{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/elastic/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic License v2"],"_cs_severities":["high"],"_cs_tags":["kubernetes","credential-access","execution"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies Kubernetes pod exec sessions accessing sensitive files or credential paths. The goal is to detect attackers attempting to steal credentials or configuration information from within Kubernetes pods. This often occurs after initial access and may precede lateral movement, privilege escalation, or data exfiltration. The detection focuses on command lines that reference paths related to service account tokens, kubelet configuration, host identity stores, common private keys, keystore extensions, process environment dumps, and configuration files with embedded secrets. The rule is designed to catch both interactive and scripted access, and includes exclusions for benign reads of resolv.conf.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a Kubernetes cluster, potentially through a compromised application or misconfigured service.\u003c/li\u003e\n\u003cli\u003eAttacker uses \u003ccode\u003ekubectl exec\u003c/code\u003e or similar tools to execute commands within a pod.\u003c/li\u003e\n\u003cli\u003eThe executed command attempts to read sensitive files or directories within the pod\u0026rsquo;s filesystem, such as \u003ccode\u003e/var/run/secrets/kubernetes.io/serviceaccount/token\u003c/code\u003e to obtain the pod\u0026rsquo;s service account token.\u003c/li\u003e\n\u003cli\u003eThe command may also target host-level files if the pod has hostPath mounts or runs in a privileged context, like \u003ccode\u003e/etc/shadow\u003c/code\u003e or \u003ccode\u003e/etc/passwd\u003c/code\u003e for credential access.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to dump process environments via \u003ccode\u003e/proc/\u0026lt;pid\u0026gt;/environ\u003c/code\u003e to extract sensitive information stored as environment variables.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages obtained credentials or configuration to move laterally to other pods or nodes within the cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges within the cluster by abusing stolen service account tokens or node credentials.\u003c/li\u003e\n\u003cli\u003eThe final objective is to exfiltrate sensitive data, deploy malicious workloads, or disrupt services within the Kubernetes environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the compromise of sensitive data, including credentials, configuration files, and application secrets. This can enable attackers to move laterally within the Kubernetes cluster, escalate privileges, and potentially gain control over the entire environment. The severity of the impact depends on the sensitivity of the data exposed and the level of access achieved by the attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect sensitive file access within Kubernetes pod exec sessions.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the \u003ccode\u003eEsql.access_type\u003c/code\u003e field to prioritize incidents.\u003c/li\u003e\n\u003cli\u003eReview and tighten RBAC permissions for pod exec to limit access to authorized users and service accounts.\u003c/li\u003e\n\u003cli\u003eImplement admission controls to prevent pods from running in privileged mode or using hostPath mounts unless absolutely necessary.\u003c/li\u003e\n\u003cli\u003eMonitor Kubernetes audit logs for suspicious \u003ccode\u003ekubectl exec\u003c/code\u003e activity, including unusual command lines or access patterns.\u003c/li\u003e\n\u003cli\u003eRegularly rotate Kubernetes service account tokens and other sensitive credentials to minimize the impact of potential breaches.\u003c/li\u003e\n\u003cli\u003eUse the provided Kubernetes audit log query to proactively search for historical instances of sensitive file access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T21:42:34Z","date_published":"2026-05-04T21:42:34Z","id":"/briefs/2024-01-kubernetes-pod-exec-sensitive-file-access/","summary":"This rule detects Kubernetes pod exec sessions where the decoded command line references sensitive files or paths such as mounted service account tokens, kubelet and control-plane configuration, host identity stores, private keys, and process environment dumps, aiming to identify potential lateral movement, privilege escalation, or credential theft.","title":"Kubernetes Pod Exec Sensitive File or Credential Path Access","url":"https://feed.craftedsignal.io/briefs/2024-01-kubernetes-pod-exec-sensitive-file-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Sysmon Registry Events","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["port-forwarding","registry-modification","command-and-control","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers may configure port forwarding rules to bypass network segmentation restrictions, effectively using the compromised host as a jump box to access previously unreachable systems. This involves modifying the registry to redirect incoming TCP connections from a local port to another port or a remote computer. The technique is typically employed post-compromise to facilitate lateral movement and maintain unauthorized access within the network. This activity is detected by monitoring changes to the \u003ccode\u003eHKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\\u003c/code\u003e registry subkeys.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system through an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a command-line interface (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e) with administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell\u0026rsquo;s \u003ccode\u003eSet-ItemProperty\u003c/code\u003e cmdlet to modify the \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eThe attacker configures a new port forwarding rule by creating a new subkey under \u003ccode\u003ev4tov4\\\u003c/code\u003e with specific settings for the local port, remote address, and remote port.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eListenAddress\u003c/code\u003e, \u003ccode\u003eListenPort\u003c/code\u003e, \u003ccode\u003eConnectAddress\u003c/code\u003e, and \u003ccode\u003eConnectPort\u003c/code\u003e values within the new subkey.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the successful creation and activation of the port forwarding rule using \u003ccode\u003enetsh interface portproxy show v4tov4\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly created port forwarding rule to tunnel traffic through the compromised host, bypassing network segmentation.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the proxied connection to access internal resources and conduct further attacks, such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation enables attackers to bypass network segmentation restrictions, leading to unauthorized access to internal systems and data. This can facilitate lateral movement, data exfiltration, and further compromise of the network. The severity of the impact depends on the sensitivity of the accessible resources and the extent of the attacker\u0026rsquo;s lateral movement.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture modifications to the \u003ccode\u003eHKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\\u003c/code\u003e registry subkeys, enabling detection of malicious port forwarding rule additions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Port Forwarding Rule Addition via Registry Modification\u0026rdquo; to your SIEM to detect suspicious registry modifications related to port forwarding.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the process execution chain and the user account that performed the action.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit existing port forwarding rules to identify and remove any unauthorized or suspicious configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-port-forwarding-registry/","summary":"An adversary may abuse port forwarding to bypass network segmentation restrictions by creating a new port forwarding rule through modification of the Windows registry.","title":"Windows Port Forwarding Rule Addition via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2026-05-port-forwarding-registry/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies suspicious child processes spawned by Zoom.exe, potentially indicating an attempt to evade detection or exploit vulnerabilities within the Zoom application. The rule focuses on detecting instances where command interpreters like cmd.exe, PowerShell, or PowerShell ISE are launched as child processes of Zoom. This behavior can be indicative of an attacker attempting to execute malicious commands or scripts within the context of the Zoom application, potentially escalating privileges or gaining unauthorized access to system resources. It\u0026rsquo;s crucial for defenders to investigate such occurrences, as they may signify ongoing exploitation or malicious activity leveraging Zoom as an initial access vector.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser launches the Zoom application (Zoom.exe).\u003c/li\u003e\n\u003cli\u003eA vulnerability in Zoom is exploited, or the user is socially engineered into running a malicious command.\u003c/li\u003e\n\u003cli\u003eZoom.exe spawns a child process, such as cmd.exe, powershell.exe, pwsh.exe, or powershell_ise.exe.\u003c/li\u003e\n\u003cli\u003eThe spawned process executes commands or scripts, potentially downloading or executing malware.\u003c/li\u003e\n\u003cli\u003eThe malicious script or command performs reconnaissance activities on the system.\u003c/li\u003e\n\u003cli\u003eThe script establishes persistence by creating a scheduled task or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement and data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could allow attackers to execute arbitrary commands, escalate privileges, and compromise the affected system. Depending on the user\u0026rsquo;s privileges, attackers could gain access to sensitive data, install malware, or pivot to other systems on the network. The impact ranges from data breaches to complete system compromise, potentially affecting all users within the organization who utilize the Zoom application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Zoom Child Process\u0026rdquo; to your SIEM to detect command interpreters spawned by Zoom.exe. Tune the rule for your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture detailed information about process executions, which is essential for the Sigma rule above.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the command-line arguments and network connections of the spawned processes.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security Event Logs for process creation events related to Zoom.exe and its child processes to identify suspicious behavior.\u003c/li\u003e\n\u003cli\u003eConsider implementing application control policies to restrict the execution of unauthorized processes within the Zoom application context.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-11-suspicious-zoom-child-process/","summary":"A suspicious Zoom child process was detected, indicating a potential attempt to run unnoticed by masquerading as Zoom.exe or exploiting a vulnerability, resulting in the execution of cmd.exe, powershell.exe, pwsh.exe, or powershell_ise.exe.","title":"Suspicious Zoom Child Process Execution","url":"https://feed.craftedsignal.io/briefs/2024-11-suspicious-zoom-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","Sysmon","Crowdstrike","SentinelOne Cloud Funnel","Elastic Endgame"],"_cs_severities":["medium"],"_cs_tags":["powershell","malware","execution"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies the execution of PowerShell with suspicious argument values on Windows systems. This behavior is frequently associated with malware installation and other malicious activities. PowerShell is a powerful scripting language, and adversaries often exploit its capabilities to execute malicious scripts, download payloads, and obfuscate commands. The rule focuses on detecting patterns such as encoded commands, suspicious downloads (e.g., using WebClient or Invoke-WebRequest), and various obfuscation techniques used to evade detection. The rule is designed to work with various data sources, including Elastic Defend, Windows Security Event Logs, Sysmon, and third-party EDR solutions like CrowdStrike, Microsoft Defender XDR, and SentinelOne, enhancing its applicability across different environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell to download a malicious payload from a remote server using commands like \u003ccode\u003eDownloadFile\u003c/code\u003e or \u003ccode\u003eDownloadString\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is often encoded or obfuscated to evade detection. Common techniques include Base64 encoding, character manipulation, and compression.\u003c/li\u003e\n\u003cli\u003ePowerShell is then used to decode or deobfuscate the payload using methods like \u003ccode\u003e[Convert]::FromBase64String\u003c/code\u003e or \u003ccode\u003e[char[]](...) -join ''\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe deobfuscated payload is executed directly in memory using techniques like \u003ccode\u003eiex\u003c/code\u003e (Invoke-Expression) or \u003ccode\u003eReflection.Assembly.Load\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe executed payload performs malicious actions, such as installing malware, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker may use techniques like \u003ccode\u003eWebClient\u003c/code\u003e to download files from a remote URL.\u003c/li\u003e\n\u003cli\u003eCommands like \u003ccode\u003enslookup -q=txt\u003c/code\u003e are used for command and control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to malware installation, data theft, system compromise, and further propagation of the attack within the network. The detection of suspicious PowerShell arguments helps to identify and prevent these malicious activities before significant damage can occur. Without proper detection, attackers can maintain persistence, escalate privileges, and compromise sensitive data. The rule helps defenders identify and respond to these threats quickly, minimizing the impact of potential attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious PowerShell activity.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with command line arguments to ensure the necessary data is captured for the Sigma rules to function effectively.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules to determine the legitimacy of the PowerShell activity and take appropriate remediation steps.\u003c/li\u003e\n\u003cli\u003eContinuously tune the Sigma rules based on your environment to reduce false positives and improve detection accuracy.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-09-susp-powershell-args/","summary":"This rule identifies the execution of PowerShell with suspicious argument values, often observed during malware installation, by detecting unusual PowerShell arguments indicative of abuse, focusing on patterns like encoded commands, suspicious downloads, and obfuscation techniques.","title":"Suspicious Windows PowerShell Arguments Detected","url":"https://feed.craftedsignal.io/briefs/2024-09-susp-powershell-args/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike","SentinelOne Cloud Funnel","Sysmon","Windows Security Event Logs"],"_cs_severities":["medium"],"_cs_tags":["lolbas","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThe Windows command line debugging utility, cdb.exe, is a legitimate tool used for debugging applications. However, adversaries can exploit it to execute unauthorized commands or shellcode, bypassing security measures. This can be achieved by running cdb.exe from non-standard installation paths and using specific command-line arguments to execute malicious commands. The LOLBAS project documents this technique, highlighting its potential for defense evasion. This activity has been observed across various environments, necessitating detection strategies that focus on identifying anomalous executions of cdb.exe.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker copies cdb.exe to a non-standard location (outside \u0026ldquo;Program Files\u0026rdquo; and \u0026ldquo;Program Files (x86)\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker executes cdb.exe with the \u003ccode\u003e-cf\u003c/code\u003e, \u003ccode\u003e-c\u003c/code\u003e, or \u003ccode\u003e-pd\u003c/code\u003e command-line arguments.\u003c/li\u003e\n\u003cli\u003eThese arguments are used to specify a command file or execute a direct command.\u003c/li\u003e\n\u003cli\u003eThe command file or command directly executes malicious code, such as shellcode.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs actions such as creating new processes, modifying files, or establishing network connections.\u003c/li\u003e\n\u003cli\u003eThese actions allow the attacker to maintain persistence or escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is to evade defenses and execute arbitrary code on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows adversaries to execute arbitrary commands and shellcode on the affected system, potentially leading to complete system compromise. This can result in data theft, installation of malware, or further propagation within the network. The technique is effective at bypassing application whitelisting and other security controls that rely on standard execution paths.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Execution via Windows Command Debugging Utility\u0026rdquo; to your SIEM to detect suspicious cdb.exe executions (see rules section).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging via Sysmon or Windows Security Event Logs to provide the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent execution of cdb.exe from non-standard paths.\u003c/li\u003e\n\u003cli\u003eMonitor process command lines for the \u003ccode\u003e-cf\u003c/code\u003e, \u003ccode\u003e-c\u003c/code\u003e, and \u003ccode\u003e-pd\u003c/code\u003e flags when cdb.exe is executed.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of cdb.exe running from unusual directories to determine legitimacy.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-07-cdb-execution/","summary":"Adversaries can abuse the Windows command line debugging utility cdb.exe to execute commands or shellcode from non-standard paths, evading traditional security measures.","title":"Suspicious Execution via Windows Command Debugging Utility","url":"https://feed.craftedsignal.io/briefs/2024-07-cdb-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection rule identifies modifications to Subject Interface Package (SIP) providers, a critical component of the Windows cryptographic system responsible for validating file signatures. Attackers may attempt to subvert trust controls by modifying SIP providers, allowing them to bypass signature validation checks and potentially inject malicious code into trusted processes. This activity is a form of defense evasion, allowing unauthorized code execution. The rule focuses on detecting suspicious registry changes associated with SIP providers, while excluding known benign processes to minimize false positives. The rule is designed for data generated by Elastic Defend, but also supports third-party data sources like CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon. This activity is related to MITRE ATT\u0026amp;CK technique T1553.003 (SIP and Trust Provider Hijacking).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through various means (e.g., phishing, exploitation of vulnerabilities).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain necessary permissions to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry keys associated with SIP providers, specifically targeting \u003ccode\u003eCryptSIPDllPutSignedDataMsg\u003c/code\u003e and \u003ccode\u003eTrust\\\\FinalPolicy\u003c/code\u003e locations.\u003c/li\u003e\n\u003cli\u003eThe attacker changes the \u003ccode\u003eDll\u003c/code\u003e value within these registry keys to point to a malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe system, upon attempting to validate a file signature, loads the malicious DLL instead of the legitimate SIP provider.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes arbitrary code, potentially injecting it into other processes.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the injected code to further compromise the system or network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of SIP providers allows attackers to bypass signature validation checks, leading to the execution of unsigned or malicious code. This can compromise the integrity of the system, leading to data breaches, system instability, or further propagation of malware within the network. The impact can range from individual workstation compromise to widespread organizational damage, depending on the scope of the attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SIP Provider Modification via Registry\u003c/code\u003e to your SIEM and tune it for your environment to detect suspicious registry modifications related to SIP providers.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to collect the necessary data for the Sigma rules above.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rules, focusing on the process responsible for the registry change and the DLL being loaded, as described in the rule\u0026rsquo;s triage section.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted code.\u003c/li\u003e\n\u003cli\u003eMonitor the registry paths listed in the Sigma rules for unexpected changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-01-sip-provider-modification/","summary":"This rule detects modifications to the registered Subject Interface Package (SIP) providers, which are used by the Windows cryptographic system to validate file signatures, potentially indicating an attempt to bypass signature validation or inject code for defense evasion.","title":"SIP Provider Modification for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-sip-provider-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","Crowdstrike","Elastic"],"content_html":"\u003cp\u003eThis detection identifies the modification of Discretionary Access Control Lists (DACLs) for Windows services using the \u003ccode\u003esc.exe\u003c/code\u003e utility. Attackers can leverage this technique to deny access to a service, making it unmanageable or hiding it from system administrators and users. The detection rule focuses on identifying instances where \u003ccode\u003esc.exe\u003c/code\u003e is used with the \u003ccode\u003esdset\u003c/code\u003e argument, specifically targeting the denial of access for key user groups such as IU, SU, BA, SY, and WD. This activity is indicative of a defense evasion attempt aimed at hindering security tools or preventing remediation. The rule is designed for data generated by Elastic Defend, but also supports integrations with third-party data sources like CrowdStrike, Microsoft Defender XDR, and SentinelOne Cloud Funnel, offering broad coverage for detecting this malicious behavior across diverse environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system through various means (e.g., compromised credentials, phishing).