on DLLs referenced in the AppCertDLLs registry keys.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-appcert-dll-persistence/","summary":"Detection of registry modifications related to AppCert DLLs, a persistence mechanism where malicious DLLs are loaded by every process using common API functions.","title":"Registry Persistence via AppCert DLL Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-appcert-dll-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","defense-evasion","rdp","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers may enable Remote Desktop Protocol (RDP) to facilitate lateral movement within a compromised network. By modifying the \u003ccode\u003efDenyTSConnections\u003c/code\u003e registry key to a value of \u003ccode\u003e0\u003c/code\u003e, attackers can enable remote desktop connections, allowing them to access systems remotely. This technique can be employed using remote registry manipulation or tools like PsExec. The modification of the registry key is a common tactic used by ransomware operators and other threat actors to gain unauthorized access to victim servers. This activity can be performed to enable remote access for initial access or to regain access after persistence mechanisms have failed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system via an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool like PsExec or leverages remote registry modification capabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003efDenyTSConnections\u003c/code\u003e registry key, setting its value to \u003ccode\u003e0\u003c/code\u003e. This key is typically located in \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe system\u0026rsquo;s RDP service is enabled or re-enabled as a result of the registry change.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to connect to the now-enabled RDP service using valid or brute-forced credentials.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication, the attacker gains interactive access to the system via RDP.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance, elevates privileges, and moves laterally to other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys ransomware, exfiltrates data, or achieves other objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the \u003ccode\u003efDenyTSConnections\u003c/code\u003e registry key allows unauthorized remote access to systems, potentially leading to lateral movement, data theft, or ransomware deployment. Organizations could suffer significant financial losses, reputational damage, and operational disruption. The scope of the impact depends on the attacker\u0026rsquo;s objectives and the level of access they gain within the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;RDP Enabled via Registry\u0026rdquo; to detect modifications to the \u003ccode\u003efDenyTSConnections\u003c/code\u003e registry key (rules).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for suspicious use of \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify registry keys related to RDP (rules).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and firewall rules to restrict RDP traffic to authorized hosts (overview).\u003c/li\u003e\n\u003cli\u003eReview the privileges assigned to users and ensure the principle of least privilege is enforced (overview).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture registry modifications (setup).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts related to registry modifications on critical systems (overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-rdp-registry-enabled/","summary":"An adversary may enable Remote Desktop Protocol (RDP) access by modifying the `fDenyTSConnections` registry key, potentially indicating lateral movement preparation or defense evasion.","title":"RDP Enabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-rdp-registry-enabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["credential-access","webdav","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike"],"content_html":"\u003cp\u003eAttackers can exploit WebDAV by injecting WebDAV paths into files or features opened by a victim user, leading to NTLM credential leakage through forced authentication. This technique relies on the victim\u0026rsquo;s system attempting to authenticate against a malicious WebDAV server when accessing a file or link containing a WebDAV path. This threat is particularly relevant for defenders because it can lead to unauthorized access to sensitive information and potential lateral movement within the network. The attack leverages \u003ccode\u003erundll32.exe\u003c/code\u003e to initiate the WebDAV connection, making it difficult to distinguish from legitimate system processes. The Elastic detection rule identifies rare WebDAV connection attempts to uncover potential credential access attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious document or link containing a WebDAV path.\u003c/li\u003e\n\u003cli\u003eThe victim user opens the malicious document or clicks the link.\u003c/li\u003e\n\u003cli\u003eThe operating system attempts to resolve the WebDAV path using \u003ccode\u003erundll32.exe\u003c/code\u003e and the \u003ccode\u003eDavSetCookie\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe system initiates an authentication attempt with the malicious WebDAV server.\u003c/li\u003e\n\u003cli\u003eThe attacker captures the NTLM credentials during the authentication handshake.\u003c/li\u003e\n\u003cli\u003eThe attacker relays the captured NTLM credentials to access internal resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to credential compromise and potential lateral movement within the victim\u0026rsquo;s network. An attacker could gain unauthorized access to sensitive data and systems, potentially leading to data exfiltration, system compromise, or further attacks. This can impact organizations of any size and industry that rely on NTLM authentication. The severity depends on the user\u0026rsquo;s permissions and the resources they can access with their compromised credentials.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune for your environment to detect suspicious WebDAV connections initiated via \u003ccode\u003erundll32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on rare or unusual WebDAV destinations.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003erundll32.exe\u003c/code\u003e with command-line arguments containing \u0026ldquo;DavSetCookie\u0026rdquo;, focusing on connections to external domains.\u003c/li\u003e\n\u003cli\u003eConduct regular security awareness training to educate users about the risks of opening unsolicited documents or clicking suspicious links.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-rare-webdav/","summary":"This rule identifies rare connection attempts to a Web Distributed Authoring and Versioning (WebDAV) resource, where attackers may inject WebDAV paths in files opened by a victim to leak NTLM credentials via forced authentication using rundll32.exe.","title":"Rare Connection to WebDAV Target via Rundll32","url":"https://feed.craftedsignal.io/briefs/2024-01-rare-webdav/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Sysmon","Elastic Defend","Elastic Endpoint Security","CrowdStrike Falcon","SentinelOne Cloud Funnel","Windows Security Event Logs","winlogbeat"],"_cs_severities":["medium"],"_cs_tags":["persistence","execution","windows","wmi"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eWindows Management Instrumentation (WMI) provides a powerful framework for managing Windows systems, but adversaries can abuse its capabilities to establish persistence. By creating WMI event subscriptions, attackers can execute arbitrary code in response to defined system events. This technique involves creating event filters, providers, consumers, and bindings that automatically run malicious code. This can be achieved through tools like \u003ccode\u003ewmic.exe\u003c/code\u003e, which allows the creation of event consumers such as \u003ccode\u003eActiveScriptEventConsumer\u003c/code\u003e or \u003ccode\u003eCommandLineEventConsumer\u003c/code\u003e. Successful exploitation of WMI for persistence allows attackers to maintain unauthorized access to a compromised system, even after reboots or other system changes. This activity has been observed across various environments, highlighting the need for robust detection mechanisms to identify and prevent WMI-based persistence.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ewmic.exe\u003c/code\u003e to create a WMI event filter that defines a specific event to monitor.\u003c/li\u003e\n\u003cli\u003eA WMI event consumer, such as \u003ccode\u003eActiveScriptEventConsumer\u003c/code\u003e or \u003ccode\u003eCommandLineEventConsumer\u003c/code\u003e, is created using \u003ccode\u003ewmic.exe\u003c/code\u003e specifying the malicious code or script to execute when the event occurs.\u003c/li\u003e\n\u003cli\u003eA WMI binding is established between the event filter and the event consumer using \u003ccode\u003ewmic.exe\u003c/code\u003e, linking the event to the action.\u003c/li\u003e\n\u003cli\u003eThe malicious WMI event subscription is activated, monitoring for the defined event.\u003c/li\u003e\n\u003cli\u003eWhen the specified event occurs, the WMI service triggers the execution of the associated malicious code or script through the event consumer.\u003c/li\u003e\n\u003cli\u003eThe attacker gains persistent access to the system, as the WMI event subscription will re-activate after reboots.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform additional malicious activities, such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of WMI for persistence can allow an attacker to maintain long-term, unauthorized access to a compromised system. This can result in data theft, system compromise, and further malicious activities. While the exact number of victims is not specified in the source, the broad applicability of this technique means that many Windows systems are potentially at risk. If the attack succeeds, the attacker gains a foothold on the system that is difficult to detect and remove, which can lead to significant operational disruption and financial loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging and monitor for \u003ccode\u003ewmic.exe\u003c/code\u003e with command-line arguments related to creating event consumers, specifically \u003ccode\u003eActiveScriptEventConsumer\u003c/code\u003e or \u003ccode\u003eCommandLineEventConsumer\u003c/code\u003e, to trigger the Sigma rule \u0026ldquo;Detect Suspicious WMIC Process\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious WMI event subscription creation.\u003c/li\u003e\n\u003cli\u003eReview the investigation steps outlined in the provided documentation to triage and analyze potential WMI persistence attempts.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security Event Logs and Sysmon for events related to WMI activity for broader coverage.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wmi-persistence/","summary":"Adversaries can leverage Windows Management Instrumentation (WMI) to establish persistence by creating event subscriptions that trigger malicious code execution when specific events occur, using tools like wmic.exe to create event consumers.","title":"Persistence via WMI Event Subscription","url":"https://feed.craftedsignal.io/briefs/2024-01-wmi-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","defense-evasion","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","Crowdstrike","Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies modifications to the \u003ccode\u003eNullSessionPipe\u003c/code\u003e registry setting in Windows. This setting defines named pipes that can be accessed without authentication, facilitating anonymous connections. Adversaries may exploit this by modifying the registry to enable lateral movement, allowing unauthorized access to network resources. By adding specific pipes to the \u003ccode\u003eNullSessionPipes\u003c/code\u003e registry key, an attacker can make services accessible without requiring authentication. This rule focuses on flagging modifications that introduce new accessible pipes, which could indicate malicious intent. The targeted configuration is located under \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\u003c/code\u003e. The registry key \u003ccode\u003eNullSessionPipes\u003c/code\u003e is of particular interest when its values change.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker gains elevated privileges on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the Windows Registry, specifically the \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\NullSessionPipes\u003c/code\u003e key. They add a new pipe name to this key, which will allow unauthenticated access to that named pipe.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify the registry, potentially using commands like \u003ccode\u003ereg add\u003c/code\u003e or \u003ccode\u003eSet-ItemProperty\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA remote system attempts to connect to the newly accessible named pipe on the compromised system without authenticating.