{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/dell/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Windows Defender Advanced Threat Protection","SupportAssistAgent","Obkio Agent","SolarWinds Agent","SecuraAgent"],"_cs_severities":["low"],"_cs_tags":["discovery","privilege-escalation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Dell","Obkio","SolarWinds","Infraon Corp"],"content_html":"\u003cp\u003eThis detection rule identifies instances where the SYSTEM account is used to execute account discovery utilities, such as \u003ccode\u003ewhoami.exe\u003c/code\u003e and \u003ccode\u003enet1.exe\u003c/code\u003e. This behavior is commonly observed after an attacker has successfully achieved privilege escalation within a Windows environment, or after exploiting a web application. The rule is designed to detect post-exploitation discovery activity where an adversary attempts to gain situational awareness by enumerating accounts and system information using the elevated SYSTEM context. The rule leverages data from Elastic Defend and Sysmon Event ID 1 to identify these behaviors, helping defenders spot potential privilege escalation and lateral movement attempts. The original rule was created 2020/03/18 and updated 2026/05/04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, potentially through exploiting a vulnerability in a web application or through phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to the SYSTEM account, possibly by exploiting a local privilege escalation vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewhoami.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e via the SYSTEM account to enumerate user accounts and gather system information.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewhoami.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e process is spawned by a parent process such as a web server process (e.g., w3wp.exe) or a service process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the discovered account information to plan further actions, such as lateral movement or credential theft.\u003c/li\u003e\n\u003cli\u003eThe attacker may use \u003ccode\u003enet1.exe\u003c/code\u003e to query domain information.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the gained information to identify valuable targets within the network.\u003c/li\u003e\n\u003cli\u003eThe final objective is often data exfiltration, deployment of ransomware, or further compromise of the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data, lateral movement within the network, and potential data exfiltration or ransomware deployment. Although this rule has low severity, the execution of discovery commands by the SYSTEM account can be a critical indicator of compromise. Early detection of such activity can prevent more severe damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect account discovery commands executed via the SYSTEM account and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to ensure the necessary data is available for detection.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the process execution chain to identify the source of the SYSTEM account usage.\u003c/li\u003e\n\u003cli\u003eIf the process tree includes a web-application server process, investigate suspicious file creation or modification to assess for webshell backdoors.\u003c/li\u003e\n\u003cli\u003eReview and harden web application security to prevent initial access and privilege escalation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T14:00:00Z","date_published":"2024-01-09T14:00:00Z","id":"/briefs/2024-01-09-system-account-discovery/","summary":"The rule identifies when the SYSTEM account uses an account discovery utility, potentially indicating discovery activity after privilege escalation, focusing on utilities like whoami.exe and net1.exe executed under the SYSTEM account.","title":"Account Discovery Command via SYSTEM Account","url":"https://feed.craftedsignal.io/briefs/2024-01-09-system-account-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","ICA Client","SARemediation","Endpoint Connect"],"_cs_severities":["medium"],"_cs_tags":["credential-access","persistence","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Citrix","Dell","CheckPoint"],"content_html":"\u003cp\u003eAttackers may modify the network logon provider registry to gain persistence or access credentials. This involves registering a rogue network logon provider module that intercepts authentication credentials in clear text during user logon. The modification of the ProviderPath key under the NetworkProvider service registry path can be indicative of this malicious activity. The registry modification is often performed by non-system accounts and the adversary will attempt to hide the malicious DLL by placing it in common directories. This technique allows adversaries to steal user credentials or maintain persistent access to the compromised system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, possibly through exploiting a vulnerability or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to obtain the necessary permissions to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker locates the registry key related to network logon providers: \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\*\\NetworkProvider\\ProviderPath\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eProviderPath\u003c/code\u003e registry value to point to a malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe system loads the malicious DLL during the logon process.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL intercepts user credentials in clear text.