\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain necessary permissions to modify service configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003esc.exe\u003c/code\u003e with the \u003ccode\u003esdset\u003c/code\u003e command to modify the DACL of a targeted service.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esdset\u003c/code\u003e command arguments specify the new security descriptor, denying access to specific user groups (e.g., IU, SU, BA, SY, WD).\u003c/li\u003e\n\u003cli\u003eThe service becomes inaccessible to the targeted user groups, potentially disrupting legitimate operations or security tools.\u003c/li\u003e\n\u003cli\u003eThe attacker may repeat this process for multiple services to further impair system functionality or evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the disabled or hidden services to maintain persistence or carry out other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of service DACLs can lead to a denial-of-service condition for legitimate users and system administrators. This can impair the functionality of critical security tools, hinder incident response efforts, and provide attackers with a persistent foothold on the compromised system. The hiding of services can also prevent users from identifying and removing malicious services. While the number of victims is not specified in the source, organizations across various sectors are potentially vulnerable to this type of attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eService DACL Modification via sc.exe\u003c/code\u003e to your SIEM to detect this specific behavior.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to provide the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where \u003ccode\u003esc.exe\u003c/code\u003e is used with the \u003ccode\u003esdset\u003c/code\u003e argument and access denial flags, focusing on the targeted user groups (IU, SU, BA, SY, WD).\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and monitor for unauthorized attempts to modify service configurations.\u003c/li\u003e\n\u003cli\u003eRegularly audit service permissions to identify and remediate any unauthorized changes.\u003c/li\u003e\n\u003cli\u003eReview and update endpoint protection policies to prevent similar threats in the future, ensuring that all systems are equipped with the latest security patches and configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-07-service-dacl-modification/","summary":"Detection of service DACL modifications via `sc.exe` using the `sdset` command, potentially leading to defense evasion by denying service access to legitimate users or system accounts.","title":"Service DACL Modification via sc.exe","url":"https://feed.craftedsignal.io/briefs/2024-07-service-dacl-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Sysmon","Elastic Defend","SentinelOne Cloud Funnel","CrowdStrike Falcon"],"_cs_severities":["medium"],"_cs_tags":["initial-access","rdp","phishing","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers are increasingly using malicious Remote Desktop Protocol (RDP) files to gain initial access to systems. These RDP files, often delivered via spearphishing attachments, contain connection settings that, when opened, can compromise a system. This technique allows adversaries to bypass traditional security measures by leveraging a legitimate tool (mstsc.exe) with a malicious configuration file. The observed activity involves opening RDP files from suspicious locations like Downloads, temporary folders (AppData\\Local\\Temp), and Outlook content cache (INetCache\\Content.Outlook). This campaign has been observed as recently as October 2024, where Midnight Blizzard conducted large-scale spear-phishing using RDP files. Defenders should monitor for the execution of mstsc.exe with RDP files from untrusted locations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a spearphishing email containing a malicious RDP file as an attachment.\u003c/li\u003e\n\u003cli\u003eThe victim receives the email and, lured by social engineering, downloads the attached RDP file to a local directory, often the Downloads folder.\u003c/li\u003e\n\u003cli\u003eThe victim double-clicks the RDP file, initiating the execution of \u003ccode\u003emstsc.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emstsc.exe\u003c/code\u003e reads the connection settings from the RDP file, which may include malicious configurations such as altered gateway settings or credential theft mechanisms.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emstsc.exe\u003c/code\u003e attempts to establish a remote desktop connection based on the RDP file\u0026rsquo;s settings.\u003c/li\u003e\n\u003cli\u003eIf the connection is successful, the attacker gains unauthorized access to the remote system.\u003c/li\u003e\n\u003cli\u003eThe attacker may then perform reconnaissance, move laterally, and escalate privileges within the compromised network.\u003c/li\u003e\n\u003cli\u003eThe final objective could be data exfiltration, ransomware deployment, or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using malicious RDP files can lead to unauthorized access to sensitive systems and data. The consequences range from data breaches and financial loss to complete system compromise and disruption of operations. The Microsoft Security blog reported a large-scale spear-phishing campaign utilizing RDP files as recently as October 2024. The targets may be across various sectors, with potentially widespread impact depending on the attacker\u0026rsquo;s objectives and the scope of the compromised network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRemote Desktop File Opened from Suspicious Path\u003c/code\u003e to your SIEM and tune for your environment, focusing on the specified file paths and \u003ccode\u003emstsc.exe\u003c/code\u003e execution.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments to capture the execution of \u003ccode\u003emstsc.exe\u003c/code\u003e and the paths of the RDP files being opened.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks associated with opening RDP files from untrusted sources, particularly those received as email attachments.\u003c/li\u003e\n\u003cli\u003eImplement strict email filtering to block or quarantine emails with RDP attachments from external sources.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for unusual RDP traffic originating from systems where suspicious RDP files were executed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-11-rdp-file-attachment/","summary":"Adversaries may abuse RDP files delivered via phishing from suspicious locations to gain unauthorized access to systems.","title":"Remote Desktop File Opened from Suspicious Path","url":"https://feed.craftedsignal.io/briefs/2024-11-rdp-file-attachment/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["low"],"_cs_tags":["defense evasion","impact","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe Sysinternals SDelete utility is a legitimate tool developed by Microsoft for securely deleting files by overwriting and renaming them multiple times. While intended for secure data disposal, adversaries can abuse SDelete to remove forensic artifacts, destroy evidence of their activities, and impede data recovery efforts after a successful ransomware attack or data theft. This activity can be used as a post-exploitation technique. This detection rule focuses on identifying file name patterns indicative of SDelete\u0026rsquo;s operation, specifically detecting files with names resembling \u0026ldquo;*AAA.AAA\u0026rdquo;. The rule is designed to work with various endpoint detection and response solutions, including Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and CrowdStrike.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain the necessary permissions to delete files.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys or utilizes an existing copy of the SDelete utility.\u003c/li\u003e\n\u003cli\u003eThe attacker executes SDelete against targeted files or directories.\u003c/li\u003e\n\u003cli\u003eSDelete overwrites the targeted file(s) multiple times with random data.\u003c/li\u003e\n\u003cli\u003eSDelete renames the file(s) multiple times, often with patterns such as \u0026ldquo;*AAA.AAA\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eSDelete deletes the file(s) making recovery difficult.\u003c/li\u003e\n\u003cli\u003eThe attacker removes SDelete or any associated tools to further cover their tracks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can result in the permanent deletion of crucial forensic artifacts, log files, or even critical data. This can severely hinder incident response efforts, making it challenging to identify the scope of the attack, the attacker\u0026rsquo;s methods, and the compromised assets. The number of victims and affected sectors depends on the scale of the initial breach and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Potential Secure File Deletion via SDelete Utility\u0026rdquo; detection rule to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the detection rule, focusing on the process execution chain and identifying the user account involved.\u003c/li\u003e\n\u003cli\u003eReview the privileges assigned to the user account to ensure the least privilege principle is followed.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) logging to enhance visibility into file creation events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-01-28-sdelete-filename-rename/","summary":"This rule detects file name patterns generated by the use of Sysinternals SDelete utility, potentially used by attackers to delete forensic indicators and hinder data recovery efforts.","title":"Potential Secure File Deletion via SDelete Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-28-sdelete-filename-rename/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","Elastic Endgame"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","ntlm","registry-modification","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis rule detects a specific defense evasion technique where an attacker modifies the Windows registry to force a system to use the less secure NTLMv1 authentication protocol. This is known as a NetNTLMv1 downgrade attack. The registry modification involves changing the \u003ccode\u003eLmCompatibilityLevel\u003c/code\u003e value, which controls the authentication level. Attackers with local administrator privileges can perform this modification to weaken the authentication mechanism, making it easier to intercept and crack credentials. The rule is designed to detect this activity by monitoring registry events from various sources, including Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Crowdstrike. It is important to monitor for this activity as it can lead to credential theft and further compromise of the system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains local administrator privileges on a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a registry editor or command-line tool (e.g., \u003ccode\u003ereg.exe\u003c/code\u003e, PowerShell) to modify the \u003ccode\u003eLmCompatibilityLevel\u003c/code\u003e value in the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to one of the following registry paths: \u003ccode\u003eHKLM\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel\u003c/code\u003e or \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eLmCompatibilityLevel\u003c/code\u003e value to \u0026ldquo;0\u0026rdquo;, \u0026ldquo;1\u0026rdquo;, or \u0026ldquo;2\u0026rdquo; (or their hexadecimal equivalents \u0026ldquo;0x00000000\u0026rdquo;, \u0026ldquo;0x00000001\u0026rdquo;, \u0026ldquo;0x00000002\u0026rdquo;). These values force the system to use NTLMv1.\u003c/li\u003e\n\u003cli\u003eThe system now uses NTLMv1 for authentication attempts.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a man-in-the-middle attack to capture NTLMv1 authentication traffic using tools like Responder or Inveigh.\u003c/li\u003e\n\u003cli\u003eThe captured NTLMv1 hashes are cracked using brute-force or dictionary attacks, revealing the user\u0026rsquo;s credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to gain unauthorized access to network resources or other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful NetNTLMv1 downgrade attack can lead to the compromise of user credentials, enabling attackers to move laterally within the network, access sensitive data, and potentially escalate privileges. The impact can range from data breaches to complete system compromise, depending on the attacker\u0026rsquo;s objectives and the compromised user\u0026rsquo;s privileges.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential NetNTLMv1 Downgrade Attack\u0026rdquo; to detect registry modifications setting \u003ccode\u003eLmCompatibilityLevel\u003c/code\u003e to insecure values (0, 1, 2) within the specified registry paths.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to ensure the necessary data is available for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eReview registry event logs for unauthorized modifications of \u003ccode\u003eLmCompatibilityLevel\u003c/code\u003e to confirm legitimate administrative actions.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit local administrator privileges and reduce the attack surface.\u003c/li\u003e\n\u003cli\u003eMonitor the references URL for updates on recommended security configurations related to NTLM authentication.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-netntlmv1-downgrade/","summary":"This brief details a registry modification attack that downgrades the system to NTLMv1 authentication, enabling NetNTLMv1 downgrade attacks, typically performed with local administrator privileges on Windows systems.","title":"Potential NetNTLMv1 Downgrade Attack via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2026-05-netntlmv1-downgrade/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Filtering Platform","elastic-agent","elastic-endpoint"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows-filtering-platform","endpoint-security"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Bitdefender","VMware Carbon Black","Comodo","Vectra AI","Cybereason","Cylance","Elastic","ESET","Broadcom","Fortinet","Kaspersky","Malwarebytes","McAfee","Qualys","SentinelOne","Sophos","Symantec","Trend Micro","BeyondTrust","CrowdStrike","Splunk","Tanium"],"content_html":"\u003cp\u003eThe Windows Filtering Platform (WFP) provides APIs and system services for network filtering and packet processing. Attackers can abuse WFP by creating malicious rules to block endpoint security processes, hindering their ability to send telemetry. This can be achieved by tools like Shutter, EDRSilencer, and Nighthawk. This detection rule identifies patterns of blocked network events linked to security software processes, signaling potential evasion tactics. The rule specifically looks for blocked network events linked to processes associated with known security software, aiming to detect and alert on attempts to disable or modify security tools. This behavior is especially concerning as it allows attackers to operate with reduced visibility.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system (e.g., via compromised credentials or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain administrative rights, necessary to interact with the Windows Filtering Platform.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool or script (e.g., leveraging the \u003ccode\u003enetsh\u003c/code\u003e command or custom WFP API calls) to create a new WFP filter.\u003c/li\u003e\n\u003cli\u003eThe WFP filter is configured to block network traffic originating from specific processes associated with endpoint security software (e.g., \u003ccode\u003eelastic-agent.exe\u003c/code\u003e, \u003ccode\u003esysmon.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe system begins blocking network communication from the targeted security software.\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious commands or malware on the system, knowing that security telemetry will be suppressed.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network, repeating the WFP filter deployment on other systems to further impair defenses.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or ransomware deployment, with reduced risk of detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using WFP to impair defenses can lead to a significant reduction in the effectiveness of endpoint security solutions. This can result in delayed detection of malicious activities, increased dwell time for attackers, and ultimately, a higher likelihood of successful data breaches or ransomware attacks. With endpoint telemetry blocked, organizations may remain unaware of the ongoing compromise until significant damage has occurred. The number of affected systems can vary depending on the attacker\u0026rsquo;s scope and objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and review Windows Audit Filtering Platform Connection and Packet Drop events to populate the logs required for the provided EQL rule (logs-system.security*, logs-windows.forwarded*, winlogbeat-*).\u003c/li\u003e\n\u003cli\u003eDeploy the provided EQL rule to your SIEM to detect suspicious WFP modifications and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the EQL rule, focusing on identifying the specific processes being blocked and the source of the WFP rule modifications.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit WFP rules to identify any unauthorized or suspicious entries.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and monitoring for systems authorized to modify WFP rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-wfp-evasion/","summary":"Adversaries may add malicious Windows Filtering Platform (WFP) rules to prevent endpoint security solutions from sending telemetry data, impairing defenses, which this rule detects by identifying multiple WFP block events where the process name is associated with endpoint security software.","title":"Potential Evasion via Windows Filtering Platform Blocking Security Software","url":"https://feed.craftedsignal.io/briefs/2026-05-wfp-evasion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["data-exfiltration","rclone","masquerading"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAttackers are leveraging Rclone, a legitimate command-line program to manage files on cloud storage, for malicious purposes. The primary abuse case involves renaming Rclone (e.g., to TrendFileSecurityCheck.exe) to evade detection based on process name. Once renamed, attackers use Rclone\u0026rsquo;s copy/sync functionalities with cloud backends like S3 or HTTP endpoints. They often employ \u003ccode\u003e--include\u003c/code\u003e filters to target specific sensitive file types for exfiltration. This activity is frequently blended with regular administrative traffic to further obfuscate the malicious intent. Defenders should be aware of this tactic, particularly when unusual processes are observed interacting with cloud storage services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through an undisclosed method.\u003c/li\u003e\n\u003cli\u003eRclone is downloaded or transferred to the victim machine.\u003c/li\u003e\n\u003cli\u003eThe rclone executable is renamed to a benign-sounding name (e.g., TrendFileSecurityCheck.exe) to masquerade as a legitimate system utility.\u003c/li\u003e\n\u003cli\u003eThe attacker configures rclone to connect to a cloud storage backend (e.g., an S3 bucket or HTTP endpoint) controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eA command is executed using the renamed rclone executable, specifying the \u003ccode\u003ecopy\u003c/code\u003e or \u003ccode\u003esync\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe command includes \u003ccode\u003e--include\u003c/code\u003e flags to filter and select specific file types (e.g., documents, source code, databases) for exfiltration.\u003c/li\u003e\n\u003cli\u003eRclone transfers the targeted files from the victim machine to the attacker\u0026rsquo;s cloud storage backend, potentially using the \u003ccode\u003e--transfers\u003c/code\u003e option for faster exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the exfiltrated data from their cloud storage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the exfiltration of sensitive data, including proprietary information, customer data, financial records, or intellectual property. The impact can range from reputational damage and financial losses to legal and regulatory repercussions. The scope of damage depends on the sensitivity and volume of the exfiltrated data, the number of affected systems, and the effectiveness of the attacker\u0026rsquo;s filtering criteria.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Rclone Usage\u003c/code\u003e to detect renamed rclone executables executing copy/sync commands.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to collect the necessary process execution data for the Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any process identified by the Sigma rule \u003ccode\u003eSuspicious Rclone Usage\u003c/code\u003e by examining command-line arguments for cloud backend destinations and \u003ccode\u003e--include\u003c/code\u003e filters.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for unusual outbound traffic to cloud storage providers (AWS S3, Azure Blob Storage, Google Cloud Storage) from processes other than approved backup solutions.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or renamed executables.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-rclone-exfiltration/","summary":"Attackers are abusing the legitimate file synchronization tool rclone, often renamed to masquerade as legitimate software, to exfiltrate data to cloud storage or remote endpoints.","title":"Potential Data Exfiltration via Rclone","url":"https://feed.craftedsignal.io/briefs/2026-05-rclone-exfiltration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Security"],"_cs_severities":["medium"],"_cs_tags":["account-takeover","credential-access","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies potential account takeover activity by analyzing Windows Security Event Logs for unusual login patterns. Specifically, it looks for user accounts that typically log in with high frequency from a single source IP address but then exhibit successful logins from a different source IP address with significantly lower frequency. This pattern may indicate that an attacker has compromised the account credentials and is accessing the network from a new, potentially malicious, location. This activity is detected by analyzing Windows Security Event ID 4624 events related to successful logins. The rule is designed to trigger when a user account logs in from a new IP address after establishing a pattern of high-volume logins from a primary IP address.