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the now-accessible service or application associated with the named pipe to execute commands or transfer data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this access to move laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the \u003ccode\u003eNullSessionPipes\u003c/code\u003e registry setting can lead to unauthorized access to sensitive resources and lateral movement within the network. By enabling anonymous access to named pipes, attackers can potentially bypass authentication mechanisms and gain control over critical systems. While the direct number of victims is not specified, the impact can be significant, particularly in organizations where shared resources and services rely on secure authentication protocols.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Windows Registry auditing to capture changes to the \u003ccode\u003eNullSessionPipes\u003c/code\u003e registry key. This will allow you to detect unauthorized modifications as described in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;NullSessionPipe Registry Modification\u0026rdquo; to your SIEM and tune for your environment to identify malicious activity related to named pipe modifications.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the specific named pipes being added or modified in the registry event details, as detailed in the rule\u0026rsquo;s description.\u003c/li\u003e\n\u003cli\u003eRegularly review and validate the legitimacy of existing entries in the \u003ccode\u003eNullSessionPipes\u003c/code\u003e registry key to identify and remove any unauthorized pipes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-nullsessionpipe-modification/","summary":"Attackers modify the NullSessionPipe registry setting in Windows to enable anonymous access to named pipes, potentially facilitating lateral movement and unauthorized access to network resources.","title":"NullSessionPipe Registry Modification for Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-nullsessionpipe-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Exchange Server","Elastic Defend","CrowdStrike","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["exchange","activesync","powershell","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThis detection identifies the use of the Exchange PowerShell cmdlet, \u003ccode\u003eSet-CASMailbox\u003c/code\u003e, to add a new ActiveSync allowed device. Attackers may target user email to collect sensitive information by adding unauthorized devices to a user\u0026rsquo;s allowed ActiveSync devices. The rule focuses on detecting suspicious PowerShell activity by monitoring for specific command patterns indicative of unauthorized device additions. This activity can lead to persistent access to sensitive email data, bypassing normal authentication controls. The original Elastic detection rule was created on 2020/12/15 and updated on 2026/05/04. This matters for defenders because it highlights a persistence mechanism that can be difficult to detect through traditional means.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a privileged account with Exchange management permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell to execute the \u003ccode\u003eSet-CASMailbox\u003c/code\u003e cmdlet.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eActiveSyncAllowedDeviceIDs\u003c/code\u003e attribute for a target user\u0026rsquo;s mailbox.\u003c/li\u003e\n\u003cli\u003eThe attacker adds a rogue device ID to the list of allowed devices.\u003c/li\u003e\n\u003cli\u003eThe attacker configures a mobile device with the rogue device ID to synchronize with the target mailbox.\u003c/li\u003e\n\u003cli\u003eThe attacker gains persistent access to the target user\u0026rsquo;s email, calendar, and contacts.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data from the mailbox.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence even after password changes by continuing to synchronize via the added device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to unauthorized access to sensitive email data, including confidential communications, financial information, and personal data. This can result in data breaches, compliance violations, and reputational damage. The scope of the impact depends on the privileges of the compromised account and the sensitivity of the data contained in the targeted mailboxes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eActiveSyncAllowedDeviceID Added via PowerShell\u003c/code\u003e to your SIEM and tune for your environment to detect suspicious activity.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to capture PowerShell commands for the rule above.\u003c/li\u003e\n\u003cli\u003eReview Exchange audit logs for instances of \u003ccode\u003eSet-CASMailbox\u003c/code\u003e being used to modify \u003ccode\u003eActiveSyncAllowedDeviceIDs\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all accounts, especially those with Exchange management privileges.\u003c/li\u003e\n\u003cli\u003eRegularly audit ActiveSync device configurations to identify unauthorized devices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-activesync-device-added/","summary":"The rule detects the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device, potentially allowing attackers to gain persistent access to sensitive email data by adding unauthorized devices.","title":"New ActiveSync Allowed Device Added via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-activesync-device-added/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","msbuild","proxy-execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe Microsoft Build Engine (MSBuild) is a legitimate tool used by developers to build applications. However, adversaries are known to abuse MSBuild to execute malicious code, leveraging its trusted status to bypass security measures. This technique allows attackers to perform various actions on compromised systems while blending in with legitimate system activity. The observed behavior involves MSBuild being started by system processes like Explorer (explorer.exe) or Windows Management Instrumentation (WMI, wmiprvse.exe). Defenders should be aware of this unusual activity as it signifies a potential defense evasion tactic and unauthorized code execution within the targeted environment. This activity has been observed across environments leveraging Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, CrowdStrike, and standard Windows event logging.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means (e.g., phishing, exploitation of vulnerabilities).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a script or payload that invokes MSBuild.exe.\u003c/li\u003e\n\u003cli\u003eThe script or payload is executed by a system process like explorer.exe or wmiprvse.exe, which is highly unusual for typical MSBuild usage.\u003c/li\u003e\n\u003cli\u003eMSBuild.exe starts with specific command-line arguments that dictate the build process, often involving malicious code.\u003c/li\u003e\n\u003cli\u003eThe malicious code is embedded within an MSBuild project file (.csproj or similar).\u003c/li\u003e\n\u003cli\u003eMSBuild.exe executes the malicious code as part of the build process.\u003c/li\u003e\n\u003cli\u003eThe executed code performs actions such as downloading additional payloads, modifying system configurations, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as gaining remote access, exfiltrating data, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a variety of negative outcomes, including unauthorized code execution, system compromise, data theft, and potentially complete system takeover. The use of MSBuild as a proxy execution method allows attackers to evade traditional security controls and blend in with legitimate system activities. This can result in delayed detection and increased dwell time, amplifying the potential damage. Since MSBuild is a trusted Microsoft utility, its abuse can make malicious activity harder to identify and respond to.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Microsoft Build Engine Started by a System Process\u0026rdquo; to your SIEM to detect instances of MSBuild.exe being launched by explorer.exe or wmiprvse.exe (see rules section).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture the full context of MSBuild.exe executions (reference setup instructions in the source URL).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of MSBuild.exe started by explorer.exe or wmiprvse.exe to determine if they are legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for MSBuild.exe and related processes to detect similar activities in the future, ensuring alerts are configured for rapid response.\u003c/li\u003e\n\u003cli\u003eReview and whitelist any legitimate scripts or administrative tools that leverage MSBuild for authorized tasks to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-msbuild-system-process/","summary":"Adversaries are leveraging MSBuild, a Microsoft Build Engine, to execute malicious code by initiating it from system processes such as Explorer or WMI to evade defenses and execute unauthorized actions.","title":"MSBuild Started by System Process for Defense Evasion and Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-msbuild-system-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Microsoft Defender","Elastic Defend","Elastic Endgame","Trend Micro Security Agent"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","registry-modification","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Trend Micro","Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers commonly disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior within compromised Windows environments. This is often achieved by modifying specific registry keys that control the behavior and functionality of Defender components, such as real-time monitoring, exploit protection, and tamper protection itself. Such actions can significantly reduce the effectiveness of endpoint security, allowing malicious activities to proceed undetected. The references point to techniques that disable PUA protection, tamper protection, memory integrity, and real-time protection. This behavior is observed across various attack scenarios, including ransomware deployment and cryptocurrency mining campaigns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through an unspecified vector (e.g., phishing, exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker obtains elevated privileges on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses an administrative tool like \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker disables real-time monitoring by setting \u003ccode\u003eHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring\u003c/code\u003e to 1.\u003c/li\u003e\n\u003cli\u003eThe attacker disables tamper protection by setting \u003ccode\u003eHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Features\\TamperProtection\u003c/code\u003e to 0.\u003c/li\u003e\n\u003cli\u003eThe attacker disables PUA Protection by setting \u003ccode\u003eHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\PUAProtection\u003c/code\u003e to 0.\u003c/li\u003e\n\u003cli\u003eWith Defender weakened, the attacker executes malicious payloads, such as ransomware or cryptocurrency miners.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful tampering with Microsoft Defender can lead to a significant degradation of endpoint security posture. This can result in undetected malware infections, data breaches, and system compromise. Disabling Defender features can allow attackers to establish persistence, escalate privileges, and deploy malicious payloads without triggering alerts. The impact can range from individual system compromise to widespread network infection, depending on the attacker\u0026rsquo;s objectives and the extent of the tampering.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Microsoft Windows Defender Tampering - Disable Realtime Monitoring\u0026rdquo; to your SIEM to detect modifications to the \u003ccode\u003eDisableRealtimeMonitoring\u003c/code\u003e registry value.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Microsoft Windows Defender Tampering - Disable Tamper Protection\u0026rdquo; to detect modifications to the \u003ccode\u003eTamperProtection\u003c/code\u003e registry value.\u003c/li\u003e\n\u003cli\u003eMonitor registry modification events, specifically targeting keys associated with Microsoft Defender settings as described in the rule query.\u003c/li\u003e\n\u003cli\u003eInvestigate any process modifying Windows Defender registry settings that are not explicitly authorized, referencing the process exclusions in the rule query.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-defender-tampering/","summary":"Adversaries may disable or tamper with Microsoft Defender features via registry modifications to evade detection and conceal malicious behavior on Windows systems.","title":"Microsoft Defender Tampering via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-defender-tampering/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Windows Subsystem for Linux","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","windows","wsl"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis rule detects attempts to execute programs on the host from the Windows Subsystem for Linux (WSL). Adversaries may enable and use WSL for Linux to avoid detection by executing malicious scripts or binaries, bypassing traditional Windows security mechanisms. The rule identifies suspicious executions initiated by WSL processes, excluding known safe executables, to flag potential misuse for defense evasion. This detection focuses on identifying when a process is spawned by \u003ccode\u003ewsl.exe\u003c/code\u003e or \u003ccode\u003ewslhost.exe\u003c/code\u003e and is not within a known good path. The rule is designed to work with data from Elastic Defend, Crowdstrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker enables the Windows Subsystem for Linux (WSL).