\u003c/li\u003e\n\u003cli\u003eThe attacker harvests the intercepted credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the harvested credentials for lateral movement or further exploitation of the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the compromise of user credentials, allowing attackers to gain unauthorized access to sensitive systems and data. Modification of the network logon provider registry enables attackers to maintain persistent access to the compromised system, even after a reboot. This can result in data breaches, financial losses, and reputational damage. The severity depends on the level of access granted to the compromised accounts and the sensitivity of the data they can access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor registry modifications to the \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\*\\NetworkProvider\\ProviderPath\u003c/code\u003e key, using the provided Sigma rule to detect suspicious changes.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture registry modifications.\u003c/li\u003e\n\u003cli\u003eRegularly audit network logon providers and verify the integrity and authenticity of the registered DLLs.\u003c/li\u003e\n\u003cli\u003eInvestigate processes modifying the registry and their associated file creation events for unknown or suspicious processes.\u003c/li\u003e\n\u003cli\u003eBlock execution of unsigned or untrusted DLLs in the network logon provider path.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Network Logon Provider Registry Modification\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-network-logon-provider-modification/","summary":"Adversaries may modify the network logon provider registry to register a rogue network logon provider module for persistence and credential access by intercepting authentication credentials in clear text during user logon.","title":"Network Logon Provider Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-network-logon-provider-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["credential-access","lsass","dll-injection","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","McAfee","SecMaker AB","HID Global","Apple","Citrix Systems","Dell","Hewlett-Packard Company","Symantec Corporation","National Instruments Corporation","DigitalPersona","Novell","Gemalto","EasyAntiCheat Oy","Entrust Datacard Corporation","AuriStor","LogMeIn","VMware","Nubeva Technologies Ltd","Micro Focus","Yubico AB","Secure Endpoints","Sophos","Morphisec Information Security","Entrust","F5 Networks","Bit4id","Thales DIS CPL USA","Micro Focus International plc","HYPR Corp","Intel","PGP Corporation","Parallels International GmbH","FrontRange Solutions Deutschland GmbH","SecureLink","Tidexa OU","Amazon Web Services","SentryBay Limited","Audinate Pty Ltd","CyberArk Software","NVIDIA","Trend Micro","Fortinet","Carbon Black"],"content_html":"\u003cp\u003eThe Local Security Authority Subsystem Service (LSASS) is a critical Windows component that manages security policies and user authentication. Attackers often target LSASS to dump credentials, using techniques like injecting malicious DLLs. This detection focuses on identifying instances where LSASS loads a DLL that is either unsigned or not signed by a trusted vendor. The rule excludes known legitimate signatures and file hashes to reduce false positives. This activity is a strong indicator of credential access attempts, potentially leading to further compromise of the system and network. The signatures identified in the rule contain well-known software vendors like Microsoft, McAfee and Citrix.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means (e.g., phishing, exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain sufficient access to interact with the LSASS process.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious DLL onto the system, often disguised as a legitimate file.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious DLL into the LSASS process using techniques like Reflective DLL Injection.\u003c/li\u003e\n\u003cli\u003eLSASS loads the injected DLL, granting the attacker access to sensitive credentials stored in memory.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL dumps credentials, such as plaintext passwords or NTLM hashes.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials for lateral movement to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to credential compromise, allowing attackers to move laterally within the network, access sensitive data, and potentially achieve complete domain dominance. This can result in data breaches, financial losses, and reputational damage. The impact depends on the level of access associated with the compromised credentials.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eLSASS Loading Untrusted DLL\u003c/code\u003e Sigma rule to your SIEM to detect suspicious DLLs loaded by LSASS.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule and review the loaded DLL\u0026rsquo;s code signature and hash.\u003c/li\u003e\n\u003cli\u003eBlock the identified SHA256 hashes listed in the IOC table to prevent the execution of known malicious DLLs.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to restrict which DLLs can be loaded into LSASS.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation and image load logging to provide the necessary data for detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-lsass-suspicious-dll/","summary":"Detection of LSASS loading an unsigned or untrusted DLL, which can indicate credential access attempts by malicious actors targeting sensitive information stored in the LSASS process.","title":"LSASS Loading Suspicious DLL","url":"https://feed.craftedsignal.io/briefs/2024-01-lsass-suspicious-dll/"}],"language":"en","title":"CraftedSignal Threat Feed — Dell","version":"https://jsonfeed.org/version/1.1"}