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains access to valid user credentials through methods such as phishing, credential stuffing, or malware. (T1078)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuccessful Logon:\u003c/strong\u003e The attacker uses the compromised credentials to successfully log in to a Windows system from a new IP address (Event ID 4624, Logon Type Network/RemoteInteractive).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Possible):\u003c/strong\u003e Once authenticated, the attacker may attempt to move laterally within the network to access additional resources or systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Possible):\u003c/strong\u003e The attacker may attempt to escalate their privileges to gain administrative access to the system or domain (TA0004).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration (Possible):\u003c/strong\u003e The attacker may attempt to exfiltrate sensitive data from the compromised system or network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Possible):\u003c/strong\u003e The attacker may attempt to establish persistence mechanisms to maintain access to the system or network over time.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful account takeover can have significant consequences, including unauthorized access to sensitive data, lateral movement within the network, privilege escalation, and data exfiltration. The rule specifically looks for logon patterns indicative of account takeover. If an account is taken over, attackers could potentially gain access to systems and data the user has rights to access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to your SIEM and tune for your environment, paying close attention to the \u003ccode\u003emax_logon\u003c/code\u003e threshold.\u003c/li\u003e\n\u003cli\u003eEnable Audit Logon within Windows to ensure the events needed for detection are available as mentioned in the setup instructions.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by confirming with the account owner if they logged in from the new source IP.\u003c/li\u003e\n\u003cli\u003eCheck the new source IP for reputation, geography, and whether it is expected as described in the rule\u0026rsquo;s triage steps.\u003c/li\u003e\n\u003cli\u003eCorrelate any generated alerts with other alerts for the same user or source IP such as logon failures, password changes, or MFA changes as part of your investigation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-01-account-takeover-new-source-ip/","summary":"The rule identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different source IP, potentially indicating account takeover or use of stolen credentials from a new location.","title":"Potential Account Takeover - Logon from New Source IP","url":"https://feed.craftedsignal.io/briefs/2024-01-account-takeover-new-source-ip/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike FDR"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","lateral-movement","persistence","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe LocalAccountTokenFilterPolicy is a Windows registry setting that, when enabled (set to 1), allows remote connections from local members of the Administrators group to be granted full high-integrity tokens during negotiation. This bypasses User Account Control (UAC) restrictions, allowing for elevated privileges remotely. Attackers may modify this registry setting to facilitate lateral movement within a network. This rule detects modifications to this specific registry setting, alerting on potential unauthorized changes that could lead to defense evasion and privilege escalation. The modification of this policy has been observed being leveraged in conjunction with pass-the-hash attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system through an exploit, such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains local administrator credentials on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the LocalAccountTokenFilterPolicy registry key to a value of 1. This is done to allow remote connections from local administrator accounts to receive high-integrity tokens. The registry key is typically located at \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a \u0026ldquo;pass the hash\u0026rdquo; attack (T1550.002) using the compromised local administrator credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems within the network using the \u0026ldquo;pass the hash\u0026rdquo; technique and the modified LocalAccountTokenFilterPolicy.\u003c/li\u003e\n\u003cli\u003eDue to the LocalAccountTokenFilterPolicy being enabled, the remote connection from the local administrator account receives a full high-integrity token.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses UAC on the remote system, gaining elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities on the remote system, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the LocalAccountTokenFilterPolicy allows attackers to bypass User Account Control (UAC) and gain elevated privileges on remote systems, potentially leading to unauthorized access to sensitive data, lateral movement across the network, and the deployment of ransomware. The overall impact can include data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eLocal Account TokenFilter Policy Enabled\u003c/code\u003e to your SIEM and tune for your environment to detect unauthorized modifications to the LocalAccountTokenFilterPolicy registry key.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture modifications to the registry, which is required for the \u003ccode\u003eLocal Account TokenFilter Policy Enabled\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview the processes excluded in the rule query and ensure they are legitimate and necessary to prevent false positives.\u003c/li\u003e\n\u003cli\u003eMonitor registry events for changes to the \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy\u003c/code\u003e path, specifically looking for changes to the value data.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-01-02-local-account-token-filter-policy-disabled/","summary":"Adversaries may modify the LocalAccountTokenFilterPolicy registry key to bypass User Account Control (UAC) and gain elevated privileges remotely by granting high-integrity tokens to remote connections from local administrators, facilitating lateral movement and defense evasion.","title":"Local Account TokenFilter Policy Modification for Defense Evasion and Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-02-local-account-token-filter-policy-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","Sysmon","Visual Studio Code"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","vscode","remote-access-tools","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","GitHub","Elastic"],"content_html":"\u003cp\u003eThis detection focuses on identifying the misuse of Visual Studio Code\u0026rsquo;s (VScode) remote tunnel feature to establish unauthorized access or control over systems. While the VScode remote tunnel feature is designed to allow developers to connect to remote environments seamlessly, attackers can abuse this functionality for malicious purposes. The rule specifically looks for the execution of the VScode portable binary with the \u0026ldquo;tunnel\u0026rdquo; command-line option, which is indicative of an attempt to establish a remote tunnel session to either GitHub or a remote VScode instance. Successful exploitation can lead to command and control capabilities, allowing attackers to remotely manage and compromise the affected system. The rule aims to detect this suspicious behavior by monitoring process execution and command-line arguments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker downloads a portable version of Visual Studio Code (VScode) onto the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the VScode binary with the \u003ccode\u003etunnel\u003c/code\u003e command-line argument to initiate a remote tunnel session.\u003c/li\u003e\n\u003cli\u003eThe attacker specifies additional arguments such as \u003ccode\u003e--accept-server-license-terms\u003c/code\u003e to bypass license agreement prompts.\u003c/li\u003e\n\u003cli\u003eThe VScode tunnel attempts to establish a connection to a remote server, potentially a GitHub repository or a remote VScode instance controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eIf successful, the tunnel creates a persistent connection, allowing the attacker to execute commands and transfer files.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established tunnel to remotely access the compromised system, enabling them to perform malicious activities such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access through the established tunnel, allowing for long-term command and control of the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish a persistent command and control channel, enabling them to remotely manage the compromised system. This can lead to data theft, deployment of ransomware, or further lateral movement within the network. While the number of potential victims and specific sectors targeted are not explicitly stated, the widespread use of VScode makes a wide range of organizations vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Attempt to Establish VScode Remote Tunnel\u0026rdquo; rule to detect suspicious VScode tunnel activity in your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to capture the necessary process execution data.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the rule, focusing on the command-line arguments and process behaviors to confirm malicious intent.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from VScode processes for unusual or unauthorized connections to external servers.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate uses of VScode\u0026rsquo;s tunnel feature by authorized developers to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-09-vscode-tunnel/","summary":"The rule detects the execution of the VScode portable binary with the tunnel command line option, potentially indicating an attempt to establish a remote tunnel session to Github or a remote VScode instance for unauthorized access and command and control.","title":"Detection of VScode Remote Tunneling for Command and Control","url":"https://feed.craftedsignal.io/briefs/2024-09-vscode-tunnel/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["execution","command-shell","rundll32"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eAttackers commonly abuse RunDLL32, a legitimate Windows utility, to execute malicious code by hosting it within DLLs. This technique allows adversaries to launch command shells like cmd.exe or PowerShell, effectively bypassing traditional security controls. Defenders should be aware of this technique because it provides a stealthy way for attackers to execute arbitrary commands, potentially leading to further compromise of the system. This activity is detected by monitoring for command shells initiated by RunDLL32, while excluding known benign patterns to reduce false positives. The detection rule was last updated on 2026/05/04 and supports multiple data sources, including Elastic Defend, Microsoft Defender XDR, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through an exploit or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker uses RunDLL32.exe to execute a malicious DLL.\u003c/li\u003e\n\u003cli\u003eRunDLL32.exe loads the specified DLL into memory.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL contains code to execute a command shell (cmd.exe or powershell.exe).\u003c/li\u003e\n\u003cli\u003eRunDLL32.exe spawns a command shell process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the command shell to execute commands for reconnaissance.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the command shell to download additional payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the command shell to perform lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary commands on the compromised system. While the rule is rated \u0026ldquo;low\u0026rdquo; severity, this initial access can lead to credential access (T1552) and further lateral movement within the network. Attackers can potentially gain full control of the system, leading to data theft, system disruption, or other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Command Shell Activity Started via RunDLL32\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to provide the necessary data for this detection.\u003c/li\u003e\n\u003cli\u003eReview the process details of RunDLL32.exe to confirm the parent-child relationship with the command shell, helping to reduce false positives.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring for rundll32.exe and related processes to detect similar activities in the future and improve response times.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-rundll32-cmd-shell/","summary":"This rule detects command shell activity, such as cmd.exe or powershell.exe, initiated by RunDLL32, a technique commonly abused by attackers to execute malicious code and bypass security controls.","title":"Command Shell Activity Started via RunDLL32","url":"https://feed.craftedsignal.io/briefs/2026-05-rundll32-cmd-shell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","sentinel_one_cloud_funnel","crowdstrike.fdr"],"_cs_severities":["high"],"_cs_tags":["container-escape","privilege-escalation","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection rule monitors for a specific sequence of commands on Linux systems that could indicate an attempt to escape a containerized environment. The attack involves first mounting a file system, typically targeting the host\u0026rsquo;s root file system, and then using the \u003ccode\u003echroot\u003c/code\u003e command to change the root directory. This combination, if successful, allows an attacker inside a container to gain unauthorized access to the host system. The rule is designed to identify this uncommon behavior pattern, which is a strong indicator of malicious activity. The rule is applicable to environments utilizing Elastic Defend, SentinelOne Cloud Funnel, and Crowdstrike FDR. The detection looks for this sequence occurring within a 5-minute timeframe.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a container, possibly through exploiting a vulnerability or misconfiguration in the application running within the container.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to mount the host\u0026rsquo;s root filesystem within the container using the \u003ccode\u003emount\u003c/code\u003e command, often targeting \u003ccode\u003e/dev/sd*\u003c/code\u003e devices. This requires sufficient privileges within the container, or the exploitation of a container escape vulnerability to gain such privileges.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emount\u003c/code\u003e command is executed with arguments specifying the device to mount and the mount point within the container\u0026rsquo;s file system.\u003c/li\u003e\n\u003cli\u003eThe attacker then executes the \u003ccode\u003echroot\u003c/code\u003e command, changing the root directory of the current process to the mounted host\u0026rsquo;s root filesystem.\u003c/li\u003e\n\u003cli\u003eAfter successfully executing \u003ccode\u003echroot\u003c/code\u003e, the attacker\u0026rsquo;s perspective shifts to the host\u0026rsquo;s file system, allowing them to access and modify sensitive files and configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses their newly acquired access to install backdoors, create new user accounts with elevated privileges, or modify system configurations to establish persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to move laterally to other containers or systems within the network, leveraging their compromised position on the host.\u003c/li\u003e\n\u003cli\u003eThe final objective is to gain complete control over the host system and potentially the entire infrastructure, leading to data exfiltration, system disruption, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful container escape can have severe consequences, potentially leading to complete compromise of the host system and the data it contains. Depending on the environment, this could affect a single server or spread to many hosts. The compromise of containerized environments can lead to data breaches, service disruption, and reputational damage. Given the sensitive nature of data often processed within containers, the impact can range from financial losses to regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect potential container escapes.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend integration to collect process data, and ensure Session View data is enabled to enhance visibility as mentioned in the setup guide.\u003c/li\u003e\n\u003cli\u003eReview and harden container configurations to minimize privileges granted to containerized processes, reducing the attack surface for escape attempts.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential for lateral movement following a successful container escape.\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for unusual mount and chroot command sequences within container environments using Elastic Defend, SentinelOne, and Crowdstrike logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:45:21Z","date_published":"2026-05-02T12:45:21Z","id":"/briefs/2024-01-chroot-container-escape/","summary":"The rule detects a potential chroot container escape via mount, which involves a user within a container mounting the host's root file system and using chroot to escape the containerized environment, indicating a privilege escalation attempt.","title":"Potential Chroot Container Escape via Mount","url":"https://feed.craftedsignal.io/briefs/2024-01-chroot-container-escape/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Auditd Manager"],"_cs_severities":["high"],"_cs_tags":["container-escape","privilege-escalation","linux","chroot"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies instances of the \u003ccode\u003echroot\u003c/code\u003e command being executed within a Linux containerized environment. It leverages process execution telemetry from Elastic Defend and Auditd Manager to detect potential container escape attempts. The rule focuses on processes where the name is \u003ccode\u003echroot\u003c/code\u003e or the command-line arguments contain \u003ccode\u003echroot\u003c/code\u003e. Container context is determined by identifying processes with a title matching \u003ccode\u003erunc init\u003c/code\u003e, a container workload entry leader, or \u003ccode\u003erunc\u003c/code\u003e as the parent process. Successful container escapes can allow attackers to gain unauthorized access to the host system. The technique is often combined with sensitive host mounts, which are then leveraged after the \u003ccode\u003echroot\u003c/code\u003e to access files and processes outside the container.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a container, potentially through exploiting a vulnerability in the containerized application.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies sensitive host mounts within the container\u0026rsquo;s filesystem, such as \u003ccode\u003e/host\u003c/code\u003e, \u003ccode\u003e/proc/1/root\u003c/code\u003e, or other unexpected node paths.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003echroot\u003c/code\u003e command, specifying an alternate root filesystem, typically a host-linked mount.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003echroot\u003c/code\u003e command redirects system calls to the new root filesystem, effectively isolating the attacker from the container\u0026rsquo;s original environment.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the new root filesystem to access files, directories, and processes on the host system outside the container\u0026rsquo;s boundaries.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt to escalate privileges by exploiting vulnerabilities in host system services or binaries.\u003c/li\u003e\n\u003cli\u003eThe attacker may install malware or establish persistence mechanisms on the host system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised host system to pivot to other systems on the network or to exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful container escape can lead to full compromise of the underlying host system, potentially impacting all containers running on the same host. This can enable attackers to access sensitive data, disrupt services, and move laterally within the network. In multi-tenant environments, a container escape can compromise the security of other tenants sharing the same infrastructure. A single successful container escape can lead to a widespread breach impacting numerous systems and applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eChroot Execution in Container Context\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable process execution telemetry from Elastic Defend and Auditd Manager on Linux to ensure the required data is available for detection.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine if the \u003ccode\u003echroot\u003c/code\u003e execution was authorized and the target directory is an internal build root versus a host filesystem mount.\u003c/li\u003e\n\u003cli\u003eMonitor for follow-on shell execution, access to the container runtime socket, or kubelet credential paths, as these are common indicators of container escape attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:45:21Z","date_published":"2026-05-02T12:45:21Z","id":"/briefs/2026-05-chroot-container-escape/","summary":"Detects suspicious chroot execution within a Linux container context, potentially indicating a container escape attempt by pivoting to an alternate root filesystem.","title":"Chroot Execution in Container Context on Linux","url":"https://feed.craftedsignal.io/briefs/2026-05-chroot-container-escape/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Endpoint Security"],"_cs_severities":["high"],"_cs_tags":["genai","credential-access","persistence","collection"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAttackers are increasingly leveraging GenAI agents to automate the discovery and exfiltration of sensitive information, including credentials, API keys, and tokens stored within files on compromised systems. The observed activity involves GenAI tools accessing critical files such as cloud credentials, SSH keys, browser password databases, and shell configuration files. Successful exploitation allows attackers to harvest credentials, gain unauthorized access to systems, and establish persistence mechanisms for continued access. The GenAI tools mentioned include ollama, textgen, lmstudio, claude, cursor, copilot, codex, jan, gpt4all, gemini-cli, genaiscript, grok, qwen, koboldcpp, llama-server, windsurf, zed, opencode, and goose. This activity highlights the emerging threat landscape of AI-assisted attacks and the need for robust detection and mitigation strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of a system through an unrelated vulnerability or social engineering.