\u003c/li\u003e\n\u003cli\u003eThe attacker transfers or creates malicious scripts or binaries within the WSL environment.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malicious script or binary using a Linux shell within WSL, such as bash.\u003c/li\u003e\n\u003cli\u003eThe WSL environment interacts with the Windows host to execute commands or access resources.\u003c/li\u003e\n\u003cli\u003eThe executed commands perform malicious actions, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages WSL\u0026rsquo;s integration with Windows to evade traditional Windows-based security measures.\u003c/li\u003e\n\u003cli\u003eThe final objective is to compromise the system or network while remaining undetected.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows adversaries to execute malicious code while potentially evading traditional Windows-based security measures. This can lead to system compromise, data theft, or further propagation of malware within the network. The rule\u0026rsquo;s \u003ccode\u003emedium\u003c/code\u003e severity reflects the potential for significant impact, necessitating prompt investigation and response.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eExecution via Windows Subsystem for Linux\u003c/code\u003e to your SIEM to detect potential malicious activity originating from WSL.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) or Windows process creation logs to provide the necessary data for the Sigma rule to function.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the executed process, parent process (\u003ccode\u003ewsl.exe\u003c/code\u003e or \u003ccode\u003ewslhost.exe\u003c/code\u003e), and associated user account.\u003c/li\u003e\n\u003cli\u003eCorrelate alerts with other security events from Microsoft Defender XDR, SentinelOne, or Crowdstrike to identify related suspicious activities or patterns.\u003c/li\u003e\n\u003cli\u003eImplement exceptions for known administrative scripts or development tools that are frequently executed via WSL to reduce false positives, as outlined in the rule\u0026rsquo;s analysis.\u003c/li\u003e\n\u003cli\u003eMonitor the WSL configuration and installed Linux distributions on affected systems to identify unauthorized changes or installations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wsl-child-process-execution/","summary":"This detection identifies attempts to execute programs from the Windows Subsystem for Linux (WSL) to evade detection by flagging suspicious executions initiated by WSL processes and excluding known safe executables.","title":"Execution via Windows Subsystem for Linux","url":"https://feed.craftedsignal.io/briefs/2024-01-wsl-child-process-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","CrowdStrike FDR","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["execution","defense-evasion","dll-hijacking"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThis detection identifies potential abuse of the Windows Side-by-Side (SxS) feature to execute malicious code. Attackers can place a malicious DLL file within an application\u0026rsquo;s local SxS folder (application.exe.local) and trick the Windows module loader into prioritizing it over legitimate system DLLs. This technique, known as DLL hijacking or DLL redirection, allows adversaries to gain arbitrary code execution within the context of the targeted application. This technique may be used to bypass security controls, escalate privileges, or establish persistence. The detection focuses on file events related to DLLs within these specific SxS folders.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a legitimate application with an associated SxS folder (application.exe.local).\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a malicious DLL file.\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious DLL file in the application\u0026rsquo;s SxS folder (application.exe.local).\u003c/li\u003e\n\u003cli\u003eA legitimate application attempts to load a DLL.\u003c/li\u003e\n\u003cli\u003eDue to the presence of the malicious DLL in the SxS folder, the Windows module loader prioritizes the attacker\u0026rsquo;s DLL.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL is loaded and executed by the application.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution within the context of the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution within the targeted application\u0026rsquo;s context. This can result in privilege escalation, data theft, system compromise, or the establishment of persistence mechanisms. While the number of directly affected organizations is unknown, this technique can be used against a wide range of applications on Windows systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor file creation events for DLL files in \u003ccode\u003eC:\\*\\*.exe.local\\*.dll\u003c/code\u003e and \u003ccode\u003e\\\\Device\\\\HarddiskVolume*\\\\*\\\\*.exe.local\\\\*.dll\u003c/code\u003e using the provided Sigma rule to detect potential malicious DLL planting.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) to improve visibility into file creation events, as noted in the \u003ca href=\"https://ela.st/sysmon-event-11-setup\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the DLL creation event and the involved application.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-local-sxs-dll-execution/","summary":"This rule detects the creation, modification, or deletion of DLL files within Windows SxS local folders, which could indicate an attempt to execute malicious payloads by abusing shared module loading.","title":"Execution via Local SxS Shared Module","url":"https://feed.craftedsignal.io/briefs/2024-01-03-local-sxs-dll-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Exchange","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["collection","execution","powershell","exchange","mailbox"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers may target user email to collect sensitive information. The \u003ccode\u003eNew-MailBoxExportRequest\u003c/code\u003e cmdlet is used to export the contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange. Attackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data. This activity is typically performed using PowerShell or similar scripting tools and can be difficult to detect without specific monitoring in place. The activity may be part of a larger attack campaign targeting sensitive information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised system with sufficient privileges to access Exchange PowerShell.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Exchange server using PowerShell.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eNew-MailboxExportRequest\u003c/code\u003e cmdlet to initiate the export of a target mailbox to a .pst file. The command may include parameters to filter specific content.\u003c/li\u003e\n\u003cli\u003eThe Exchange server processes the export request, creating a .pst file containing the mailbox data.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the exported .pst file from the designated file path.\u003c/li\u003e\n\u003cli\u003eThe attacker may compress and archive the .pst file to reduce its size for exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the .pst file to an external location controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the .pst file to extract sensitive information such as credentials, financial data, or intellectual property.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the attacker to gain access to sensitive information contained within the exported mailboxes. This could lead to financial loss, reputational damage, or compromise of intellectual property. Depending on the scope of the export requests, multiple mailboxes may be compromised, impacting a large number of users. The impact is significant because email often contains highly sensitive business communications and data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to monitor PowerShell execution with command-line arguments (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect the use of \u003ccode\u003eNew-MailboxExportRequest\u003c/code\u003e cmdlet in PowerShell commands.\u003c/li\u003e\n\u003cli\u003eReview the privileges of users with the \u0026ldquo;Mailbox Import Export\u0026rdquo; privilege to ensure that the least privilege principle is being followed.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security Event Logs for PowerShell activity related to mailbox export requests (Data Source: Windows Security Event Logs).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules to identify potential malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-exchange-mailbox-export/","summary":"Adversaries may use the New-MailboxExportRequest PowerShell cmdlet to export mailboxes in Exchange, potentially leading to sensitive information theft.","title":"Exchange Mailbox Export via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-exchange-mailbox-export/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","registry","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies Windows Registry modifications used to conceal encoded portable executables, a tactic employed by adversaries to evade traditional disk-based detection mechanisms. The rule focuses on detecting registry entries with data strings that match known encoded executable patterns. This technique allows attackers to store malicious code within the registry, making it more difficult to detect using standard file-based scanning methods. The rule is designed to work with Elastic Defend, but also supports data from third-party EDR solutions, including CrowdStrike, Microsoft Defender XDR, and SentinelOne. The detection logic focuses on identifying registry entries with data resembling encoded executables.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., through compromised credentials or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses a command-line tool, such as PowerShell or cmd.exe, to interact with the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker encodes a malicious executable using tools like \u003ccode\u003ecertutil\u003c/code\u003e or custom encoding scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a registry key using \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell\u0026rsquo;s \u003ccode\u003eSet-ItemProperty\u003c/code\u003e cmdlet.\u003c/li\u003e\n\u003cli\u003eThe encoded executable is written to the registry key\u0026rsquo;s data value. The data string often starts with \u0026ldquo;TVqQAAMAAAAEAAAA*\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker uses another script or command to decode the executable from the registry.\u003c/li\u003e\n\u003cli\u003eThe decoded executable is then executed in memory or written to disk for execution.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as establishing persistence, escalating privileges, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to evade traditional disk-based security measures, enabling them to execute malicious code undetected. Attackers can use this technique to establish persistence, escalate privileges, or deploy malware, including ransomware. The rule helps defenders identify systems where this defense evasion technique is being employed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect encoded executables stored in the registry.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to provide the necessary data for the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rules to determine if the registry modification is malicious.\u003c/li\u003e\n\u003cli\u003eUse endpoint detection and response (EDR) tools to further analyze suspicious processes associated with the registry modifications.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to prevent the execution of unauthorized executables, even if they are decoded from the registry.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-encoded-executable-registry/","summary":"This rule detects registry write modifications hiding encoded portable executables, indicative of adversary defense evasion by avoiding storing malicious content directly on disk.","title":"Encoded Executable Stored in the Registry","url":"https://feed.craftedsignal.io/briefs/2024-01-encoded-executable-registry/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","windows","registry"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eLocal Security Authority (LSA) protection is a security feature in Windows that prevents unauthorized processes from accessing sensitive information stored in LSASS memory. This protection is enabled through the RunAsPPL registry key. Adversaries may attempt to disable LSA protection by modifying this registry key, allowing them to more easily access credentials stored in LSASS. This technique can be used as part of a broader attack to escalate privileges and move laterally within a network. The rule detects modifications to the \u003ccode\u003eRunAsPPL\u003c/code\u003e registry key that weaken LSA protection. This involves monitoring changes to the registry path \u003ccode\u003e*\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\RunAsPPL\u003c/code\u003e and alerting when the registry data does not contain values that enable protected LSASS modes (\u0026ldquo;1\u0026rdquo;, \u0026ldquo;0x00000001\u0026rdquo;, \u0026ldquo;2\u0026rdquo;, \u0026ldquo;0x00000002\u0026rdquo;).