\u003c/li\u003e\n\u003cli\u003eInstallation or execution of a GenAI tool (e.g., ollama, lmstudio) on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe GenAI tool is configured or instructed to scan the file system for sensitive files.\u003c/li\u003e\n\u003cli\u003eThe GenAI tool accesses files containing credentials, such as \u003ccode\u003e.aws/credentials\u003c/code\u003e, browser password databases (\u003ccode\u003eLogin Data\u003c/code\u003e, \u003ccode\u003ekey3.db\u003c/code\u003e), or SSH keys (\u003ccode\u003e.ssh/id_*\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe GenAI tool exfiltrates the harvested credentials and API keys to a remote server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to gain unauthorized access to cloud resources, internal systems, or other sensitive accounts.\u003c/li\u003e\n\u003cli\u003eThe GenAI tool attempts to modify shell configuration files (e.g., \u003ccode\u003e.bashrc\u003c/code\u003e, \u003ccode\u003e.zshrc\u003c/code\u003e) to establish persistence.\u003c/li\u003e\n\u003cli\u003eUpon system restart or user login, the modified shell configuration executes malicious commands, granting the attacker persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this threat can lead to significant data breaches, unauthorized access to critical systems, and persistent compromise of affected environments. Attackers can leverage stolen credentials to escalate privileges, move laterally within the network, and exfiltrate sensitive data. The number of victims and sectors targeted are currently unknown, but the potential impact is widespread given the increasing adoption of GenAI tools in various industries. Credential theft leads to financial loss, intellectual property theft, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;GenAI Process Accessing Sensitive Files\u0026rdquo; to your SIEM to detect GenAI tools accessing sensitive files on endpoints.\u003c/li\u003e\n\u003cli\u003eEnable file access monitoring on systems where GenAI tools are used to capture access events for analysis.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of GenAI tools within the environment, especially concerning access to sensitive file paths.\u003c/li\u003e\n\u003cli\u003eMonitor for modifications to shell configuration files (e.g., \u003ccode\u003e.bashrc\u003c/code\u003e, \u003ccode\u003e.zshrc\u003c/code\u003e, \u003ccode\u003e.profile\u003c/code\u003e) as an indicator of persistence attempts.\u003c/li\u003e\n\u003cli\u003eImplement regular credential rotation policies to minimize the impact of stolen credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T22:46:51Z","date_published":"2026-05-01T22:46:51Z","id":"/briefs/2024-12-15-genai-sensitive-file-access/","summary":"This threat brief details the detection of GenAI tools accessing sensitive files containing credentials, SSH keys, browser data, and shell configurations, indicating potential credential harvesting and persistence attempts by attackers leveraging GenAI agents.","title":"GenAI Tools Accessing Sensitive Files for Credential Access and Persistence","url":"https://feed.craftedsignal.io/briefs/2024-12-15-genai-sensitive-file-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["high"],"_cs_tags":["credential-access","kerberos","spn-spoofing","dns","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies a specific pattern in DNS queries indicative of Kerberos SPN spoofing, a technique used to coerce systems into authenticating to attacker-controlled hosts. The pattern \u0026ldquo;UWhRCA\u0026hellip;BAAAA\u0026rdquo; represents a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers exploit this by crafting malicious DNS names to trick victim systems into requesting Kerberos tickets for legitimate services, often their own identity, but directed towards an attacker-controlled endpoint. This can lead to Kerberos relay or NTLM reflection/relay attacks, bypassing normal NTLM fallback mechanisms. The technique is associated with tools like RemoteKrbRelay and wspcoerce. This activity has been observed in various attacks targeting Windows environments where Kerberos authentication is prevalent. Defenders need to detect and mitigate this early stage of credential access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a target Windows system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker sets up a malicious server to receive coerced authentication requests.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious DNS query containing a base64-encoded blob \u0026ldquo;UWhRCA\u0026hellip;BAAAA\u0026rdquo; representing a marshaled CREDENTIAL_TARGET_INFORMATION structure.\u003c/li\u003e\n\u003cli\u003eThe victim system, triggered by an external factor (e.g., RPC call, scheduled task, or web request), attempts to resolve the crafted DNS name.\u003c/li\u003e\n\u003cli\u003eThe malicious DNS query is sent to the DNS server, which resolves to the attacker\u0026rsquo;s server.\u003c/li\u003e\n\u003cli\u003eThe victim system initiates a Kerberos authentication request to the attacker\u0026rsquo;s server, believing it to be a legitimate service.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server relays the Kerberos ticket or uses NTLM reflection/relay techniques to gain unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker compromises the victim system or pivots to other systems within the network using the stolen credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to credential compromise, lateral movement, and domain takeover. Victims in Active Directory environments are particularly vulnerable. The impact includes unauthorized access to sensitive data, disruption of services, and potential ransomware deployment. If the coerced service has high privileges, the attacker can gain complete control over the compromised system or even the entire domain. Organizations using Kerberos authentication are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Potential Kerberos SPN Spoofing via Suspicious DNS Query\u0026rdquo; rule to your SIEM and tune for your environment to detect malicious DNS queries.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 22 - DNS Query logging to provide the necessary data for detection.\u003c/li\u003e\n\u003cli\u003eInvestigate and block any DNS queries resolving to external IPs that contain the \u0026ldquo;UWhRCA\u0026hellip;BAAAA\u0026rdquo; pattern.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for processes initiating DNS queries containing the suspicious pattern, specifically looking for known coercion tools.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of lateral movement if a system is compromised.\u003c/li\u003e\n\u003cli\u003eReview and harden Kerberos configurations to prevent SPN spoofing and relay attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T17:31:25Z","date_published":"2026-05-01T17:31:25Z","id":"/briefs/2024-10-kerberos-spn-spoofing-dns/","summary":"Detects suspicious DNS queries containing a base64-encoded blob, indicating potential Kerberos coercion attacks and SPN spoofing via DNS to coerce authentication to attacker-controlled hosts, enabling Kerberos or NTLM relay attacks.","title":"Potential Kerberos SPN Spoofing via Suspicious DNS Query","url":"https://feed.craftedsignal.io/briefs/2024-10-kerberos-spn-spoofing-dns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Auditd Manager"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","linux","auditd"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies potential privilege escalation attempts on Linux systems by monitoring for processes with a root effective user ID (EUID) but a non-root real user ID (RUID), combined with the use of the \u003ccode\u003e-p\u003c/code\u003e flag (commonly used to preserve privileges in shells like bash or dash) and execution from a non-standard path (outside of \u003ccode\u003e/bin\u003c/code\u003e, \u003ccode\u003e/sbin\u003c/code\u003e, \u003ccode\u003e/usr/bin\u003c/code\u003e, etc.).  Attackers may copy or link setuid-capable shells or similar helpers into writable locations to regain a root context after local exploitation. This behavior is often associated with post-exploitation activities where attackers attempt to maintain or regain elevated privileges.  The rule relies on Auditd data to provide visibility into process execution events and user context. The original rule was published on 2026-04-24 by Elastic.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system with limited privileges (e.g., through exploiting a vulnerability or using stolen credentials).\u003c/li\u003e\n\u003cli\u003eAttacker identifies a writable directory outside of standard system binary paths (e.g., \u003ccode\u003e/tmp\u003c/code\u003e, \u003ccode\u003e/var/tmp\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker copies or creates a symbolic link to a setuid-capable shell (e.g., \u003ccode\u003e/bin/bash\u003c/code\u003e, \u003ccode\u003e/bin/dash\u003c/code\u003e) into the identified writable directory. This copied shell retains the setuid bit.\u003c/li\u003e\n\u003cli\u003eAttacker executes the copied or linked shell from the non-standard path with the \u003ccode\u003e-p\u003c/code\u003e flag (e.g., \u003ccode\u003e/tmp/bash -p\u003c/code\u003e). The \u003ccode\u003e-p\u003c/code\u003e flag instructs the shell to preserve privileges, effectively running with the effective user ID (EUID) of root.\u003c/li\u003e\n\u003cli\u003eAuditd logs this process execution event, capturing the non-standard path, the use of the \u003ccode\u003e-p\u003c/code\u003e flag, the root EUID, and the non-root RUID.\u003c/li\u003e\n\u003cli\u003eThe detection rule identifies the process execution event based on the criteria outlined above.\u003c/li\u003e\n\u003cli\u003eAttacker now has a root shell and can perform administrative tasks, install malware, or further compromise the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful privilege escalation attack can grant an attacker complete control over the compromised system. This allows them to access sensitive data, install malicious software, modify system configurations, and potentially pivot to other systems on the network. This can lead to data breaches, system downtime, and significant financial losses.  The risk score for this type of activity is considered high due to the potential for significant impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePotential Root Effective Shell from Non-Standard Path via Auditd\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnsure that Auditd Manager or Auditbeat is properly configured to collect process execution events with relevant fields (\u003ccode\u003eevent.action\u003c/code\u003e, \u003ccode\u003euser.id\u003c/code\u003e, \u003ccode\u003euser.effective.id\u003c/code\u003e, \u003ccode\u003eprocess.args\u003c/code\u003e, and \u003ccode\u003eprocess.executable\u003c/code\u003e) as described in the rule setup to enable the rule to function correctly.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule by inspecting \u003ccode\u003eprocess.executable\u003c/code\u003e, \u003ccode\u003eprocess.args\u003c/code\u003e, \u003ccode\u003eprocess.parent\u003c/code\u003e, and the full command line reconstructed in audit logs.\u003c/li\u003e\n\u003cli\u003eRegularly audit all setuid binaries on the filesystem to identify any unauthorized or malicious setuid executables.\u003c/li\u003e\n\u003cli\u003eImplement access controls and file integrity monitoring to prevent unauthorized modification of system binaries and writable directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T09:51:29Z","date_published":"2026-05-01T09:51:29Z","id":"/briefs/2024-01-potential-root-effective-shell/","summary":"This rule identifies process execution events where the effective user is root while the real user is not, the process arguments include the privileged shell flag commonly associated with setuid-capable shells, and the executable path is outside standard system binary directories, indicating potential privilege escalation.","title":"Potential Root Effective Shell from Non-Standard Path via Auditd","url":"https://feed.craftedsignal.io/briefs/2024-01-potential-root-effective-shell/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-31431"}],"_cs_exploited":false,"_cs_products":["Auditbeat","Auditd Manager"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","linux","vulnerability","cve-2026-31431"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eCVE-2026-31431, dubbed Copy Fail, is a Linux kernel vulnerability that allows an attacker to write controlled bytes into the page cache of a readable file by abusing the \u003ccode\u003eauthencesn\u003c/code\u003e AEAD path through AF_ALG and \u003ccode\u003esplice()\u003c/code\u003e. Public exploitation targets setuid-root binaries such as \u003ccode\u003e/usr/bin/su\u003c/code\u003e, then executes the corrupted in-memory copy to gain root. The vulnerability lies in the shared host page cache, making container-originated activity a possible node-compromise attempt. This exploit leverages the AF_ALG interface, which, while uncommon for unprivileged users, may be used in specific environments like kernel crypto testing or HSM integrations. Defenders should prioritize patching vulnerable kernels and restricting AF_ALG socket creation for untrusted workloads to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unprivileged user initiates multiple AF_ALG socket creation events (auditd.data.syscall == \u0026ldquo;socket\u0026rdquo; and auditd.data.a0 == \u0026ldquo;26\u0026rdquo;) or splice operations.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the vulnerability to corrupt the page cache of a setuid-root binary, such as \u003ccode\u003e/usr/bin/su\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the targeted setuid-root binary (e.g., \u003ccode\u003e/usr/bin/su\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDue to the corrupted page cache, the executed binary behaves in an unexpected manner, leading to a privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe process transitions to a root UID, indicating successful privilege escalation.\u003c/li\u003e\n\u003cli\u003eA root shell is spawned, providing the attacker with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions requiring root privileges, such as creating persistence mechanisms or accessing sensitive credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker potentially compromises the entire host or node, especially in containerized environments.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31431 leads to privilege escalation, allowing attackers to gain root access on the affected Linux system. This can result in complete system compromise, data exfiltration, and the ability to install malware or create persistent backdoors. In containerized environments, a compromised container can lead to node compromise, affecting other containers running on the same host. The vulnerability affects systems running vulnerable kernel versions, potentially impacting a wide range of servers and workstations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket - Socket Creation Burst\u0026rdquo; to detect initial exploitation attempts based on AF_ALG socket activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket - Privilege Escalation\u0026rdquo; to detect privilege escalation attempts by monitoring executed processes with an effective user ID of root.\u003c/li\u003e\n\u003cli\u003eImmediately patch the kernel with the vendor fix for CVE-2026-31431 to eliminate the underlying vulnerability.\u003c/li\u003e\n\u003cli\u003eUntil patching is possible, consider blocking \u003ccode\u003ealgif_aead\u003c/code\u003e module loading or restricting AF_ALG socket creation via seccomp for untrusted workloads.\u003c/li\u003e\n\u003cli\u003eAdd audit rules for \u003ccode\u003esocket\u003c/code\u003e, \u003ccode\u003esplice\u003c/code\u003e, and \u003ccode\u003ebind\u003c/code\u003e events as described in the rule\u0026rsquo;s Setup instructions to ensure comprehensive monitoring of AF_ALG related syscalls.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T16:24:01Z","date_published":"2026-04-30T16:24:01Z","id":"/briefs/2024-01-cve-2026-31431-exploitation/","summary":"This rule detects potential exploitation of CVE-2026-31431, a Copy Fail vulnerability in the Linux kernel, via AF_ALG socket abuse, by correlating non-root AF_ALG-class socket or splice events with a subsequent process execution where the effective user is root but the login user remains non-root, indicating a privilege escalation attempt.","title":"Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-31431-exploitation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Cloud"],"_cs_severities":["critical"],"_cs_tags":["Domain: Identity","Domain: LLM","Use Case: Threat Detection","Use Case: Identity and Access Audit","Resources: Investigation Guide","Rule Type: Higher-Order Rule"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis Elastic Security rule, designed for Elastic Cloud deployments 9.3.0 and later, leverages an Elastic Managed LLM to analyze correlated security alerts and identify potentially compromised user accounts. The rule aggregates alerts associated with a single user, examining patterns, MITRE ATT\u0026amp;CK tactic progression, unusual geographic locations, and multi-host activity. The LLM then provides a verdict (compromised, benign, or suspicious) and a confidence score. It aims to reduce analyst workload by surfacing users exhibiting indicators of credential theft or unauthorized access and is intended to be used in conjunction with other detection mechanisms to provide a higher-order analysis.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eMultiple security alerts are triggered across various data sources, such as endpoint activity, network traffic, and authentication logs.\u003c/li\u003e\n\u003cli\u003eAlerts are aggregated and correlated by user.name and user.id, filtering out system accounts and noisy rule types.\u003c/li\u003e\n\u003cli\u003eThe rule extracts key alert details, including rule names, threat tactics, techniques, affected hosts, source IPs, and event datasets.\u003c/li\u003e\n\u003cli\u003eAn alert summary is constructed, including the user\u0026rsquo;s name, email, number of alerts, distinct rules triggered, affected hosts, time window, and maximum risk score.\u003c/li\u003e\n\u003cli\u003eThe LLM analyzes the alert summary, considering multi-host activity, credential access alerts, unusual source IPs, and tactic progression.\u003c/li\u003e\n\u003cli\u003eThe LLM provides a verdict (TP, FP, or SUSPICIOUS), a confidence score, and a brief summary explaining the assessment.\u003c/li\u003e\n\u003cli\u003eThe rule filters results to surface only compromised or suspicious accounts with a confidence score above 0.7.\u003c/li\u003e\n\u003cli\u003eECS fields are mapped for timeline visibility and alert exclusion and the analyst is presented with a high-confidence alert.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using compromised credentials can lead to unauthorized access to sensitive data, lateral movement within the network, and potentially data exfiltration or ransomware deployment. This detection rule helps to quickly identify compromised user accounts, allowing security teams to respond promptly and prevent further damage. The rule reduces the amount of time analysts spend manually triaging alerts and helps them prioritize high-risk users based on an LLM\u0026rsquo;s assessment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure that your Elastic Cloud deployment is running version 9.3.0 or later to leverage the ES|QL COMPLETION command with Elastic\u0026rsquo;s managed LLM.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eEsql.summary\u003c/code\u003e field in the generated alerts to understand the LLM\u0026rsquo;s assessment of why the user was flagged.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts where the \u003ccode\u003eEsql.confidence\u003c/code\u003e score is above 0.9, as these indicate strong indicators of compromise.\u003c/li\u003e\n\u003cli\u003eExamine the \u003ccode\u003eEsql.kibana_alert_rule_name_values\u003c/code\u003e and \u003ccode\u003eEsql.kibana_alert_rule_threat_tactic_name_values\u003c/code\u003e to understand which detection rules triggered and what MITRE ATT\u0026amp;CK tactics were observed.\u003c/li\u003e\n\u003cli\u003eUse the provided investigation steps in the rule\u0026rsquo;s note to conduct a thorough investigation, checking for unusual login times, locations, password resets, and MFA changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T17:17:03Z","date_published":"2026-04-28T17:17:03Z","id":"/briefs/2024-05-llm-compromised-user/","summary":"This rule correlates multiple security alerts involving the same user, analyzes them with an LLM, and flags potentially compromised accounts based on MITRE tactics, geographic anomalies, and multi-host activity, helping analysts prioritize users exhibiting indicators of credential theft or unauthorized access.","title":"LLM-Based Compromised User Triage","url":"https://feed.craftedsignal.io/briefs/2024-05-llm-compromised-user/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend","Windows Defender Application Control","Crowdstrike FDR","Sysmon"],"_cs_severities":["high"],"_cs_tags":["wdac","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers are increasingly targeting Windows Defender Application Control (WDAC) to disable or weaken endpoint defenses. By crafting malicious WDAC policies, adversaries can block legitimate security software and evade detection. This technique involves creating WDAC policy files (.p7b or .cip) in protected system directories using unauthorized processes. The activity often occurs when attackers have already gained a foothold in the system and are attempting to solidify their position. Successful deployment of a malicious WDAC policy can significantly hinder incident response and allow malware to operate undetected. This tactic has gained traction since late 2024, with offensive tools like Krueger demonstrating the potential for weaponizing WDAC against EDR solutions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the system through methods such as phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker escalates privileges to gain administrative access, which is required to modify WDAC policies.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Creation:\u003c/strong\u003e The attacker crafts a malicious WDAC policy using tools or scripts. This policy is designed to block specific security products or processes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStaging:\u003c/strong\u003e The malicious policy is staged in a temporary location on the system, often within user-writable directories.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Placement:\u003c/strong\u003e The attacker moves the malicious WDAC policy file (.p7b or .cip) to a protected system directory, such as \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\\u003c/code\u003e or \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\CiPolicies\\Active\\\u003c/code\u003e. The tool used may be a Living-off-the-Land Binary (LOLBin) or a custom .NET assembly.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eActivation:\u003c/strong\u003e The attacker triggers the activation of the new WDAC policy, which often requires a system reboot or the use of a service control utility.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e Once the policy is active, the targeted security products are blocked, allowing the attacker to operate with reduced risk of detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Objectives:\u003c/strong\u003e With defenses weakened, the attacker can move laterally within the network, exfiltrate data, or achieve other objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack targeting WDAC can severely impair an organization\u0026rsquo;s ability to detect and respond to threats. By blocking security software, attackers can operate with impunity, leading to data breaches, financial losses, and reputational damage. Observed damage includes disabled endpoint detection and response (EDR) solutions, allowing ransomware and other malware to execute without interference. The scope of impact can range from individual workstations to entire domains, depending on the breadth of the WDAC policy deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;WDAC Policy File by an Unusual Process\u0026rdquo; Sigma rule to your SIEM to detect unauthorized WDAC policy modifications.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events with extensions .p7b and .cip in \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\\u003c/code\u003e and \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\CiPolicies\\Active\\\u003c/code\u003e directories, specifically filtering for processes other than \u003ccode\u003epoqexec.exe\u003c/code\u003e, \u003ccode\u003eTiWorker.exe\u003c/code\u003e, and \u003ccode\u003eomadmclient.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) logging to capture file creation events and provide the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies on WDAC policy directories to prevent unauthorized modification.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T12:00:00Z","date_published":"2024-11-02T12:00:00Z","id":"/briefs/2024-11-wdac-policy-evasion/","summary":"Adversaries may use a specially crafted Windows Defender Application Control (WDAC) policy to restrict the execution of security products, detected by unusual process creation of WDAC policy files.","title":"WDAC Policy File Creation by Unusual Process","url":"https://feed.craftedsignal.io/briefs/2024-11-wdac-policy-evasion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","persistence","defense-evasion","suid","sgid"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThe SUID (Set User ID) and SGID (Set Group ID) bits are file permission mechanisms in Unix-like operating systems that allow a program to be executed with the privileges of the file\u0026rsquo;s owner or group, respectively. While intended for legitimate purposes, such as allowing users to perform specific administrative tasks, they can be abused by attackers to escalate privileges. Attackers can exploit misconfigured SUID/SGID binaries to gain elevated access or persistence. This detection focuses on identifying processes running with root privileges (UID/GID 0) but initiated by non-root users, flagging potential misuse of SUID/SGID permissions on Linux systems monitored by Elastic Defend. This can indicate an attacker attempting to exploit a misconfiguration in order to escalate their privileges to root, or establish a backdoor for persistence.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux system via some vulnerability or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies binaries with SUID/SGID bits set.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a vulnerable SUID/SGID binary, such as \u003ccode\u003efind\u003c/code\u003e or \u003ccode\u003enmap\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe binary executes with root privileges, even though the attacker is a non-root user.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to read sensitive files, modify system configurations, or install malicious software.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to root.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating a new SUID/SGID binary or modifying an existing one.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of SUID/SGID misconfigurations can lead to complete system compromise, as attackers gain root privileges. Attackers can install malware, steal sensitive data, or disrupt critical services. The impact can range from data breaches to denial-of-service attacks. Given the broad range of binaries potentially affected, this vulnerability can impact various sectors and potentially affect a large number of Linux systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003ePrivilege Escalation via SUID/SGID\u003c/code\u003e to your SIEM to detect potential privilege escalation attempts.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend integration to ensure the necessary process execution data is available.\u003c/li\u003e\n\u003cli\u003eRegularly audit SUID/SGID permissions across your Linux systems and remove unnecessary SUID/SGID bits.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by checking \u003ccode\u003eprocess.real_user.id\u003c/code\u003e and \u003ccode\u003eprocess.real_group.id\u003c/code\u003e to determine if non-root users initiated the process.\u003c/li\u003e\n\u003cli\u003eReview the process details, including \u003ccode\u003eprocess.name\u003c/code\u003e and \u003ccode\u003eprocess.args\u003c/code\u003e, to understand the nature of the executed command and its intended function.\u003c/li\u003e\n\u003cli\u003eMonitor system logs for suspicious activity around the time of the alert to identify any related actions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T12:00:00Z","date_published":"2024-11-02T12:00:00Z","id":"/briefs/2024-11-suid-sgid-privilege-escalation/","summary":"Attackers may leverage misconfigured SUID/SGID permissions on Linux systems to escalate privileges to root or establish persistence by executing processes with root privileges initiated by non-root users.","title":"Potential Privilege Escalation via SUID/SGID on Linux","url":"https://feed.craftedsignal.io/briefs/2024-11-suid-sgid-privilege-escalation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Sysmon","Windows Installer"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","msiexec"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne","Microsoft"],"content_html":"\u003cp\u003eAdversaries may abuse the Windows Installer service (msiexec.exe) to proxy the execution of malicious payloads, effectively bypassing application control and other security mechanisms. This technique, known as \u0026ldquo;Msiexec\u0026rdquo; proxy execution (T1218.007), involves using msiexec.exe to execute malicious DLLs or scripts. The detection focuses on identifying child processes spawned by MsiExec, particularly those exhibiting network activity. This behavior is atypical for legitimate software installations and updates, making it a strong indicator of potential malicious use. Defenders should be aware of this technique as it allows attackers to blend in with legitimate system processes. The Elastic detection rule, updated on 2026-05-04, aims to identify this suspicious activity across multiple data sources including Elastic Defend, Sysmon, and SentinelOne.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system through an exploit or social engineering.\u003c/li\u003e\n\u003cli\u003eAttacker leverages msiexec.exe to execute a malicious MSI package with a \u003ccode\u003e/v\u003c/code\u003e parameter, commonly used to pass verbose logging options, potentially hiding malicious commands.\u003c/li\u003e\n\u003cli\u003eThe malicious MSI package contains custom actions that execute arbitrary code.\u003c/li\u003e\n\u003cli\u003eMsiexec.exe spawns a child process (e.g., powershell.exe, cmd.exe, or another executable) to carry out malicious actions.\u003c/li\u003e\n\u003cli\u003eThe child process establishes a network connection to an external server or performs DNS lookups, possibly for command and control (C2) communication or to download additional payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the network connection to download and execute further tools or scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe final objective could be data exfiltration, ransomware deployment, or persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass application control and execute arbitrary code on the system. This can lead to malware installation, data theft, or complete system compromise. While the exact number of victims is not specified in the provided source, the technique can be applied across various sectors. The impact can range from individual workstation compromises to large-scale breaches affecting entire organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMsiExec Child Process with Unusual Executable and Network Connection\u003c/code\u003e to detect suspicious msiexec.exe child processes initiating network connections based on unusual executable paths.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) and network connection logging (Event ID 3) to provide the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rules, focusing on the process tree, command-line arguments, and network destinations.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate software installations and automated deployment tools that use MsiExec and require network access to minimize false positives, as detailed in the \u0026ldquo;False positive analysis\u0026rdquo; section of the source material.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-26T12:00:00Z","date_published":"2024-10-26T12:00:00Z","id":"/briefs/2024-10-msiexec-network-connection/","summary":"Detection of MsiExec spawning child processes that initiate network connections, potentially indicating abuse of Windows Installers for malware delivery and defense evasion.","title":"MsiExec Child Process Spawning Network Connections for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-10-msiexec-network-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","hide-artifacts","alternate-data-stream"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies the creation or execution of Alternate Data Streams (ADS) within the root directory of a volume on Windows systems. Attackers leverage this technique to conceal malicious tools or data, as ADSs created in this manner are not easily discoverable by standard system utilities. This method allows for the persistence and execution of malware while evading typical detection mechanisms. This rule is designed for data generated by Elastic Defend, Microsoft Defender XDR, and SentinelOne Cloud Funnel, providing broad coverage across different endpoint security solutions. Monitoring for ADS activity at the volume root is crucial to identify potential defense evasion attempts and hidden malicious payloads.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script or program (e.g., PowerShell) to create a hidden ADS at the root of a volume (e.g., \u003ccode\u003eC:\\:evil.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe ADS is populated with malicious code, such as a reverse shell or malware payload.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a command-line tool or script to execute the hidden ADS file. For example: \u003ccode\u003ewmic process call create \u0026quot;cmd.exe /c start C:\\:evil.exe\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious code within the ADS executes, allowing the attacker to perform unauthorized actions, such as data exfiltration or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the hidden ADS to maintain persistence on the system, ensuring continued access even after reboots.\u003c/li\u003e\n\u003cli\u003eThe attacker further leverages the compromised system to move laterally within the network, compromising additional systems and escalating privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to hide malicious tools and maintain persistence on compromised systems. The creation of ADSs at the volume root directory makes it difficult for administrators and security tools to detect the presence of malware. This can lead to prolonged compromise, data breaches, and significant disruption of business operations. The rule has a risk score of 47, and a medium severity is applied.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect ADS creation and execution at the volume root directory.\u003c/li\u003e\n\u003cli\u003eEnable logging for file creation events (Sysmon Event ID 11) and process creation events (Sysmon Event ID 1) for enhanced visibility into ADS activity.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rules to determine the legitimacy of ADS creation or execution, focusing on processes and file paths that match the \u003ccode\u003e[A-Z]:\\\\:.+\u003c/code\u003e regex pattern in the rule query.\u003c/li\u003e\n\u003cli\u003eRegularly scan systems for hidden ADS files using specialized tools to uncover any potential malicious files.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized applications and prevent the creation of malicious ADSs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-08T12:00:00Z","date_published":"2024-07-08T12:00:00Z","id":"/briefs/2024-07-root-dir-ads-creation/","summary":"Detection of Alternate Data Stream (ADS) creation at a volume root directory, a technique used to hide malware and tools by exploiting how ADSs in root directories are not readily visible to standard system utilities, indicating a defense evasion attempt.","title":"Alternate Data Stream Creation/Execution at Volume Root Directory","url":"https://feed.craftedsignal.io/briefs/2024-07-root-dir-ads-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","execution","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThe detection rule identifies the loading of unusual DLLs by the Windows DNS Server process (dns.exe), potentially indicating the abuse of the ServerLevelPluginDll functionality, as described in public research and proof-of-concept code. This technique allows attackers to load arbitrary DLLs into the DNS service, leading to privilege escalation and remote code execution with SYSTEM privileges. The rule focuses on detecting unsigned or untrusted DLLs loaded by dns.exe, highlighting potential exploitation attempts and unauthorized modifications to the DNS service. Successful exploitation grants the attacker elevated privileges, allowing them to perform malicious actions on the system. The rule is designed for data generated by Elastic Defend and supports Sysmon Event ID 7 (Image Loaded) as an additional data source.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the DNS Server configuration to enable the loading of server-level plugin DLLs.\u003c/li\u003e\n\u003cli\u003eThe attacker places a malicious, unsigned DLL in a location accessible to the DNS service.\u003c/li\u003e\n\u003cli\u003eThe DNS service (dns.exe) loads the malicious DLL upon startup or configuration change.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes code within the context of the DNS service, inheriting SYSTEM privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the elevated privileges to perform malicious actions, such as installing backdoors or modifying system settings.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by ensuring the malicious DLL is loaded on subsequent system restarts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code with SYSTEM privileges, granting them complete control over the compromised system. This can lead to data theft, system corruption, or the installation of persistent backdoors. The impact includes potential privilege escalation, remote code execution, and complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Unsigned DLL loaded by DNS Service\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnsure Sysmon Event ID 7 (Image Loaded) is enabled to provide the necessary data for the detection rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by reviewing the DLL file path and code signature status.\u003c/li\u003e\n\u003cli\u003eRegularly review and validate the DNS server configuration to ensure that only trusted DLLs are loaded.\u003c/li\u003e\n\u003cli\u003eImplement code signing policies to prevent the loading of unsigned DLLs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T12:00:00Z","date_published":"2024-07-03T12:00:00Z","id":"/briefs/2024-07-unsigned-dns-dll-load/","summary":"The rule identifies the loading of unusual or unsigned DLLs by the DNS Server process, which can indicate exploitation of the ServerLevelPluginDll functionality, potentially leading to privilege escalation and remote code execution with SYSTEM privileges.","title":"Unsigned DLL Loaded by DNS Service","url":"https://feed.craftedsignal.io/briefs/2024-07-unsigned-dns-dll-load/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike FDR","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["credential-access","windows","wbadmin","ntds.dit"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies the execution of \u003ccode\u003ewbadmin.exe\u003c/code\u003e with arguments indicative of an attempt to access and dump the NTDS.dit file from a Windows domain controller. Attackers with sufficient privileges, specifically those belonging to groups like Backup Operators, can abuse the legitimate \u003ccode\u003ewbadmin.exe\u003c/code\u003e utility to create a backup of the Active Directory database (NTDS.dit). This file contains sensitive credential information, and once obtained, attackers can extract password hashes and compromise the entire domain. This activity is often part of a larger attack aimed at gaining persistent access and control over the network. The Elastic detection rule was published on 2024-06-05 and last updated on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the target network. This may be achieved through phishing, exploiting vulnerabilities, or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to obtain membership in the Backup Operators group or a similar privileged group capable of running backups.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewbadmin.exe\u003c/code\u003e with the \u003ccode\u003erecovery\u003c/code\u003e argument, targeting the NTDS.dit file. The command line includes parameters to create a system state backup.\u003c/li\u003e\n\u003cli\u003eWbadmin creates a backup of the system state, including the NTDS.dit file, in a specified location.\u003c/li\u003e\n\u003cli\u003eThe attacker copies the NTDS.dit file from the backup location to a separate location for offline analysis.\u003c/li\u003e\n\u003cli\u003eThe attacker uses tools such as \u003ccode\u003entdsutil.exe\u003c/code\u003e or \u003ccode\u003esecretsdump.py\u003c/code\u003e to extract password hashes from the NTDS.dit file.\u003c/li\u003e\n\u003cli\u003eThe attacker cracks the password hashes or uses them in pass-the-hash attacks to gain access to other systems and resources within the domain.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves domain dominance and persistence, allowing them to control critical systems and data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to dump credentials from the NTDS.dit file, leading to complete compromise of the Active Directory domain. This enables them to move laterally, access sensitive data, and establish persistent control over the environment. The impact can include data breaches, ransomware deployment, and long-term disruption of business operations. The medium risk score indicates that while the attack requires specific privileges, the consequences are significant if successful.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to detect \u003ccode\u003ewbadmin.exe\u003c/code\u003e execution as described in the Attack Chain (Data Source: Windows Security Event Logs, Sysmon).\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect suspicious \u003ccode\u003ewbadmin.exe\u003c/code\u003e execution with NTDS.dit related arguments in your SIEM (Rule: NTDS Dump via Wbadmin).\u003c/li\u003e\n\u003cli\u003eMonitor and restrict membership in privileged groups like Backup Operators to minimize the risk of abuse (Reference: \u003ca href=\"https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960)\"\u003ehttps://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate backup schedules or disaster recovery processes to reduce false positives (False positive analysis).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T10:00:00Z","date_published":"2024-07-03T10:00:00Z","id":"/briefs/2024-07-ntds-dump-wbadmin/","summary":"Attackers with Backup Operator privileges may abuse wbadmin.exe to access the NTDS.dit file, enabling credential dumping and domain compromise.","title":"NTDS Dump via Wbadmin","url":"https://feed.craftedsignal.io/briefs/2024-07-ntds-dump-wbadmin/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Management Console File","Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["execution","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers may exploit Microsoft Management Console (MMC) by executing .msc files from non-standard directories to bypass security controls. This technique can be used for initial access and execution. This detection focuses on identifying the execution of \u003ccode\u003emmc.exe\u003c/code\u003e with \u003ccode\u003e.msc\u003c/code\u003e files from paths outside the typical system directories, which are generally considered trusted. By monitoring process executions and filtering out known legitimate paths, analysts can identify potentially malicious activity related to the misuse of MMC. The rule aims to detect deviations from standard administrative practices that could indicate unauthorized access or command execution via malicious or compromised \u003ccode\u003e.msc\u003c/code\u003e files. The detection logic specifically excludes executions from common directories like \u003ccode\u003eSystem32\u003c/code\u003e, \u003ccode\u003eSysWOW64\u003c/code\u003e, and \u003ccode\u003eProgram Files\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through an unspecified method.