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to an administrator account, if necessary, to gain the required permissions to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eRunAsPPL\u003c/code\u003e registry key located at \u003ccode\u003eHKLM\\System\\CurrentControlSet\\Control\\Lsa\u003c/code\u003e (or similar path under \u003ccode\u003eControlSet00x\u003c/code\u003e) to a value that disables LSA protection (e.g., setting it to 0). This is often achieved using tools like \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell.\u003c/li\u003e\n\u003cli\u003eThe attacker may stage the system for a reboot to apply the registry change.\u003c/li\u003e\n\u003cli\u003eAfter the system reboots, LSASS starts without Protected Process Light (PPL) protection, allowing the attacker to access its memory.\u003c/li\u003e\n\u003cli\u003eThe attacker uses credential dumping tools like \u003ccode\u003eMimikatz\u003c/code\u003e to extract credentials from the unprotected LSASS process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to move laterally to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of LSA protection allows attackers to easily extract credentials from LSASS memory. This can lead to widespread compromise of user and service accounts, enabling lateral movement and privilege escalation within the network. The impact could range from data breaches and financial loss to complete system compromise and disruption of critical services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon registry event logging to detect changes to the \u003ccode\u003eRunAsPPL\u003c/code\u003e registry key (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Disabling Lsa Protection via Registry Modification\u0026rdquo; to your SIEM to detect malicious modifications to the \u003ccode\u003eRunAsPPL\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the process making the change, the user account, and any associated processes (see the \u0026ldquo;investigation_fields\u0026rdquo; in the source).\u003c/li\u003e\n\u003cli\u003eMonitor for unusual process activity after registry modifications, such as the execution of credential dumping tools (e.g., Mimikatz).\u003c/li\u003e\n\u003cli\u003eRegularly review and enforce the principle of least privilege to minimize the number of accounts with permissions to modify sensitive registry keys.\u003c/li\u003e\n\u003cli\u003eUse host isolation when unauthorized LSA-protection weakening is detected and confirmed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-lsass-ppl-disable/","summary":"Adversaries may modify the RunAsPPL registry key to disable LSA protection, which prevents nonprotected processes from reading memory and injecting code, potentially leading to credential access.","title":"Disabling LSA Protection via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-lsass-ppl-disable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Sysmon","Elastic Endgame","Elastic Defend","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","command-line","unicode","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers are increasingly employing Unicode modifier letters to obfuscate command-line arguments, thereby bypassing traditional string-based detection mechanisms. This technique involves replacing standard ASCII characters with visually similar Unicode characters, making it difficult for simple pattern-matching rules to identify malicious commands. The obfuscation targets common Windows utilities such as \u003ccode\u003ereg.exe\u003c/code\u003e, \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003ePowerShell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, and others frequently abused in post-exploitation scenarios. Defenders need to implement more sophisticated detection methods that account for Unicode normalization or character range analysis to identify and mitigate this threat. This technique has become more prevalent in the last year as attackers seek to evade common detection strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eExecution: The attacker executes a command-line utility like \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e to perform malicious actions.\u003c/li\u003e\n\u003cli\u003eObfuscation: The command-line arguments are obfuscated by replacing ASCII characters with Unicode modifier letters.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The obfuscation allows the attacker to evade simple string-based detections that would normally flag the command as malicious.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker may use the obfuscated command to escalate privileges or gain access to sensitive resources.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker may establish persistence by creating a scheduled task or modifying the registry using obfuscated commands.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker may use the obfuscated command to move laterally to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful command obfuscation can lead to a significant compromise of Windows systems. Attackers can bypass security controls and execute malicious code undetected, potentially leading to data theft, system disruption, or ransomware deployment. The obfuscation makes it harder for security teams to identify and respond to attacks, increasing the dwell time and potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect the presence of Unicode modifier letters in command lines (references: Sigma rules).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture command-line arguments for analysis (references: Sysmon setup instructions).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule and analyze the raw command lines to identify the true intent of the command (references: Triage and Analysis section of the source).\u003c/li\u003e\n\u003cli\u003eConsider implementing Unicode normalization techniques to remove the obfuscation before analyzing command lines.\u003c/li\u003e\n\u003cli\u003eMonitor the listed processes (\u003ccode\u003ereg.exe\u003c/code\u003e, \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, etc.) more closely for suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-unicode-cmd-obfuscation/","summary":"Adversaries use Unicode modifier letters to obfuscate command-line arguments, evading string-based detections on common Windows utilities like PowerShell and cmd.exe.","title":"Command Obfuscation via Unicode Modifier Letters","url":"https://feed.craftedsignal.io/briefs/2024-01-unicode-cmd-obfuscation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","indirect-execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","CrowdStrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThe Windows \u003ccode\u003eforfiles\u003c/code\u003e utility is a legitimate command-line tool that allows batch processing of files. However, adversaries can abuse \u003ccode\u003eforfiles\u003c/code\u003e to execute arbitrary commands indirectly, bypassing security controls and evading detection. This technique, known as \u0026ldquo;Indirect Command Execution,\u0026rdquo; involves using \u003ccode\u003eforfiles\u003c/code\u003e to invoke other processes or run scripts, effectively hiding the malicious intent behind a trusted Windows utility. This method can be used to download payloads, execute scripts, or perform other malicious activities under the guise of legitimate \u003ccode\u003eforfiles\u003c/code\u003e activity. The attacks leveraging this technique have been observed since at least 2025. This matters for defenders because it allows attackers to blend in with normal system activity and makes it harder to identify malicious behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through an unknown vector (e.g., phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages \u003ccode\u003eforfiles.exe\u003c/code\u003e to execute a command by using the \u003ccode\u003e/c\u003c/code\u003e or \u003ccode\u003e-c\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts the command to execute a script, download a file, or perform another malicious action.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eforfiles.exe\u003c/code\u003e launches the specified command, which could involve PowerShell, cmd.exe, or another scripting engine.\u003c/li\u003e\n\u003cli\u003eThe script executes, downloading a malicious payload from an external source.\u003c/li\u003e\n\u003cli\u003eThe payload is saved to disk and executed, establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe final objective is achieved, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a compromised system, allowing attackers to perform various malicious activities, including data theft, malware installation, and lateral movement within the network. The impact is dependent on the attacker\u0026rsquo;s objectives and the level of access gained. By using \u003ccode\u003eforfiles\u003c/code\u003e, attackers can bypass traditional security measures and remain undetected for longer periods. The severity is medium as it requires initial access and relies on a dual-use tool.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCommand Execution via ForFiles\u003c/code\u003e to your SIEM to detect suspicious command execution patterns involving \u003ccode\u003eforfiles.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for instances of \u003ccode\u003eforfiles.exe\u003c/code\u003e with the \u003ccode\u003e/c\u003c/code\u003e or \u003ccode\u003e-c\u003c/code\u003e arguments, excluding known legitimate uses as specified in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003eforfiles.exe\u003c/code\u003e execution where the command line contains suspicious parameters or attempts to execute scripts from unusual locations (e.g., the user\u0026rsquo;s temporary directory).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to gain more detailed information about process executions, including command-line arguments and parent-child relationships.\u003c/li\u003e\n\u003cli\u003eReview and audit the usage of \u003ccode\u003eforfiles.exe\u003c/code\u003e across the environment to identify any unauthorized or suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-forfiles-indirect-exec/","summary":"Adversaries may use the Windows forfiles utility to proxy command execution via a trusted parent process, potentially evading detection.","title":"Command Execution via ForFiles Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-03-forfiles-indirect-exec/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["active-directory","discovery","reconnaissance","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eADExplorer is an advanced Active Directory (AD) viewer and editor, it includes the ability to save snapshots of an AD database for offline viewing and comparisons. Adversaries may abuse this utility to perform domain reconnaissance, gather sensitive information about the AD structure, user accounts, and group memberships. The execution of ADExplorer is a potential indicator of malicious activity, especially when observed in environments where its use is not typical or when executed by unauthorized users. This activity can lead to further exploitation, such as privilege escalation and lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means (e.g., compromised credentials, phishing).\u003c/li\u003e\n\u003cli\u003eThe attacker downloads the ADExplorer utility (ADExplorer.exe) to the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker executes ADExplorer.exe to begin enumeration of the Active Directory environment.\u003c/li\u003e\n\u003cli\u003eADExplorer interacts with the Active Directory domain controllers, querying information about users, groups, computers, and organizational units.\u003c/li\u003e\n\u003cli\u003eThe attacker may use ADExplorer to save snapshots of the AD database for offline analysis.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the gathered information to identify privileged accounts, critical assets, and potential vulnerabilities within the AD environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the discovered information to plan further attacks, such as lateral movement or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of ADExplorer by malicious actors can lead to the discovery of sensitive information about the Active Directory environment. This information can be leveraged to facilitate lateral movement, privilege escalation, and data exfiltration. While the initial risk score is low, the reconnaissance activity enables follow-on attacks that can have severe consequences, potentially leading to full domain compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect ADExplorer Execution via Process Name\u003c/code\u003e to detect the execution of ADExplorer based on process name.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect ADExplorer Execution via Original File Name\u003c/code\u003e to detect the execution of ADExplorer based on the process\u0026rsquo;s original file name.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events on Windows endpoints for the execution of ADExplorer.exe or processes with an original file name of \u0026ldquo;AdExp\u0026rdquo; to detect potential reconnaissance activities.