\u003c/li\u003e\n\u003cli\u003eThe attacker places a malicious \u003ccode\u003e.msc\u003c/code\u003e file in an unusual or untrusted directory (e.g., \u003ccode\u003eC:\\Users\\Public\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003emmc.exe\u003c/code\u003e with the malicious \u003ccode\u003e.msc\u003c/code\u003e file as an argument from the untrusted path.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emmc.exe\u003c/code\u003e processes the \u003ccode\u003e.msc\u003c/code\u003e file, potentially executing embedded commands or scripts.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003e.msc\u003c/code\u003e file performs unauthorized actions on the system, such as modifying system settings or executing arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the execution context of \u003ccode\u003emmc.exe\u003c/code\u003e to bypass security controls and escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker may establish persistence by creating a scheduled task or modifying registry keys to execute the malicious \u003ccode\u003e.msc\u003c/code\u003e file automatically.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access, command execution, and privilege escalation, potentially compromising the entire system. While specific victim counts or sector targeting are not available, the technique is applicable across various Windows environments. The use of a trusted system binary like \u003ccode\u003emmc.exe\u003c/code\u003e for malicious purposes can evade traditional security measures, making detection more challenging.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eMicrosoft Management Console File from Unusual Path\u003c/code\u003e to detect the execution of \u003ccode\u003emmc.exe\u003c/code\u003e with \u003ccode\u003e.msc\u003c/code\u003e files from untrusted paths.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments to provide the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the origin and content of the \u003ccode\u003e.msc\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eConsider implementing application control policies to restrict the execution of \u003ccode\u003e.msc\u003c/code\u003e files to authorized directories only.\u003c/li\u003e\n\u003cli\u003eReview and audit the use of MMC in the environment to identify any legitimate use cases that might trigger false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T10:00:00Z","date_published":"2024-07-03T10:00:00Z","id":"/briefs/2024-07-mmc-untrusted-path/","summary":"Adversaries may use Microsoft Management Console (MMC) files from untrusted paths to bypass security controls for initial access and execution on Windows systems.","title":"Microsoft Management Console File Execution from Unusual Path","url":"https://feed.craftedsignal.io/briefs/2024-07-mmc-untrusted-path/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Endgame","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","registry-modification","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe DNS Global Query Block List (GQBL) is a Windows security feature designed to prevent the resolution of specific DNS names, commonly exploited in attacks like WPAD spoofing. Attackers who have obtained elevated privileges, such as DNSAdmin, can modify or disable this list to bypass security controls. This allows exploitation of hosts running WPAD with default settings. The modification of the GQBL can be used for privilege escalation and lateral movement within a network. This rule detects changes to the registry values associated with the GQBL, specifically \u0026ldquo;EnableGlobalQueryBlockList\u0026rdquo; and \u0026ldquo;GlobalQueryBlockList.\u0026rdquo; This activity could indicate an attacker attempting to weaken defenses to facilitate further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to obtain DNSAdmin rights.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u0026ldquo;EnableGlobalQueryBlockList\u0026rdquo; registry value to \u0026ldquo;0\u0026rdquo; or \u0026ldquo;0x00000000,\u0026rdquo; effectively disabling the GQBL.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker modifies the \u0026ldquo;GlobalQueryBlockList\u0026rdquo; registry value to remove \u0026ldquo;wpad\u0026rdquo; from the list.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the disabled GQBL to conduct WPAD spoofing attacks, redirecting network traffic to attacker-controlled servers.\u003c/li\u003e\n\u003cli\u003eThe attacker captures user credentials transmitted during WPAD authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the captured credentials to move laterally to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification or disabling of the DNS Global Query Block List can lead to WPAD spoofing attacks, credential theft, lateral movement, and ultimately, complete compromise of the network. Attackers can leverage this technique to gain unauthorized access to sensitive data or systems. The impact includes potential data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRegistry Modification of DNS Global Query Block List\u003c/code\u003e to your SIEM to detect unauthorized changes to the GQBL configuration.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture the necessary events for the Sigma rule to function (reference the logsource in the rule).\u003c/li\u003e\n\u003cli\u003eReview and restrict DNSAdmin privileges to only necessary accounts to minimize the attack surface (reference: Overview section).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual DNS queries or WPAD-related activity, correlating with registry modification events (reference: Attack Chain step 5).\u003c/li\u003e\n\u003cli\u003eRegularly audit registry settings related to DNS configuration, including the GQBL, to identify unauthorized modifications (reference: Attack Chain steps 3 \u0026amp; 4).\u003c/li\u003e\n\u003cli\u003eUpdate security policies and procedures to include specific measures for monitoring and protecting the DNS Global Query Block List (reference: Impact section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T10:00:00Z","date_published":"2024-07-03T10:00:00Z","id":"/briefs/2024-07-dns-gqbl-modified/","summary":"Attackers with DNSAdmin privileges can modify or disable the DNS Global Query Block List (GQBL) in Windows, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.","title":"DNS Global Query Block List Modified or Disabled","url":"https://feed.craftedsignal.io/briefs/2024-07-dns-gqbl-modified/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Endpoint Defense","Windows Defender Advanced Threat Protection","Symantec Endpoint Protection","Endpoint Security","AVDefender","Optics","Padvish AV"],"_cs_severities":["high"],"_cs_tags":["credential-access","regback","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Sophos","Microsoft","Trend Micro","Symantec","Bitdefender","N-able Technologies","Cylance","McAfee","Padvish"],"content_html":"\u003cp\u003eThis detection identifies suspicious attempts to access registry backup hives (SAM, SECURITY, and SYSTEM) located in the \u003ccode\u003eRegBack\u003c/code\u003e folder on Windows systems. These hives contain sensitive credential material, making them attractive targets for attackers seeking to compromise system security. The detection logic focuses on file access events, specifically successful file opens, while excluding known benign processes such as \u003ccode\u003etaskhostw.exe\u003c/code\u003e and various AV/EDR solutions (SophosScanCoordinator.exe, MsSense.exe, ccSvcHst.exe, etc.) to minimize false positives. The rule is designed to provide defenders with high-fidelity alerts when unauthorized access to these critical registry hives is detected. The scope includes any Windows system where endpoint file access logging is enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to access the \u003ccode\u003eSAM\u003c/code\u003e, \u003ccode\u003eSECURITY\u003c/code\u003e, or \u003ccode\u003eSYSTEM\u003c/code\u003e registry hives located in the \u003ccode\u003eC:\\\\Windows\\\\System32\\\\config\\\\RegBack\\\\\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a tool or script to open one or more of these registry hives. This could involve using built-in Windows utilities, scripting languages, or custom-developed tools.\u003c/li\u003e\n\u003cli\u003eIf the attacker successfully opens the \u003ccode\u003eSAM\u003c/code\u003e and \u003ccode\u003eSYSTEM\u003c/code\u003e hives, they can extract user account credentials, including usernames, password hashes, and other sensitive information. The \u003ccode\u003eSECURITY\u003c/code\u003e hive is also useful.\u003c/li\u003e\n\u003cli\u003eThe attacker may stage the registry hive files by copying them to a different location on the system for further analysis or exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker uses credential dumping tools (e.g., Mimikatz, secretsdump.py) or custom scripts to extract credentials from the staged registry hives.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the extracted credentials to escalate privileges, move laterally within the network, or access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe final objective is typically to gain unauthorized access to critical systems, steal sensitive data, or establish long-term persistence within the compromised environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can lead to the compromise of user account credentials, enabling attackers to escalate privileges, move laterally within the network, and gain unauthorized access to sensitive data. The impact can range from data breaches and financial losses to reputational damage and disruption of critical business operations. The number of victims can vary depending on the scope of the attacker\u0026rsquo;s activities and the security posture of the targeted organization. Sectors commonly targeted include finance, healthcare, government, and critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable file access monitoring for the \u003ccode\u003eC:\\\\Windows\\\\System32\\\\config\\\\RegBack\\\\\u003c/code\u003e directory to capture file open events.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRegistry Hive Access via RegBack\u003c/code\u003e to your SIEM and tune the exclusions based on your environment.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eprocess_creation\u003c/code\u003e events for unusual processes accessing files in \u003ccode\u003eC:\\\\Windows\\\\System32\\\\config\\\\RegBack\\\\\u003c/code\u003e, using the rule \u003ccode\u003eSuspicious Process Accessing RegBack Hives\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging and file creation to activate the rules above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-02T12:00:00Z","date_published":"2024-07-02T12:00:00Z","id":"/briefs/2024-07-regback-hive-access/","summary":"This rule detects attempts to access registry backup hives (SAM, SECURITY, SYSTEM) via RegBack on Windows systems, which can contain or enable access to credential material.","title":"Suspicious Registry Hive Access via RegBack","url":"https://feed.craftedsignal.io/briefs/2024-07-regback-hive-access/"},{"_cs_actors":[],"_cs_cves":[{"cvss":10,"id":"CVE-2024-1709"},{"cvss":8.4,"id":"CVE-2024-1708"}],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","ScreenConnect"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","defense-evasion","execution","persistence","screenconnect"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of suspicious activities related to the ScreenConnect remote access tool. ScreenConnect is a legitimate remote support software, but adversaries can exploit it to execute unauthorized commands on compromised systems. This detection identifies suspicious child processes spawned by ScreenConnect client processes, such as \u003ccode\u003eScreenConnect.ClientService.exe\u003c/code\u003e or \u003ccode\u003eScreenConnect.WindowsClient.exe\u003c/code\u003e, which can indicate malicious activities such as spawning PowerShell or cmd.exe with unusual arguments. This activity can indicate potential abuse of remote access capabilities, leading to data exfiltration, command and control communication, or the establishment of persistence mechanisms. Recent exploitation of CVE-2024-1709 and CVE-2024-1708 have highlighted the risk associated with ScreenConnect exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to a system with ScreenConnect installed. This could be achieved through exploiting vulnerabilities like CVE-2024-1709 and CVE-2024-1708, or through credential compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker uses ScreenConnect to connect to the compromised system remotely.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the ScreenConnect interface to execute commands on the remote system.\u003c/li\u003e\n\u003cli\u003eThe attacker spawns a command interpreter, such as \u003ccode\u003ecmd.exe\u003c/code\u003e, using ScreenConnect. This process is a child process of the ScreenConnect client process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ecmd.exe\u003c/code\u003e to execute malicious commands, such as downloading and executing a malicious payload.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker spawns \u003ccode\u003epowershell.exe\u003c/code\u003e with encoded commands or commands to download and execute malicious payloads from a remote server.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating a scheduled task using \u003ccode\u003eschtasks.exe\u003c/code\u003e or creates a new service using \u003ccode\u003esc.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses tools like \u003ccode\u003enet.exe\u003c/code\u003e to modify user accounts or privileges to maintain access to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, installation of malware, and establishment of persistent access to the compromised system. This can result in data theft, disruption of services, and further lateral movement within the network. The number of victims and specific sectors targeted varies depending on the attacker\u0026rsquo;s objectives, but the impact can be significant for organizations relying on ScreenConnect for remote support.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious child processes spawned by ScreenConnect and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for ScreenConnect client processes spawning suspicious child processes like \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003eschtasks.exe\u003c/code\u003e, \u003ccode\u003esc.exe\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003ecurl.exe\u003c/code\u003e, \u003ccode\u003essh.exe\u003c/code\u003e, \u003ccode\u003escp.exe\u003c/code\u003e, \u003ccode\u003ewevtutil.exe\u003c/code\u003e, \u003ccode\u003ewget.exe\u003c/code\u003e, or \u003ccode\u003ewmic.exe\u003c/code\u003e as detailed in the Sigma rules.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to capture the necessary process execution data to activate the rules above.\u003c/li\u003e\n\u003cli\u003eReview and revoke any unauthorized user accounts or privileges that may have been created or modified using tools like \u003ccode\u003enet.exe\u003c/code\u003e as described in the attack chain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-16T16:10:00Z","date_published":"2024-05-16T16:10:00Z","id":"/briefs/2024-05-screenconnect-child-process/","summary":"This rule identifies suspicious child processes spawned by ScreenConnect client processes, potentially indicating unauthorized access and command execution abusing ScreenConnect remote access software to perform malicious activities such as data exfiltration or establishing persistence.","title":"Suspicious ScreenConnect Client Child Process Activity","url":"https://feed.craftedsignal.io/briefs/2024-05-screenconnect-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","process-injection","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eParent process PID spoofing is a defense evasion technique where a process is created with a parent process ID (PPID) that differs from its actual creator. This can be used to circumvent process monitoring tools that rely on accurate parent-child relationships. Adversaries may leverage this technique to disguise malicious processes as legitimate system processes or to elevate privileges by associating malicious activities with trusted processes. The technique involves manipulating process creation APIs to set an arbitrary PPID. The Elastic Defend integration is designed to capture the necessary process telemetry to detect these discrepancies. This activity matters because it can allow attackers to hide their actions and persist on compromised systems undetected. The referenced Elastic detection rule was last updated on 2026/04/30, demonstrating continued relevance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the Windows system (e.g., via phishing or exploit).\u003c/li\u003e\n\u003cli\u003eAttacker executes a malicious process, such as a script or executable.\u003c/li\u003e\n\u003cli\u003eThe malicious process uses API calls (e.g., \u003ccode\u003eCreateProcess\u003c/code\u003e, \u003ccode\u003eNtCreateProcessEx\u003c/code\u003e) to spawn a new process.\u003c/li\u003e\n\u003cli\u003eDuring process creation, the attacker modifies the PPID parameter to spoof a legitimate parent process.\u003c/li\u003e\n\u003cli\u003eThe new process is launched with the spoofed PPID, appearing as a child of the chosen parent.\u003c/li\u003e\n\u003cli\u003eThe spoofed process executes malicious code, potentially downloading additional payloads or establishing command and control.\u003c/li\u003e\n\u003cli\u003eThe adversary leverages the trusted appearance of the spoofed process to evade detection by security tools.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, lateral movement, or persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful parent process PID spoofing can allow attackers to evade detection and maintain persistence on a compromised system. This can lead to data breaches, system compromise, and financial loss. While the number of victims and specific sectors targeted are not specified in the provided source material, the technique is applicable across various sectors and organizations utilizing Windows-based systems. The lack of detection can lead to prolonged dwell time, increasing the potential for significant damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Process Creation with PPID Spoofing\u003c/code\u003e to your SIEM to identify potential parent process PID spoofing attempts based on process telemetry data.\u003c/li\u003e\n\u003cli\u003eEnable and monitor process creation events with parent-child relationships using Elastic Defend to capture the necessary data for the provided rule.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule by examining the process tree and verifying the legitimacy of parent-child relationships as outlined in the rule\u0026rsquo;s description.\u003c/li\u003e\n\u003cli\u003eConfigure endpoint detection and response (EDR) solutions to identify and block suspicious processes spawned by common exploitation vectors like Office applications and script hosts, as these are often associated with PPID spoofing.\u003c/li\u003e\n\u003cli\u003eReview and tune the Sigma rule, specifically the \u003ccode\u003eprocess.pe.original_file_name\u003c/code\u003e and \u003ccode\u003eprocess.executable\u003c/code\u003e lists, to match your organization\u0026rsquo;s baseline and reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-09T14:22:00Z","date_published":"2024-05-09T14:22:00Z","id":"/briefs/2024-05-parent-process-spoofing/","summary":"Adversaries use parent process PID spoofing to evade detection by creating processes with mismatched parent-child relationships, hindering process monitoring and potentially elevating privileges on Windows systems.","title":"Windows Parent Process PID Spoofing Detection","url":"https://feed.craftedsignal.io/briefs/2024-05-parent-process-spoofing/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Copilot","Cursor","GPT4All","Jan","LM Studio","Ollama","Windsurf","bunx","codex","claude","deno","gemini-cli","genaiscript","grok","koboldcpp","llama-cli","llama-server","npx","pnpm","qwen","textgen","yarn","Confluence Data Center"],"_cs_severities":["medium"],"_cs_tags":["genai","command and control","macos","network connection"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Atlassian","GitHub"],"content_html":"\u003cp\u003eThis threat brief addresses the risk of GenAI tools on macOS connecting to unusual domains, which may indicate a compromised state. Attackers can exploit GenAI tools through prompt injection, malicious MCP (Model Context Protocol) servers, or poisoned plugins to establish command-and-control (C2) channels or exfiltrate sensitive data. Given the network access capabilities of AI agents, adversaries may manipulate them to beacon to external servers, download malicious payloads, or transmit harvested credentials and documents. The Elastic detection rule \u003ccode\u003e9050506c-df6d-4bdf-bc82-fcad0ef1e8c1\u003c/code\u003e focuses on identifying such anomalous network connections originating from a predefined list of GenAI processes, excluding known legitimate domains. The rule has been actively maintained since its creation on December 4, 2025, with its latest update on April 29, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary compromises a GenAI tool on a macOS system through prompt injection, malicious MCP servers, or poisoned plugins.\u003c/li\u003e\n\u003cli\u003eThe compromised GenAI tool is configured to connect to an attacker-controlled domain for C2.\u003c/li\u003e\n\u003cli\u003eThe GenAI process initiates a network connection attempt to the unusual domain using standard web protocols (HTTP/HTTPS).\u003c/li\u003e\n\u003cli\u003eThe macOS system\u0026rsquo;s network stack resolves the attacker\u0026rsquo;s domain to its corresponding IP address.\u003c/li\u003e\n\u003cli\u003eThe GenAI process sends data to the attacker-controlled domain, potentially including sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the C2 channel to send commands to the compromised GenAI tool.\u003c/li\u003e\n\u003cli\u003eThe GenAI tool executes the commands, potentially leading to further compromise or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised GenAI tools can lead to data exfiltration, unauthorized access to sensitive information, and the establishment of persistent C2 channels within an organization\u0026rsquo;s network. The impact ranges from the loss of intellectual property and customer data to the potential disruption of business operations. The risk is amplified if the GenAI tool has access to internal systems or sensitive data stores, allowing attackers to pivot and escalate their attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;GenAI Process Connecting to Unusual Domain\u0026rdquo; to your SIEM and tune for your environment (see rule below).\u003c/li\u003e\n\u003cli\u003eEnable process creation and network connection logging on macOS endpoints to collect the data required for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the domain and the GenAI process\u0026rsquo;s behavior.\u003c/li\u003e\n\u003cli\u003eBlock any identified malicious domains at the network level (see query in the provided source).\u003c/li\u003e\n\u003cli\u003eReview the GenAI tool\u0026rsquo;s configuration for unauthorized MCP servers, plugins, or extensions that initiated the connection.\u003c/li\u003e\n\u003cli\u003eRegularly update the list of allowed domains in the Sigma rule\u0026rsquo;s filter to account for legitimate updates to GenAI tool infrastructure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-02T14:22:30Z","date_published":"2024-05-02T14:22:30Z","id":"/briefs/2024-05-genai-unusual-domain/","summary":"This rule detects GenAI tools on macOS connecting to unusual domains, potentially indicating command and control activity, data exfiltration, or malicious payload retrieval following compromise via prompt injection, malicious MCP servers, or poisoned plugins.","title":"GenAI Process Connection to Unusual Domain on macOS","url":"https://feed.craftedsignal.io/briefs/2024-05-genai-unusual-domain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Microsoft Teams","Google Chrome","Mozilla Firefox","Opera","Cisco WebEx","Discord","WhatsApp","Zoom","Brave Browser","Slack","thunderbird.exe"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne","Microsoft","Google","Mozilla","Opera","Cisco","Discord","WhatsApp","Zoom","Brave"],"content_html":"\u003cp\u003eThis detection rule focuses on identifying suspicious child processes of communication applications such as Slack, Cisco Webex, Microsoft Teams, Discord, WhatsApp, Zoom, and Thunderbird on Windows operating systems. Attackers may attempt to masquerade as legitimate processes or exploit vulnerabilities in these applications to execute malicious code. The rule monitors for the creation of child processes by these communication apps and checks if those child processes are unexpected, untrusted, or lack a valid code signature. This detection is crucial because successful exploitation can lead to unauthorized access, data exfiltration, or further compromise of the system. The rule has been actively maintained since August 2023, with updates as recent as May 2026, indicating its relevance and ongoing refinement to address emerging threats.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser launches a communication application (e.g., Slack, Teams, Webex).\u003c/li\u003e\n\u003cli\u003eThe communication application executes a vulnerable or compromised component.\u003c/li\u003e\n\u003cli\u003eThe compromised component spawns a child process (e.g., powershell.exe, cmd.exe).\u003c/li\u003e\n\u003cli\u003eThe child process executes a malicious command or script.\u003c/li\u003e\n\u003cli\u003eThe script attempts to download additional payloads from an external source.\u003c/li\u003e\n\u003cli\u003eThe payload executes, establishing persistence through registry modification or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the system.\u003c/li\u003e\n\u003cli\u003eData exfiltration or lateral movement within the network occurs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the compromise of sensitive data, installation of malware, and potential lateral movement within the organization\u0026rsquo;s network. By exploiting communication applications, attackers can gain access to internal communications, confidential documents, and user credentials. The number of affected users and the extent of the damage depend on the compromised application and the attacker\u0026rsquo;s objectives. If successful, this attack may lead to significant financial loss, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Communication App Child Process\u003c/code\u003e to your SIEM to detect anomalous child processes spawned by communication applications and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments in Windows to ensure that the Sigma rule has the necessary data to function correctly (logsource: \u003ccode\u003eprocess_creation\u003c/code\u003e, product: \u003ccode\u003ewindows\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule and review the command line arguments of the spawned processes to identify potential malicious activity.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to restrict the execution of unauthorized applications and reduce the attack surface.\u003c/li\u003e\n\u003cli\u003eEnsure that all communication applications are updated to the latest versions to patch known vulnerabilities and reduce the risk of exploitation.\u003c/li\u003e\n\u003cli\u003eExamine the network activity of the affected system to identify any suspicious outbound connections that may indicate data exfiltration or communication with a command and control server, referencing the setup guide.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-31T12:00:00Z","date_published":"2024-01-31T12:00:00Z","id":"/briefs/2024-01-suspicious-comm-app-child-process/","summary":"The detection rule identifies suspicious child processes spawned from communication applications on Windows systems, potentially indicating masquerading or exploitation of vulnerabilities within these applications.","title":"Suspicious Child Processes from Communication Applications","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-comm-app-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","Elastic Endgame","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","lateral-movement","registry-modification","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eNetwork Level Authentication (NLA) is a security feature in Windows that requires users to authenticate before establishing a full RDP session, adding an extra layer of protection against unauthorized access. Attackers might attempt to disable NLA to gain access to the Windows sign-in screen without proper authentication. This tactic can facilitate the deployment of persistence mechanisms, such as leveraging Accessibility Features like Sticky Keys, or enable unauthorized remote access. This brief addresses the registry modifications associated with disabling NLA and provides detection strategies to identify such attempts. The references indicate that this technique is used in conjunction with other attacks for lateral movement within a compromised network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the system is gained (potentially via compromised credentials or vulnerability exploitation).\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to modify system-level settings.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry key \u003ccode\u003eHKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication\u003c/code\u003e to disable NLA.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eUserAuthentication\u003c/code\u003e value is set to \u0026ldquo;0\u0026rdquo; or \u0026ldquo;0x00000000\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish an RDP connection to the compromised system.\u003c/li\u003e\n\u003cli\u003eDue to the disabled NLA, the attacker bypasses the initial authentication screen.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages accessibility features (e.g., Sticky Keys) for persistence or further exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of NLA allows attackers to bypass authentication and gain unauthorized access to systems via RDP. This can lead to data theft, malware installation, or further lateral movement within the network. While the exact number of victims and sectors targeted are unspecified, the potential impact includes significant data breaches and system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process-creation and registry event logging to detect the registry modifications (Elastic Defend, Elastic Endgame, Microsoft Defender XDR, SentinelOne, Sysmon).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect attempts to modify the \u003ccode\u003eUserAuthentication\u003c/code\u003e registry key (Sysmon Registry Events).\u003c/li\u003e\n\u003cli\u003eReview and harden RDP configurations across the environment to prevent unauthorized access (Microsoft documentation).\u003c/li\u003e\n\u003cli\u003eMonitor endpoint security policies to detect unauthorized registry modifications (Endpoint Security Policies).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-31T12:00:00Z","date_published":"2024-01-31T12:00:00Z","id":"/briefs/2024-01-disable-nla/","summary":"Adversaries may disable Network-Level Authentication (NLA) by modifying specific registry keys to bypass authentication requirements for Remote Desktop Protocol (RDP) and enable persistence mechanisms.","title":"Network-Level Authentication (NLA) Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-nla/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Elastic Defend","Sysmon"],"_cs_severities":["high"],"_cs_tags":["credential-access","netsh","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers often target wireless credentials to gain unauthorized network access. This involves using the legitimate Windows command-line tool \u003ccode\u003enetsh.exe\u003c/code\u003e to extract Wi-Fi passwords stored on a compromised system. By leveraging \u003ccode\u003enetsh\u003c/code\u003e, attackers can bypass traditional security measures and retrieve sensitive information without deploying custom malware. The technique involves specific command-line arguments that instruct \u003ccode\u003enetsh\u003c/code\u003e to display wireless keys in cleartext, exposing the network passwords. Defenders must monitor \u003ccode\u003enetsh\u003c/code\u003e command-line activity to identify potential credential access attempts. This activity can lead to lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Windows system (e.g., via phishing or exploiting a software vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e with specific arguments to list available wireless profiles.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target wireless profile from the list.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e again, this time specifying the target profile and requesting the key to be displayed in cleartext using the \u003ccode\u003ekey=clear\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eNetsh.exe\u003c/code\u003e retrieves the Wi-Fi password from the Windows Wireless LAN service.\u003c/li\u003e\n\u003cli\u003eThe password is displayed in the command output, which the attacker captures.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained Wi-Fi password to connect to the wireless network.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform lateral movement and access internal resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful credential dumping allows attackers to gain unauthorized access to wireless networks. This can lead to lateral movement within the organization\u0026rsquo;s network, access to sensitive data, and further compromise of systems and resources. The impact includes potential data breaches, financial losses, and reputational damage. This technique allows attackers to bypass traditional network access controls.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Wireless Credential Dumping via Netsh\u003c/code\u003e to identify suspicious \u003ccode\u003enetsh.exe\u003c/code\u003e commands in your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the \u003ccode\u003enetsh.exe\u003c/code\u003e command-line arguments.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the process lineage and user context as outlined in the \u0026ldquo;Triage and analysis\u0026rdquo; section of the source.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies for Wi-Fi networks, including the use of WPA2 or WPA3 encryption.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of \u003ccode\u003enetsh.exe\u003c/code\u003e on systems where it is not required, using application control solutions.\u003c/li\u003e\n\u003cli\u003eMonitor for related alerts indicating lateral movement, staging, remote access, or persistence, as mentioned in the \u0026ldquo;Triage and analysis\u0026rdquo; section of the source.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-wireless-creds-dumping/","summary":"Adversaries use the Windows built-in utility Netsh to dump Wireless saved access keys in clear text, potentially leading to credential compromise.","title":"Wireless Credential Dumping via Netsh","url":"https://feed.craftedsignal.io/briefs/2024-01-30-wireless-creds-dumping/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers can try to cover their tracks by clearing the PowerShell console history on Windows systems. PowerShell offers multiple ways to log commands, including the built-in history and the command history managed by the PSReadLine module. This activity is often part of post-compromise behavior aimed at evading detection and forensic analysis. This rule detects the execution of specific commands that clear the built-in PowerShell logs or delete the \u003ccode\u003eConsoleHost_history.txt\u003c/code\u003e file. The rule focuses on PowerShell activity and covers scenarios where commands like Clear-History, Remove-Item, rm, and Set-PSReadlineOption are used to manipulate command history.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through an unspecified method, potentially exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes PowerShell (powershell.exe, pwsh.exe, or powershell_ise.exe) to perform reconnaissance and other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to clear the PowerShell command history using the \u003ccode\u003eClear-History\u003c/code\u003e cmdlet.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker attempts to remove the \u003ccode\u003eConsoleHost_history.txt\u003c/code\u003e file using \u003ccode\u003eRemove-Item\u003c/code\u003e or \u003ccode\u003erm\u003c/code\u003e, which stores the PSReadLine command history.\u003c/li\u003e\n\u003cli\u003eAnother method involves using the \u003ccode\u003eSet-PSReadlineOption\u003c/code\u003e cmdlet with the \u003ccode\u003eSaveNothing\u003c/code\u003e parameter to prevent the saving of future command history.\u003c/li\u003e\n\u003cli\u003eThe attacker may leverage other tools and techniques to further obscure their activities and maintain persistence on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems within the network to increase their impact.\u003c/li\u003e\n\u003cli\u003eThe final objective is data exfiltration, deployment of ransomware, or other malicious activities, all while attempting to evade detection by clearing logs and command history.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful clearing of console history hinders forensic investigations and incident response efforts. If command history is cleared, administrators will have difficulty reconstructing the attacker\u0026rsquo;s actions and identifying the extent of the compromise. This can lead to prolonged incident response times, increased damage, and potential for further exploitation of the compromised systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Clearing PowerShell History\u003c/code\u003e to your SIEM to detect the use of \u003ccode\u003eClear-History\u003c/code\u003e cmdlet, potentially indicating an attempt to remove command history.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Removal of PowerShell History File\u003c/code\u003e to detect the use of \u003ccode\u003eRemove-Item\u003c/code\u003e or \u003ccode\u003erm\u003c/code\u003e command against the PowerShell history file.\u003c/li\u003e\n\u003cli\u003eEnable PowerShell logging and auditing policies to ensure adequate visibility into PowerShell activity as described in the \u003ca href=\"https://ela.st/audit-process-creation\"\u003esetup instructions\u003c/a\u003e to improve detection capabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-clearing-console-history/","summary":"Adversaries may clear the command history of a compromised account to conceal the actions undertaken during an intrusion on a Windows system.","title":"Windows Console History Clearing","url":"https://feed.craftedsignal.io/briefs/2024-01-30-clearing-console-history/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers often attempt to modify file or directory ownership to bypass access controls and gain unauthorized access to sensitive data or system resources. This involves altering permissions associated with critical files or directories, granting broader access to accounts under attacker control or resetting permissions to default values which might be more permissive. This defense evasion technique can be used to establish persistence, escalate privileges, or exfiltrate data without triggering standard security alerts. The common tools used include \u003ccode\u003eicacls.exe\u003c/code\u003e and \u003ccode\u003etakeown.exe\u003c/code\u003e, typically targeting files within the \u003ccode\u003eC:\\Windows\\\u003c/code\u003e directory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved through an existing compromised account or vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003etakeown.exe /f \u0026lt;file\u0026gt;\u003c/code\u003e to take ownership of a target file or directory.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eicacls.exe \u0026lt;file\u0026gt; /reset\u003c/code\u003e to reset the ACL of the file or directory.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses \u003ccode\u003eicacls.exe \u0026lt;file\u0026gt; /grant Everyone:F\u003c/code\u003e to grant full control to everyone, weakening security.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the contents of the file, such as injecting malicious code or configuration changes.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the modified file for persistence, such as a modified system DLL loaded at boot.\u003c/li\u003e\n\u003cli\u003eThe system executes the malicious code when the compromised file is accessed or executed.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as maintaining persistence, escalating privileges, or executing arbitrary commands.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromising file and directory permissions can lead to significant security breaches. Successful attacks can allow unauthorized access to sensitive data, system instability, or the execution of malicious code with elevated privileges. This can affect any Windows environment where file permissions are improperly managed, with potential for widespread system compromise and data exfiltration. The impact is most severe on systems containing sensitive data or critical infrastructure components.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution for \u003ccode\u003eicacls.exe\u003c/code\u003e and \u003ccode\u003etakeown.exe\u003c/code\u003e with suspicious arguments targeting system files (e.g., \u003ccode\u003eC:\\Windows\\*\u003c/code\u003e) to detect potential permission modification attempts using the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eEnable Windows Security Auditing for file system changes to capture events related to permission modifications and ownership changes.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM and tune for your environment, specifically focusing on processes modifying permissions on files within the \u003ccode\u003eC:\\Windows\\\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rules, focusing on the process execution chain and the target files being modified.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-system-file-ownership-change/","summary":"Adversaries may modify file or directory ownership to evade access control lists (ACLs) and access protected files, often using icacls.exe or takeown.exe to reset permissions on system files.","title":"System File Ownership Change for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-system-file-ownership-change/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["account-takeover","privilege-escalation","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies a user account, often a service account, that typically logs in with high volume using a specific logon type but suddenly shows successful logons using a different logon type with low count. This anomalous behavior may signal account takeover or the use of stolen credentials from a new context, such as an interactive or network logon when only batch/service logons were expected. This is critical for defenders as compromised service accounts can lead to privilege escalation and lateral movement within the network. The detection logic is based on Windows Security Event Logs (Event ID 4624).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains access to a valid user account\u0026rsquo;s credentials.\u003c/li\u003e\n\u003cli\u003eCredential Compromise: The attacker compromises a service account\u0026rsquo;s credentials.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker attempts to move laterally within the network using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eAuthentication: The attacker uses the stolen credentials to authenticate to a system using a previously unseen logon type.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker leverages the service account permissions to escalate privileges.\u003c/li\u003e\n\u003cli\u003eResource Access: The attacker accesses sensitive resources using the compromised account.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: The attacker exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful account takeover can lead to significant damage, including data breaches, privilege escalation, and lateral movement within the network. If a service account is compromised, attackers can gain access to sensitive systems and data, potentially affecting hundreds or thousands of users or systems. The shift in logon types often goes unnoticed, enabling attackers to maintain persistence.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Logon to generate the necessary events for detection (reference: Setup section in content).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Account Takeover - Mixed Logon Types\u0026rdquo; to your SIEM and tune the thresholds (max_logon, min_logon) based on your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by confirming with the account owner or service owner whether the additional logon type is expected (reference: Investigation Guide section).