\u003c/li\u003e\n\u003cli\u003eInvestigate and validate any execution of ADExplorer by non-administrator accounts.\u003c/li\u003e\n\u003cli\u003eReview ADExplorer use and restrict its usage to authorized personnel.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-adexplorer-execution/","summary":"Detects the execution of ADExplorer, a tool used for Active Directory viewing and editing, which can be abused by adversaries for domain reconnaissance and creating offline snapshots of the AD database.","title":"Active Directory Discovery via ADExplorer Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-adexplorer-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike FDR"],"_cs_severities":["medium"],"_cs_tags":["persistence","defense-evasion","registry","ifeo","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eImage File Execution Options (IFEO) injection is a Windows feature that allows developers to debug applications by specifying an alternative executable to run. Attackers abuse this feature by modifying the Debugger and SilentProcessExit registry keys, setting a debugger to execute malicious code instead of the intended application. This technique is used to establish persistence or evade defenses. The attack involves modifying registry keys under \u003ccode\u003eHKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\u003c/code\u003e, \u003ccode\u003eHKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\u003c/code\u003e, \u003ccode\u003eHKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\u003c/code\u003e, and \u003ccode\u003eHKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\u003c/code\u003e. This matters to defenders because successful IFEO injection can allow attackers to maintain persistent access to a system and execute malicious code without detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through unspecified means (e.g., exploiting a vulnerability or using stolen credentials).\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain administrative access, allowing modification of sensitive registry keys.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry, specifically the \u003ccode\u003eDebugger\u003c/code\u003e or \u003ccode\u003eMonitorProcess\u003c/code\u003e values within the IFEO or SilentProcessExit keys for a target executable (e.g., \u003ccode\u003enotepad.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDebugger\u003c/code\u003e or \u003ccode\u003eMonitorProcess\u003c/code\u003e value is set to point to a malicious executable.\u003c/li\u003e\n\u003cli\u003eWhen the target executable is launched by a user or system process, the malicious executable is launched instead.\u003c/li\u003e\n\u003cli\u003eThe malicious executable performs its intended actions, such as installing malware, stealing credentials, or establishing a reverse shell.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence through the IFEO injection, as the malicious executable will continue to be launched whenever the target executable is run.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful IFEO injection can allow attackers to maintain persistent access to a system, execute malicious code without detection, and potentially compromise sensitive data. IFEO injection can lead to a full compromise of the affected system, potentially impacting all users and applications on the system. This technique is often used in conjunction with other attack methods to achieve broader objectives, such as data exfiltration or ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Windows Registry auditing to monitor changes to the IFEO and SilentProcessExit registry keys, enabling detection of unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect suspicious registry modifications related to IFEO injection.\u003c/li\u003e\n\u003cli\u003eReview and update the exceptions list in the Sigma rules to account for legitimate uses of the Debugger and MonitorProcess registry keys, reducing false positives.\u003c/li\u003e\n\u003cli\u003eMonitor process execution and correlate with registry modifications to identify potentially malicious processes launched via IFEO injection.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for registry changes related to IFEO to detect and respond to similar threats in the future.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-ifeo-injection/","summary":"Attackers can establish persistence and evade defenses by modifying the Debugger and SilentProcessExit registry keys to perform Image File Execution Options (IFEO) injection, allowing them to intercept file executions and run malicious code.","title":"Image File Execution Options (IFEO) Injection for Persistence and Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-ifeo-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","iis","httplogging","appcmd","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers with access to an Internet Information Services (IIS) server, potentially through a webshell or other compromised entry point, may disable HTTP logging as a defense evasion technique. This is typically achieved by using the \u003ccode\u003eappcmd.exe\u003c/code\u003e utility with specific arguments to modify the IIS configuration, preventing the server from recording HTTP requests and responses. Disabling logging makes it significantly harder for defenders to detect malicious activity, trace attacker actions, and perform effective incident response. This activity is a common tactic employed by threat actors to obscure their presence and maintain persistence within a compromised environment, particularly when deploying webshells or conducting lateral movement. This behavior is typically observed post-exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the IIS server, possibly via a webshell or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker executes \u003ccode\u003eappcmd.exe\u003c/code\u003e to modify the IIS configuration.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eappcmd.exe\u003c/code\u003e command includes arguments to disable HTTP logging, such as \u003ccode\u003e/dontLog*:*True\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe command targets specific sites, applications, or the entire server depending on the attacker\u0026rsquo;s objectives.\u003c/li\u003e\n\u003cli\u003eIIS configuration files, such as \u003ccode\u003eapplicationHost.config\u003c/code\u003e or \u003ccode\u003eweb.config\u003c/code\u003e, are modified to reflect the changes.\u003c/li\u003e\n\u003cli\u003eHTTP logging is disabled, preventing the server from recording HTTP requests and responses.\u003c/li\u003e\n\u003cli\u003eAttacker performs malicious activities, such as deploying webshells, without generating HTTP logs.\u003c/li\u003e\n\u003cli\u003eAttacker maintains persistence and evades detection by preventing forensic analysis.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of IIS HTTP logging can severely impair incident response capabilities. Organizations may be unable to detect malicious activity within their web infrastructure, leading to prolonged compromises and increased damage. This technique can be particularly damaging when attackers deploy webshells or conduct lateral movement within the network. Without HTTP logs, tracing attacker actions and identifying compromised systems becomes significantly more challenging. The impact can range from data breaches to system downtime and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;IIS HTTP Logging Disabled via AppCmd\u0026rdquo; to your SIEM to detect when \u003ccode\u003eappcmd.exe\u003c/code\u003e is used to disable HTTP logging.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with Event ID 1 to capture the execution of \u003ccode\u003eappcmd.exe\u003c/code\u003e with the relevant arguments, enabling detection via the Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent process of \u003ccode\u003eappcmd.exe\u003c/code\u003e and the user account under which it was executed.\u003c/li\u003e\n\u003cli\u003eMonitor for modifications to IIS configuration files (\u003ccode\u003eapplicationHost.config\u003c/code\u003e, \u003ccode\u003eweb.config\u003c/code\u003e) to detect unauthorized changes to logging settings.\u003c/li\u003e\n\u003cli\u003eRegularly review and validate the configuration of IIS HTTP logging to ensure it remains enabled and properly configured.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-iis-http-logging-disabled/","summary":"An attacker with IIS server access can disable HTTP Logging using `appcmd.exe` to evade defenses and prevent forensic analysis, as detected by the execution of `appcmd.exe` with arguments to disable logging.","title":"IIS HTTP Logging Disabled via AppCmd","url":"https://feed.craftedsignal.io/briefs/2024-01-iis-http-logging-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["credential-access","kerberos","pass-the-ticket","mimikatz","rubeus"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eThe creation of \u003ccode\u003e.kirbi\u003c/code\u003e files on Windows systems is a strong indicator of potential Kerberos ticket theft. These files are Kerberos ticket artifacts often associated with credential dumping and Pass-The-Ticket (PTT) attacks. Tools like Mimikatz and Rubeus are commonly used to export or dump Kerberos tickets, which are then saved as \u003ccode\u003e.kirbi\u003c/code\u003e files. Defenders should monitor the creation of these files, especially in unusual locations, and investigate the associated processes to determine if malicious activity is occurring. The rule provided is designed to detect these events across multiple data sources, providing a comprehensive approach to identifying this threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means, such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a Kerberos ticket dumping tool, such as Mimikatz or Rubeus.\u003c/li\u003e\n\u003cli\u003eThe tool extracts Kerberos tickets from memory.\u003c/li\u003e\n\u003cli\u003eThe extracted tickets are saved to a \u003ccode\u003e.kirbi\u003c/code\u003e file on the filesystem. This file is often created in a temporary or easily accessible location.\u003c/li\u003e\n\u003cli\u003eThe attacker may rename or move the \u003ccode\u003e.kirbi\u003c/code\u003e file to evade detection or prepare it for later use.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen Kerberos ticket to authenticate to other systems on the network (Pass-The-Ticket).\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive resources or data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Kerberos ticket theft can lead to significant damage, including unauthorized access to sensitive data, lateral movement across the network, and privilege escalation. Depending on the compromised account, an attacker can potentially gain control of critical systems and data. If a domain administrator account is compromised, the entire domain could be at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eKirbi File Creation\u003c/code\u003e to your SIEM to detect the creation of \u003ccode\u003e.kirbi\u003c/code\u003e files.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon FileCreate events (Event ID 11) to provide the necessary data for the \u003ccode\u003eKirbi File Creation\u003c/code\u003e rule to function effectively.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eKirbi File Creation\u003c/code\u003e rule, focusing on the process that created the file, the location of the file, and any follow-on activity.\u003c/li\u003e\n\u003cli\u003eConsider blocking the execution of known Kerberos ticket dumping tools, such as Mimikatz and Rubeus.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-kirbi-file-creation/","summary":"Detects the creation of .kirbi files, a suspicious Kerberos ticket artifact often produced by ticket export or dumping tools such as Rubeus or Mimikatz, indicating preparation for Kerberos ticket theft or Pass-The-Ticket (PTT) attacks.","title":"Detects Kirbi File Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-kirbi-file-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","Sysmon","CrowdStrike Falcon","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","persistence","windows","attrib.exe"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers can add the \u0026lsquo;hidden\u0026rsquo; attribute to files to hide them from the user in an attempt to evade detection. This technique involves using the \u003ccode\u003eattrib.exe\u003c/code\u003e utility to modify file attributes. By setting the hidden attribute, adversaries can conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it. This tactic is often employed post-compromise to maintain a stealthy presence within the target environment. Detection focuses on monitoring process executions that involve \u003ccode\u003eattrib.exe\u003c/code\u003e with command-line arguments indicating the modification of the hidden attribute. The rule is designed for data generated by Elastic Defend, CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a Windows system through various means such as exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges to gain the necessary permissions to execute system utilities.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker uses \u003ccode\u003eattrib.exe\u003c/code\u003e to modify the hidden attribute of a malicious file or directory. For example, \u003ccode\u003eattrib.exe +h C:\\path\\to\\malicious\\file.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eConcealment: The malicious file or directory is now hidden from normal directory listings, making it harder for users and administrators to detect.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence by hiding malicious scripts or executables in startup directories or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the hidden files to move laterally within the network, potentially using them as part of a larger attack campaign.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of this attack includes prolonged attacker presence, increased difficulty in detecting malicious activity, and potential data exfiltration or system compromise. While the risk score is relatively low, the technique contributes to a broader attack chain and can significantly hinder incident response efforts. A successful hiding of artifacts might lead to further compromise, data breaches, or ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Adding Hidden File Attribute via Attrib\u0026rdquo; to your SIEM to detect suspicious usage of \u003ccode\u003eattrib.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line monitoring in Windows environments to ensure the Sigma rule can capture relevant events.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent processes and target files to determine if the activity is legitimate.\u003c/li\u003e\n\u003cli\u003eCorrelate detections of \u003ccode\u003eattrib.exe\u003c/code\u003e with other suspicious activities or alerts on the same host.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring to detect unauthorized changes to file attributes, including the hidden attribute.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-attrib-hidden-file/","summary":"Adversaries can use attrib.exe to add the 'hidden' attribute to files to hide them from users and evade detection, which can be detected by monitoring process executions related to attrib.exe.","title":"Adding Hidden File Attribute via Attrib.exe","url":"https://feed.craftedsignal.io/briefs/2024-01-03-attrib-hidden-file/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike FDR"],"_cs_severities":["medium"],"_cs_tags":["persistence","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003ePowerShell profiles are scripts that run when PowerShell starts, customizing the user\u0026rsquo;s environment. Attackers can abuse this feature to gain persistence by modifying these profiles to execute malicious code each time a user launches PowerShell. The modification of PowerShell profiles allows the attacker to run arbitrary commands without requiring user interaction or explicit execution of malicious scripts. The targeted profile file names include \u003ccode\u003eprofile.ps1\u003c/code\u003e and \u003ccode\u003eMicrosoft.Powershell_profile.ps1\u003c/code\u003e, and the attack affects Windows systems where PowerShell is commonly used.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the location of PowerShell profile scripts, typically found in \u003ccode\u003eC:\\Users\\\u0026lt;Username\u0026gt;\\Documents\\WindowsPowerShell\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies an existing PowerShell profile (e.g., \u003ccode\u003eprofile.ps1\u003c/code\u003e) or creates a new one if it doesn\u0026rsquo;t exist.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into the PowerShell profile. This code could download and execute additional payloads, establish a reverse shell, or perform other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker ensures the malicious code runs when PowerShell is launched by modifying the profile content.\u003c/li\u003e\n\u003cli\u003eWhen a user opens PowerShell, the profile script executes automatically, running the injected malicious code.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs its intended actions, such as establishing persistence by creating scheduled tasks or modifying registry keys.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to compromised systems. This persistence can be used to perform various malicious activities, including data theft, lateral movement, and deployment of ransomware. The severity is medium as it requires local access or prior compromise, but can lead to significant impact if successful.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Profile Modification\u0026rdquo; to detect unauthorized changes to PowerShell profile scripts.\u003c/li\u003e\n\u003cli\u003eMonitor file creation and modification events in the \u003ccode\u003eC:\\Users\\*\\Documents\\WindowsPowerShell\\\u003c/code\u003e and \u003ccode\u003eC:\\Windows\\System32\\WindowsPowerShell\\\u003c/code\u003e directories for suspicious activity.\u003c/li\u003e\n\u003cli\u003eEnable PowerShell script block logging and transcription to gain visibility into the contents of PowerShell scripts being executed.\u003c/li\u003e\n\u003cli\u003eRestrict PowerShell usage to authorized personnel via Group Policy or other application control mechanisms.\u003c/li\u003e\n\u003cli\u003eRegularly audit PowerShell profiles for suspicious or unexpected code.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T18:17:05Z","date_published":"2024-01-02T18:17:05Z","id":"/briefs/2024-01-powershell-profile-persistence/","summary":"Attackers can modify PowerShell profiles to inject malicious code that executes each time PowerShell starts, establishing persistence on a Windows system.","title":"Persistence via PowerShell Profile Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-profile-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","proxy-execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection rule identifies unusual instances of Control Panel being executed with suspicious keywords or paths in the process command line. Control Panel (control.exe) is a legitimate Windows utility, but adversaries may abuse it to proxy execution of malicious code, effectively bypassing defense mechanisms. This technique involves launching control.exe with command-line arguments that point to malicious payloads or unusual file types, such as image files or INF files, or paths containing traversal sequences. The rule is designed to trigger when control.exe is launched with suspicious arguments like image files, INF files, paths containing traversal sequences, or paths in user-writable locations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn adversary gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe adversary stages a malicious payload on the system in a location such as \u003ccode\u003eAppData\\Local\u003c/code\u003e or \u003ccode\u003eUsers\\Public\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe adversary crafts a command line that uses \u003ccode\u003econtrol.exe\u003c/code\u003e to execute the malicious payload. The command line includes a suspicious path, such as \u003ccode\u003econtrol.exe evil.jpg\u003c/code\u003e or \u003ccode\u003econtrol.exe ..\\..\\..\\evil.dll\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003econtrol.exe\u003c/code\u003e process is executed with the malicious command line.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eControl.exe\u003c/code\u003e attempts to load the specified file.\u003c/li\u003e\n\u003cli\u003eIf the file is an executable or script, it is executed within the context of the \u003ccode\u003econtrol.exe\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs its intended actions (e.g., downloading additional payloads, establishing persistence, or exfiltrating data).\u003c/li\u003e\n\u003cli\u003eThe adversary achieves their objective, such as data theft or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing adversaries to install malware, steal sensitive data, or compromise the entire system. This can result in significant financial loss, reputational damage, and disruption of business operations. Because Control Panel is a signed Microsoft binary, abusing it can bypass application control policies.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Control Panel Process with Unusual Arguments\u0026rdquo; to your SIEM to detect suspicious \u003ccode\u003econtrol.exe\u003c/code\u003e command lines (rule).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the command-line arguments of \u003ccode\u003econtrol.exe\u003c/code\u003e (logsource).\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for instances of \u003ccode\u003econtrol.exe\u003c/code\u003e launching child processes (rule).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent process, command-line arguments, and any subsequent network connections (rule).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of \u003ccode\u003econtrol.exe\u003c/code\u003e from unusual locations (overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:00:00Z","date_published":"2024-01-02T15:00:00Z","id":"/briefs/2024-01-control-panel-abuse/","summary":"Adversaries may abuse control.exe to proxy execution of malicious code by using the Control Panel process to execute payloads from unusual locations, detected by identifying suspicious keywords or paths in the process command line.","title":"Control Panel Process with Unusual Arguments","url":"https://feed.craftedsignal.io/briefs/2024-01-control-panel-abuse/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["discovery","windows","fsutil"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers may leverage native operating system tools like \u003ccode\u003efsutil.exe\u003c/code\u003e to perform reconnaissance activities within a compromised environment. The \u003ccode\u003efsutil fsinfo drives\u003c/code\u003e command provides information about connected drives, including removable media, mapped network drives, and backup locations. Discovery of these devices can help adversaries identify valuable data stores for exfiltration or encryption as part of a broader attack campaign. This command can be run interactively or via automated scripts, making it a versatile tool for post-exploitation activities. Defenders should monitor for unusual execution of \u003ccode\u003efsutil\u003c/code\u003e with the \u003ccode\u003efsinfo drives\u003c/code\u003e arguments, particularly when executed by non-administrative users or from unusual locations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003efsutil.exe\u003c/code\u003e via command line or script.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efsutil\u003c/code\u003e command uses the \u003ccode\u003efsinfo\u003c/code\u003e subcommand.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efsinfo\u003c/code\u003e subcommand uses the \u003ccode\u003edrives\u003c/code\u003e argument to list connected drives.\u003c/li\u003e\n\u003cli\u003eThe system returns a list of attached drives and their types (e.g., local, network, removable).\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the output to identify potentially valuable targets.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to access identified drives.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys ransomware on the identified drives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful discovery of peripheral devices can lead to the identification of backup locations, mapped network drives, and removable media containing sensitive information. This information enables attackers to expand their reach within the compromised environment and increase the potential for data theft, encryption, or destruction. The low severity reflects the fact that this activity on its own is simply reconnaissance; the actual damage comes from subsequent actions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious execution of \u003ccode\u003efsutil.exe\u003c/code\u003e (see below).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture \u003ccode\u003efsutil\u003c/code\u003e executions (see setup instructions in the Overview).\u003c/li\u003e\n\u003cli\u003eInvestigate any process executions of \u003ccode\u003efsutil.exe\u003c/code\u003e where the parent process is unexpected or the user context is unusual (see Triage and Analysis).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-peripheral-device-discovery/","summary":"Adversaries may use the Windows file system utility, fsutil.exe, with the fsinfo drives command to enumerate attached peripheral devices and gain information about a compromised system.","title":"Windows Peripheral Device Discovery via fsutil","url":"https://feed.craftedsignal.io/briefs/2024-01-02-peripheral-device-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","mshta","windows","process-creation"],"_cs_type":"advisory","_cs_vendors":["Microsoft","HP","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eMshta.exe (Microsoft HTML Application Host) is a Windows utility used to execute HTML Applications (.hta files). Adversaries often abuse Mshta to execute malicious scripts and evade detection, as it is a signed Microsoft binary and can bypass application whitelisting. This activity typically involves Mshta spawning other processes like cmd.exe or powershell.exe to perform malicious actions. This behavior has been observed across various attack campaigns and is a common tactic used to deliver payloads, establish persistence, or perform lateral movement within a network. Defenders need to monitor Mshta.exe process creations and child processes to detect and prevent potential threats. The detection logic focuses on identifying specific child processes commonly associated with malicious activities, while excluding legitimate uses of Mshta, such as those related to HP printer software.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access via an unspecified method (e.g., phishing, drive-by download) that delivers a malicious HTA file.\u003c/li\u003e\n\u003cli\u003eThe user executes the HTA file, which launches Mshta.exe to interpret and execute the embedded script.\u003c/li\u003e\n\u003cli\u003eThe script within the HTA file spawns a suspicious child process, such as cmd.exe or powershell.exe, using \u003ccode\u003eCreateProcess\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe spawned process executes malicious commands or scripts to download additional payloads or perform reconnaissance.\u003c/li\u003e\n\u003cli\u003eCertutil.exe may be used to decode encoded payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker may use bitsadmin.exe to download files from remote servers.\u003c/li\u003e\n\u003cli\u003ePowerShell is used to execute malicious code directly in memory, bypassing file-based detections.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as establishing persistence, stealing credentials, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a range of consequences, including malware infection, data theft, and system compromise. The impact can vary depending on the attacker\u0026rsquo;s objectives, but it can result in significant financial losses, reputational damage, and disruption of business operations. While specific numbers of victims are not listed, this technique is widely used and can affect any organization that does not adequately monitor and restrict the use of Mshta.exe. The sectors targeted are broad, as this is a general-purpose technique applicable to various environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging and monitor for Mshta.exe spawning suspicious child processes to enable the \u0026ldquo;Suspicious Microsoft HTML Application Child Process\u0026rdquo; rule.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect Mshta.exe spawning cmd.exe, powershell.exe, certutil.exe, bitsadmin.exe, curl.exe, msiexec.exe, schtasks.exe, reg.exe, wscript.exe, or rundll32.exe to detect potential defense evasion.\u003c/li\u003e\n\u003cli\u003eExamine \u003ccode\u003eprocess.command_line\u003c/code\u003e and \u003ccode\u003eprocess.parent.command_line\u003c/code\u003e for suspicious arguments and file paths to further investigate potential malicious use of Mshta.\u003c/li\u003e\n\u003cli\u003eMonitor for executables running from user directories using the Sigma rule provided to identify potentially malicious processes spawned by Mshta.exe.\u003c/li\u003e\n\u003cli\u003eInvestigate the parent process of Mshta.exe to determine the initial source of the HTA execution, focusing on browsers, email clients, and other potential delivery mechanisms.\u003c/li\u003e\n\u003cli\u003eTune the provided Sigma rules for your environment to reduce false positives and ensure accurate detection of malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-mshta-suspicious-child/","summary":"Mshta.exe spawning a suspicious child process, such as cmd.exe or powershell.exe, indicates potential adversarial activity leveraging Mshta to execute malicious scripts and evade detection on Windows systems.","title":"Suspicious Microsoft HTML Application Child Process","url":"https://feed.craftedsignal.io/briefs/2024-01-mshta-suspicious-child/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","compile-after-delivery","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers sometimes deliver malicious code in a non-executable format to bypass initial security checks. They then use legitimate .NET compilers like \u003ccode\u003ecsc.exe\u003c/code\u003e (C#) and \u003ccode\u003evbc.exe\u003c/code\u003e (VB.NET) to compile the code into an executable on the victim machine. This technique, known as \u0026ldquo;Compile After Delivery\u0026rdquo;, helps them evade traditional signature-based detections. This activity is often launched from scripting engines or system utilities, such as \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003ecmstp.exe\u003c/code\u003e, \u003ccode\u003eregsvr32.exe\u003c/code\u003e and others. The rule detects these unusual parent-child process relationships, providing an alert for potential post-delivery code compilation activity, and applies to Windows environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access via an unspecified method.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers obfuscated or encoded .NET source code to the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a scripting engine (e.g., \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e) or system utility (e.g., \u003ccode\u003ewmic.exe\u003c/code\u003e, \u003ccode\u003eregsvr32.exe\u003c/code\u003e, \u003ccode\u003ecmstp.exe\u003c/code\u003e) to execute a .NET compiler (\u003ccode\u003ecsc.exe\u003c/code\u003e or \u003ccode\u003evbc.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe scripting engine or system utility passes the delivered .NET source code as an argument to the compiler.\u003c/li\u003e\n\u003cli\u003eThe .NET compiler compiles the source code into a binary executable.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the compiled binary.\u003c/li\u003e\n\u003cli\u003eThe compiled binary performs malicious actions, such as establishing persistence, lateral movement, or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on the target system, bypassing security measures that rely on pre-execution scanning. This can lead to a range of malicious activities, including data theft, system compromise, and deployment of ransomware. Detecting and preventing this technique is crucial for maintaining the integrity and confidentiality of systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging via Windows Security Event Logs or Sysmon (Event ID 1) to capture process execution data needed for the detection rule.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious .NET Code Compilation\u0026rdquo; to your SIEM to detect instances of .NET compilers being executed by unusual parent processes.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized execution of compilers and scripting engines by non-standard parent processes, as described in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for the parent processes listed in the Sigma rule\u0026rsquo;s detection criteria (e.g., \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003ecmstp.exe\u003c/code\u003e, \u003ccode\u003eregsvr32.exe\u003c/code\u003e) for unusual command-line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-suspicious-dotnet-compilation/","summary":"Adversaries may use unusual parent processes to execute .NET compilers for compiling malicious code after delivery, evading security mechanisms, and this activity is detected by monitoring compiler executions initiated by scripting engines or system utilities.","title":"Suspicious .NET Code Compilation via Unusual Parent Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-02-suspicious-dotnet-compilation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Elastic Defend","Elastic Endgame"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","tunneling","yuze","proxy"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis rule detects the execution of Yuze, an open-source tunneling tool written in C, which is commonly used for intranet penetration. Yuze supports both forward and reverse SOCKS5 proxy tunneling and is often executed using \u003ccode\u003erundll32\u003c/code\u003e to load \u003ccode\u003eyuze.dll\u003c/code\u003e with the \u003ccode\u003eRunYuze\u003c/code\u003e export. Threat actors can leverage Yuze to proxy command and control (C2) communications or to pivot within a network. The detection focuses on identifying processes with command-line arguments indicative of Yuze execution, specifically those involving \u0026ldquo;reverse,\u0026rdquo; \u0026ldquo;-c,\u0026rdquo; \u0026ldquo;proxy,\u0026rdquo; \u0026ldquo;fwd,\u0026rdquo; and \u0026ldquo;-l\u0026rdquo; parameters. This activity has been observed in real-world campaigns, increasing the importance of timely detection and response.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a target system through various means (e.g., phishing, exploitation of vulnerabilities).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or drops the \u003ccode\u003eyuze.dll\u003c/code\u003e file onto the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003erundll32.exe\u003c/code\u003e to execute \u003ccode\u003eyuze.dll\u003c/code\u003e, calling the \u003ccode\u003eRunYuze\u003c/code\u003e export.\u003c/li\u003e\n\u003cli\u003eThe command line includes parameters to establish a reverse or forward SOCKS5 proxy tunnel (e.g., \u003ccode\u003erundll32 yuze.dll,RunYuze reverse -c \u0026lt;ip\u0026gt;:\u0026lt;port\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eYuze establishes a tunnel to a remote server, allowing the attacker to proxy network traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established tunnel to pivot within the network and access internal resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may proxy C2 traffic through the tunnel, masking the true origin of the commands.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions on the internal network, such as data exfiltration or lateral movement, using the tunnel as a covert channel.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish covert communication channels, bypass network security controls, and proxy malicious traffic, potentially leading to unauthorized access to sensitive data, lateral movement within the network, and data exfiltration. The use of Yuze can obscure the origin of attacks, making attribution more difficult and hindering incident response efforts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Yuze Tunneling via Rundll32\u0026rdquo; to your SIEM to detect the execution of \u003ccode\u003eyuze.dll\u003c/code\u003e via \u003ccode\u003erundll32.exe\u003c/code\u003e with specific command-line arguments.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging (Sysmon Event ID 1 or Windows Security Auditing) to capture the necessary command-line information for the Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any identified instances of \u003ccode\u003erundll32.exe\u003c/code\u003e executing \u003ccode\u003eyuze.dll\u003c/code\u003e, focusing on the parent processes and network connections.\u003c/li\u003e\n\u003cli\u003eBlock the C2/relay IP or domain found in the \u003ccode\u003e-c\u003c/code\u003e argument at DNS/firewall, as described in the Triage and Analysis section of the rule\u0026rsquo;s note.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-yuze-tunneling/","summary":"This alert detects potential protocol tunneling activity via the execution of Yuze, a lightweight open-source tunneling tool often used by threat actors for intranet penetration via forward and reverse SOCKS5 proxy tunneling.","title":"Potential Protocol Tunneling via Yuze","url":"https://feed.craftedsignal.io/briefs/2024-01-yuze-tunneling/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Firewall","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","lateral-movement","windows","netsh","rdp"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers can leverage the native Windows command-line tool \u003ccode\u003enetsh.exe\u003c/code\u003e to modify Windows Firewall rules and enable inbound Remote Desktop Protocol (RDP) connections. This can be used as a defense evasion technique to bypass existing firewall restrictions, allowing them to establish remote access to a compromised host. Ransomware operators and other malicious actors frequently utilize RDP to access victim servers, often using privileged accounts, to further their objectives. This activity can be conducted post-compromise to facilitate lateral movement and the deployment of malicious payloads. The behavior was observed being detected by Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Crowdstrike.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a Windows host through initial access methods (e.g., phishing, exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the system and escalates privileges as needed.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e with specific arguments to modify the Windows Firewall configuration.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enetsh\u003c/code\u003e command creates or modifies an inbound rule to allow RDP traffic (TCP port 3389).\u003c/li\u003e\n\u003cli\u003eThe attacker establishes an RDP connection to the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RDP session to perform reconnaissance, move laterally, or deploy malware.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to disable or modify security tools to further evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can lead to unauthorized remote access to systems, enabling lateral movement, data theft, and ransomware deployment. If RDP is enabled on a large number of systems, the attacker can move laterally through the environment. The impact can range from data breaches to complete operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003enetsh.exe\u003c/code\u003e executing with arguments related to enabling inbound RDP traffic using the \u0026ldquo;Remote Desktop Enabled in Windows Firewall by Netsh\u0026rdquo; rule.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule provided below to detect instances of \u003ccode\u003enetsh.exe\u003c/code\u003e being used to modify firewall rules related to RDP.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege and restrict the use of \u003ccode\u003enetsh.exe\u003c/code\u003e to authorized personnel only.\u003c/li\u003e\n\u003cli\u003eReview existing firewall rules and remove any unnecessary or overly permissive rules.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging for enhanced visibility into process execution events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-netsh-rdp-enable/","summary":"Adversaries may use the `netsh.exe` utility to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall, potentially allowing unauthorized remote access to compromised systems.","title":"Netsh Used to Enable Remote Desktop Protocol (RDP) in Windows Firewall","url":"https://feed.craftedsignal.io/briefs/2024-01-netsh-rdp-enable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","data-exfiltration","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Crowdstrike","Microsoft","SentinelOne"],"content_html":"\u003cp\u003eThe threat involves the abuse of the legitimate Windows \u003ccode\u003enet.exe\u003c/code\u003e utility to mount remote shares, including hidden (e.g., administrative shares) and WebDav shares. This activity may signal lateral movement within a network, preparation for data exfiltration, or initial access through reconnaissance of available network resources. The detection focuses on identifying specific command-line patterns used with \u003ccode\u003enet.exe\u003c/code\u003e to mount these shares. While the primary data source for the detection rule is Elastic Defend, it also supports data from CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs. This activity can be masked within normal administrative functions, so tuning and baselining are important.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised system through various means (e.g., phishing, exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enet.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e to discover available network shares, identifying potential targets for lateral movement or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003enet.exe\u003c/code\u003e to attempt to mount a hidden or WebDav share, often using stolen credentials or exploiting existing permissions. The command includes \u003ccode\u003euse\u003c/code\u003e and specifies a share path like \u003ccode\u003e\\\\\\\\\u0026lt;server\u0026gt;\\\u0026lt;share\u0026gt;\u003c/code\u003e or \u003ccode\u003ehttp(s)://\u0026lt;server\u0026gt;/\u0026lt;share\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker gains access to the remote share, potentially browsing its contents to identify valuable data or resources.\u003c/li\u003e\n\u003cli\u003eThe attacker copies sensitive data from the remote share to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker stages the exfiltrated data on the compromised system, preparing it for transfer to an external location.\u003c/li\u003e\n\u003cli\u003eThe attacker uses another tool or protocol (e.g., FTP, SCP, web upload) to exfiltrate the data to a destination controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker cleans up any traces of their activity on the compromised system and the remote share, attempting to avoid detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to unauthorized access to sensitive data, lateral movement to other systems, and ultimately, data exfiltration. The mounting of hidden shares gives the attacker the ability to move laterally and escalate their privileges. Depending on the data stored on the shares, data breaches and financial losses are possible. Targeted sectors are broad, as \u003ccode\u003enet.exe\u003c/code\u003e is a standard Windows utility.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Mounting Hidden or WebDav Remote Shares\u0026rdquo; rule to your SIEM, tuning it for your environment to minimize false positives and detect suspicious activity.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture detailed information about process executions, including \u003ccode\u003enet.exe\u003c/code\u003e and its command-line arguments as outlined in the rule description.\u003c/li\u003e\n\u003cli\u003eInvestigate and validate any alerts generated by the \u0026ldquo;Mounting Hidden or WebDav Remote Shares\u0026rdquo; rule, focusing on the process details, arguments, and associated user accounts, as suggested in the rule\u0026rsquo;s triage and analysis section.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit lateral movement possibilities, mitigating the potential impact of successful share mounting as mentioned in the response and remediation steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-mount-remote-shares/","summary":"Adversaries may leverage the `net.exe` utility to mount WebDav or hidden remote shares, potentially indicating lateral movement, data exfiltration preparation, or initial access via discovery of accessible shares.","title":"Mounting of Hidden or WebDav Remote Shares via Net Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-02-mount-remote-shares/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eUser Account Control (UAC) is a security feature in Windows that helps mitigate the impact of malware by requiring administrative privileges for certain actions. Attackers may attempt to disable or bypass UAC to execute code with elevated privileges without user consent. This is often achieved by modifying specific registry values related to UAC settings. The registry values include \u003ccode\u003eEnableLUA\u003c/code\u003e, \u003ccode\u003eConsentPromptBehaviorAdmin\u003c/code\u003e, and \u003ccode\u003ePromptOnSecureDesktop\u003c/code\u003e. Successful modification of these values to \u003ccode\u003e0\u003c/code\u003e or \u003ccode\u003e0x00000000\u003c/code\u003e effectively disables UAC, allowing attackers to perform privileged actions without triggering UAC prompts. This technique has been observed in conjunction with malware such as the Remcos RAT.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to the system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker attempts to escalate privileges to perform actions requiring administrative rights.\u003c/li\u003e\n\u003cli\u003eRegistry Modification: The attacker modifies the registry values \u003ccode\u003eEnableLUA\u003c/code\u003e, \u003ccode\u003eConsentPromptBehaviorAdmin\u003c/code\u003e, and/or \u003ccode\u003ePromptOnSecureDesktop\u003c/code\u003e located under \u003ccode\u003eHKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDisable UAC: By setting these registry values to \u003ccode\u003e0\u003c/code\u003e or \u003ccode\u003e0x00000000\u003c/code\u003e, the attacker disables UAC.\u003c/li\u003e\n\u003cli\u003eCode Execution: The attacker executes malicious code, leveraging the now-disabled UAC to bypass security restrictions.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence, ensuring continued access to the compromised system.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker moves laterally to other systems within the network, leveraging the compromised system as a launchpad.\u003c/li\u003e\n\u003cli\u003eObjective Completion: The attacker achieves their final objective, such as data exfiltration, system disruption, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling UAC allows attackers to execute code with elevated privileges, bypassing security restrictions. This can lead to a complete compromise of the affected system, allowing attackers to install malware, modify system settings, steal sensitive data, and potentially move laterally to other systems within the network. The rule has a risk score of 47.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor registry modifications for changes to \u003ccode\u003eEnableLUA\u003c/code\u003e, \u003ccode\u003eConsentPromptBehaviorAdmin\u003c/code\u003e, and \u003ccode\u003ePromptOnSecureDesktop\u003c/code\u003e with the Sigma rule provided.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture registry modifications.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-disable-uac-registry/","summary":"Attackers may disable User Account Control (UAC) by modifying specific registry values, allowing them to execute code with elevated privileges, bypass security restrictions, and potentially escalate privileges on Windows systems.","title":"Disabling User Account Control via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-uac-registry/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Subsystem for Linux","Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend","Elastic Endpoint Security"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","windows","wsl","kalilinux"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","Crowdstrike","Elastic"],"content_html":"\u003cp\u003eThis detection identifies attempts to install or utilize Kali Linux through the Windows Subsystem for Linux (WSL). Attackers may leverage WSL to deploy Kali Linux as a means of circumventing traditional security measures and carrying out malicious operations within a Windows operating system. This behavior enables them to potentially blend their activities with legitimate WSL usage, making detection more challenging. The detection focuses on identifying specific processes and command-line arguments associated with Kali Linux installations and executions within the WSL environment, aiming to expose malicious actors utilizing this technique for nefarious purposes. This activity started being tracked in early 2023. Defenders should be aware of this technique, as it can be used to bypass security controls and perform malicious activities discreetly.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through methods outside the scope of this specific detection (e.g., phishing, exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker enables WSL on the target Windows system using PowerShell or command-line tools.\u003c/li\u003e\n\u003cli\u003eThe attacker downloads the Kali Linux distribution for WSL from the Microsoft Store or another source.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ewsl.exe\u003c/code\u003e with arguments like \u003ccode\u003e-d\u003c/code\u003e, \u003ccode\u003e--distribution\u003c/code\u003e, \u003ccode\u003e-i\u003c/code\u003e, or \u003ccode\u003e--install\u003c/code\u003e along with \u0026ldquo;kali*\u0026rdquo; to install the Kali Linux distribution.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker directly executes the \u003ccode\u003ekali.exe\u003c/code\u003e binary located within the Kali Linux package path (e.g., \u003ccode\u003eC:\\\\Users\\\\*\\\\AppData\\\\Local\\\\packages\\\\kalilinux*\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eOnce Kali Linux is installed, the attacker uses it to perform various malicious activities, such as penetration testing, vulnerability scanning, or exploiting other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker may leverage tools and utilities within Kali Linux to escalate privileges, move laterally, or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe final objective is typically to compromise the target system or network, steal valuable information, or disrupt operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using Kali Linux within WSL can lead to significant damage, including data breaches, system compromise, and disruption of services. The use of Kali Linux provides attackers with a wide range of tools and capabilities for reconnaissance, exploitation, and post-exploitation activities. Depending on the attacker\u0026rsquo;s objectives, this can result in financial losses, reputational damage, and legal liabilities. Organizations across various sectors are vulnerable, as this technique can be used against any Windows system with WSL enabled.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Kali Linux Installation via WSL\u0026rdquo; to your SIEM to detect the use of \u003ccode\u003ewsl.exe\u003c/code\u003e with specific Kali Linux installation arguments (rule).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Kali Linux Executable via WSL\u0026rdquo; to your SIEM to detect the direct execution of \u003ccode\u003ekali.exe\u003c/code\u003e from the common install directories (rule).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003ewsl.exe\u003c/code\u003e and \u003ccode\u003ekali.exe\u003c/code\u003e within the Windows environment (logsource).\u003c/li\u003e\n\u003cli\u003eReview and restrict the usage of WSL within the organization to only authorized users and systems (overview).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to prevent the execution of unauthorized binaries, including \u003ccode\u003ekali.exe\u003c/code\u003e (overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-kali-wsl-install/","summary":"Adversaries may attempt to install or use Kali Linux via Windows Subsystem for Linux (WSL) to avoid detection, potentially enabling them to perform malicious activities within a Windows environment while blending in with legitimate WSL usage.","title":"Detection of Kali Linux Installation or Usage via Windows Subsystem for Linux (WSL)","url":"https://feed.craftedsignal.io/briefs/2024-01-kali-wsl-install/"}],"language":"en","next_url":"/vendors/crowdstrike/page/2/feed.json","title":"CraftedSignal Threat Feed — Crowdstrike","version":"https://jsonfeed.org/version/1.1"}