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, including service accounts, to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-mixed-logon-types/","summary":"A Windows account, usually a service account, exhibiting a sudden shift in logon type patterns may indicate account compromise and lateral movement.","title":"Potential Account Takeover via Mixed Logon Types","url":"https://feed.craftedsignal.io/briefs/2024-01-mixed-logon-types/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike Falcon","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["persistence","windows","netsh","registry"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe \u003ccode\u003enetsh.exe\u003c/code\u003e utility in Windows supports the addition of Helper DLLs to extend its functionality. An attacker can abuse this mechanism to establish persistence by adding a malicious DLL. When \u003ccode\u003enetsh.exe\u003c/code\u003e is executed, the malicious DLL is loaded and executed, allowing the attacker to run arbitrary code with the privileges of the user or process that initiated \u003ccode\u003enetsh.exe\u003c/code\u003e. This can be done by administrators or scheduled tasks, making it a stealthy and effective persistence technique. The registry key targeted by this technique is \u003ccode\u003eHKLM\\Software\\Microsoft\\netsh\\\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system through unspecified means.\u003c/li\u003e\n\u003cli\u003eAttacker creates a malicious DLL to be used as a Netsh Helper DLL.\u003c/li\u003e\n\u003cli\u003eAttacker modifies the Windows Registry to add the malicious DLL as a Netsh Helper DLL under \u003ccode\u003eHKLM\\Software\\Microsoft\\netsh\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe system administrator or a scheduled task executes \u003ccode\u003enetsh.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enetsh.exe\u003c/code\u003e loads and executes the malicious DLL, granting the attacker code execution.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL performs its intended actions, such as establishing a reverse shell or deploying additional malware.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence on the system through the malicious Netsh Helper DLL.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish persistent access to a compromised system. This can lead to data theft, system compromise, and further malicious activities. While the risk score is low, the persistence mechanism can allow attackers to maintain a foothold for extended periods, increasing the potential for significant damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor registry modifications under the \u003ccode\u003eHKLM\\Software\\Microsoft\\netsh\\\u003c/code\u003e path for suspicious DLL additions using the \u0026ldquo;Netsh Helper DLL Registry Modification\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to collect the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by reviewing the DLL file properties, timestamps, and related processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-netsh-helper-dll/","summary":"Attackers may abuse the Netsh Helper DLL functionality by adding malicious DLLs to execute payloads every time the netsh utility is executed via administrators or scheduled tasks, achieving persistence.","title":"Netsh Helper DLL Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-netsh-helper-dll/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eAttackers may attempt to load expired or revoked drivers to bypass security controls and execute code in kernel mode. This technique can be used for privilege escalation or defense evasion. The loading of such drivers, especially by the System process (PID 4), is a strong indicator of malicious activity. The referenced Elastic detection rule, last updated on May 4, 2026, aims to identify such attempts by monitoring the code signature status of loaded drivers on Windows systems. The rule focuses on identifying drivers with \u0026ldquo;errorExpired\u0026rdquo; or \u0026ldquo;errorRevoked\u0026rdquo; status, providing defenders with a means to detect potentially malicious activity related to driver manipulation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., through social engineering or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker obtains or creates a malicious driver signed with an expired or revoked certificate, or an outdated driver with known vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to load the malicious driver onto the targeted Windows system.\u003c/li\u003e\n\u003cli\u003eThe Windows operating system attempts to verify the driver\u0026rsquo;s code signature.\u003c/li\u003e\n\u003cli\u003eThe code signature verification fails due to the driver\u0026rsquo;s expired or revoked certificate.\u003c/li\u003e\n\u003cli\u003eDespite the signature failure, the attacker attempts to force the system to load the driver, possibly by exploiting a bypass or misconfiguration.\u003c/li\u003e\n\u003cli\u003eThe driver is loaded into kernel mode, granting the attacker elevated privileges and control over the system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised driver to execute malicious code, escalate privileges, or evade security defenses.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack involving the loading of an expired or revoked driver can lead to complete system compromise. An attacker could gain unauthorized access to sensitive data, install malware, or disrupt critical services. The consequences range from data breaches to system instability and loss of integrity. The Elastic detection rule aims to detect these attempts before significant damage can occur.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect instances of expired or revoked drivers being loaded (reference: Sigma rule).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy and potential risk associated with the loaded driver (reference: Sigma rule).\u003c/li\u003e\n\u003cli\u003eEnable endpoint detection and response (EDR) solutions like Elastic Defend to enhance visibility into driver loading events (reference: Elastic Defend).\u003c/li\u003e\n\u003cli\u003eRegularly update driver blocklists to prevent the loading of known malicious or vulnerable drivers (reference: References URL).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual driver loading activity, particularly by the System process (PID 4) (reference: Sigma rule, process.pid == 4).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-expired-driver-load/","summary":"An expired or revoked driver being loaded on a Windows system may indicate an attempt to gain code execution in kernel mode or abuse revoked certificates for malicious purposes, potentially leading to privilege escalation or defense evasion.","title":"Expired or Revoked Driver Loaded","url":"https://feed.craftedsignal.io/briefs/2024-01-expired-driver-load/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","command-and-control","windows","msxsl"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne"],"content_html":"\u003cp\u003eMsXsl.exe is a Windows utility designed to transform XML data using XSLT stylesheets. Adversaries are known to abuse this utility to execute malicious scripts, bypassing application control and other security measures. This behavior is often used as a defense evasion technique to download or execute malicious payloads. This activity has been observed since at least March 2020. The abuse of msxsl.exe allows attackers to establish command and control or exfiltrate sensitive data without being easily detected, as the tool is a signed Microsoft binary. This matters for defenders because it highlights the need to monitor legitimate system utilities for anomalous behavior, specifically network connections to external IP addresses.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages msxsl.exe to execute a malicious script.\u003c/li\u003e\n\u003cli\u003eMsxsl.exe initiates a network connection to an external IP address.\u003c/li\u003e\n\u003cli\u003eThe script downloads a malicious payload from the external server.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is executed on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a command and control channel through the network connection.\u003c/li\u003e\n\u003cli\u003eThe attacker performs data exfiltration via the established C2 channel.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems can be used for further malicious activities, including data theft, lateral movement, and deployment of additional malware. Successful exploitation can lead to sensitive data exfiltration, disruption of services, or complete system compromise. The low risk score does not represent impact, but instead reflects that the behavior is not always malicious, and may be a feature of normal software operation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon network connection logging to monitor msxsl.exe network activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Network Connection via MsXsl\u0026rdquo; to your SIEM and tune for your environment to detect suspicious network connections originating from msxsl.exe.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the destination IP address and the parent process of msxsl.exe.\u003c/li\u003e\n\u003cli\u003eWhitelist legitimate uses of msxsl.exe in your environment based on known good processes or applications to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T10:00:00Z","date_published":"2024-01-30T10:00:00Z","id":"/briefs/2024-01-msxsl-network-connection/","summary":"Msxsl.exe, a legitimate Windows utility, is being abused by adversaries to make network connections to non-local IPs for command and control or data exfiltration, potentially bypassing security measures.","title":"MsXsl.exe Network Connection for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-msxsl-network-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["credential-access","windows","vaultcmd"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers may abuse the Windows Credential Manager to list or dump credentials stored within. This allows for the exfiltration of saved usernames and passwords. The tool vaultcmd.exe can be used to interact with the Credential Manager and list the stored credentials. This activity is often performed in preparation for lateral movement within a compromised network. This detection focuses on identifying instances where vaultcmd.exe is executed with the \u003ccode\u003e/list*\u003c/code\u003e argument, indicating an attempt to enumerate stored credentials. The detection rule is designed to identify abuse of vaultcmd for credential access, enabling defenders to detect unauthorized credential access activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means (e.g., phishing, exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003evaultcmd.exe\u003c/code\u003e with the \u003ccode\u003e/list\u003c/code\u003e argument to enumerate the credentials stored in the Windows Credential Manager.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003evaultcmd.exe\u003c/code\u003e process accesses the Credential Manager to retrieve the list of saved credentials.\u003c/li\u003e\n\u003cli\u003eThe output of \u003ccode\u003evaultcmd.exe\u003c/code\u003e (the list of credentials) is captured or redirected to a file for later exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output to identify valuable credentials, such as domain administrator accounts or service accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the acquired credentials to authenticate to other systems on the network (lateral movement).\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges on the target systems.\u003c/li\u003e\n\u003cli\u003eThe final objective is achieved, such as data theft or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack chain can lead to unauthorized access to sensitive resources, lateral movement within the network, and ultimately, data theft, system compromise, or ransomware deployment. A compromised user account can grant the attacker access to internal systems, confidential data, and critical infrastructure. If the attacker gains domain administrator credentials, they can compromise the entire Windows domain.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution events for instances of \u003ccode\u003evaultcmd.exe\u003c/code\u003e being executed with the \u003ccode\u003e/list*\u003c/code\u003e argument (Data Source: Windows Security Event Logs, Sysmon, Microsoft Defender XDR, SentinelOne, Crowdstrike).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect VaultCmd Credential Listing\u0026rdquo; to your SIEM to identify potential credential access attempts.\u003c/li\u003e\n\u003cli\u003eInvestigate any identified instances of \u003ccode\u003evaultcmd.exe\u003c/code\u003e being executed with the \u003ccode\u003e/list*\u003c/code\u003e argument to determine the legitimacy of the activity.\u003c/li\u003e\n\u003cli\u003eReview and update endpoint protection configurations to ensure that similar threats are detected and blocked in the future.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-29-vaultcmd-credential-access/","summary":"Adversaries may use vaultcmd.exe to list credentials stored in the Windows Credential Manager to gain unauthorized access to saved usernames and passwords, potentially in preparation for lateral movement.","title":"VaultCmd Usage for Listing Windows Credentials","url":"https://feed.craftedsignal.io/briefs/2024-01-29-vaultcmd-credential-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","Elastic Endgame","Sysmon Event ID 11 - File Create"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","windows","managed code","lolbin"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies suspicious managed code hosting processes on Windows systems. Attackers may leverage processes like \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003ewmic.exe\u003c/code\u003e, \u003ccode\u003esvchost.exe\u003c/code\u003e, \u003ccode\u003edllhost.exe\u003c/code\u003e, \u003ccode\u003ecmstp.exe\u003c/code\u003e, and \u003ccode\u003eregsvr32.exe\u003c/code\u003e to execute malicious code, often bypassing traditional security controls. These processes can be abused to load and execute .NET assemblies or other managed code components. The detection focuses on identifying unusual file creation events associated with these processes which could indicate an attacker is attempting to leverage these processes for malicious purposes. This activity might be indicative of code injection, defense evasion, or other suspicious code execution techniques. The rule uses EQL to search for file events associated with specific processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through a phishing email or compromised software.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a LOLBin such as \u003ccode\u003emshta.exe\u003c/code\u003e or \u003ccode\u003eregsvr32.exe\u003c/code\u003e to bypass application control.\u003c/li\u003e\n\u003cli\u003eThe LOLBin executes a malicious script or loads a malicious DLL from a user-writable location.\u003c/li\u003e\n\u003cli\u003eThe malicious script or DLL performs reconnaissance activities, such as gathering system information or enumerating network resources.\u003c/li\u003e\n\u003cli\u003eThe attacker then attempts to escalate privileges by exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised process to download and execute additional malware.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence on the system through scheduled tasks or registry modifications.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement within the network, compromising additional systems and exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to compromise systems, steal sensitive data, and establish persistence. The use of LOLBins can bypass application control, making detection more challenging. Depending on the scope of the attack, this could result in significant financial losses, reputational damage, and disruption of business operations. This is a high-severity finding due to the potential for attackers to gain full control over affected systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon file creation logging (Event ID 11) to collect the necessary data for this detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Managed Code Hosting Process\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the file paths, process command lines, and parent processes involved.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected file creation events associated with processes like \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, and \u003ccode\u003emshta.exe\u003c/code\u003e in user-writable directories.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of LOLBins and other potentially malicious processes.\u003c/li\u003e\n\u003cli\u003eCorrelate the detection with other security events to identify related malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-29-suspicious-managedcode-hosting/","summary":"This rule detects suspicious managed code hosting processes on Windows systems, potentially indicating code injection or defense evasion tactics by monitoring file events associated with processes commonly used to host managed code, such as wscript.exe, cscript.exe, and mshta.exe.","title":"Suspicious Managed Code Hosting Process","url":"https://feed.craftedsignal.io/briefs/2024-01-29-suspicious-managedcode-hosting/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","masquerading","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies processes executing from directories that masquerade as the legitimate Windows Program Files directories. Attackers may create directories with similar names (e.g., \u0026ldquo;C:\\Program Files Bad\u0026rdquo; or \u0026ldquo;C:\\Program Files(x86) Malicious\u0026rdquo;) to host and execute malicious executables, bypassing security measures that trust the standard Program Files locations. This technique is particularly effective when combined with low-privilege accounts, as it allows attackers to evade detections that whitelist only the standard, trusted Program Files paths. The timeframe for this rule is the last 9 months. This matters to defenders because it highlights a common tactic used to bypass established trust relationships within the Windows operating system, requiring more granular inspection of process execution paths.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new directory that mimics the \u0026ldquo;Program Files\u0026rdquo; or \u0026ldquo;Program Files (x86)\u0026rdquo; directory (e.g., \u0026ldquo;C:\\Program Files Bad\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker copies or downloads malicious executable files into the newly created masquerading directory.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malicious executable from the masquerading directory.\u003c/li\u003e\n\u003cli\u003eThe operating system loads the executable and begins its execution, potentially bypassing any allowlisting rules that only check the standard \u0026ldquo;Program Files\u0026rdquo; locations.\u003c/li\u003e\n\u003cli\u003eThe malicious executable performs its intended actions, such as installing malware, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised system to move laterally within the network, repeating the masquerading technique on other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to malware infection, data theft, or complete system compromise. The impact is significant, as it undermines the trust placed in the \u0026ldquo;Program Files\u0026rdquo; directory and allows attackers to operate undetected for extended periods. While no specific victim counts are given, the technique is broadly applicable to any Windows environment, especially those relying on simple path-based allowlisting for security.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eProgram Files Directory Masquerading Detection\u003c/code\u003e to your SIEM to detect suspicious process executions from masquerading directories.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to collect the necessary process execution data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eRegularly review and update allowlisting rules to include more specific criteria beyond just the \u0026ldquo;Program Files\u0026rdquo; directory, such as file hashes or digital signatures.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent processes and user accounts associated with the suspicious executions.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events in the root directory to detect suspicious folders being created (file_event category)\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-program-files-masquerading/","summary":"Adversaries may masquerade malicious executables within directories mimicking the legitimate Windows Program Files directory to evade defenses and execute untrusted code.","title":"Program Files Directory Masquerading","url":"https://feed.craftedsignal.io/briefs/2024-01-program-files-masquerading/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend","Elastic Endgame"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","windows","msiexec","remote-install"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAdversaries may abuse Windows Installer (msiexec.exe) to perform remote installations of malicious payloads. This technique is used for initial access, defense evasion, and execution of arbitrary code. The detection rule identifies attempts to install a file from a remote server using MsiExec. The rule looks for msiexec.exe processes running with arguments such as \u003ccode\u003e-i\u003c/code\u003e, \u003ccode\u003e/i\u003c/code\u003e, \u003ccode\u003e-p\u003c/code\u003e, or \u003ccode\u003e/p\u003c/code\u003e, indicative of remote installations, and executed from suspicious parent processes like \u003ccode\u003esihost.exe\u003c/code\u003e, \u003ccode\u003eexplorer.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ewmiprvse.exe\u003c/code\u003e, \u003ccode\u003epcalua.exe\u003c/code\u003e, \u003ccode\u003eforfiles.exe\u003c/code\u003e, and \u003ccode\u003econhost.exe\u003c/code\u003e. The rule includes exceptions to reduce false positives from legitimate software installations, specifically excluding command lines containing \u003ccode\u003e--set-server\u003c/code\u003e, \u003ccode\u003eUPGRADEADD\u003c/code\u003e, \u003ccode\u003e--url\u003c/code\u003e, \u003ccode\u003eUSESERVERCONFIG\u003c/code\u003e, \u003ccode\u003eRCTENTERPRISESERVER\u003c/code\u003e, \u003ccode\u003eapp.ninjarmm.com\u003c/code\u003e, \u003ccode\u003ezoom.us/client\u003c/code\u003e, \u003ccode\u003eSUPPORTSERVERSTSURI\u003c/code\u003e, \u003ccode\u003eSTART_URL\u003c/code\u003e, \u003ccode\u003eAUTOCONFIG\u003c/code\u003e, \u003ccode\u003eawscli.amazonaws.com\u003c/code\u003e, \u003ccode\u003e*/i \\\u0026quot;C:*\u003c/code\u003e, and \u003ccode\u003e*/i C:\\\\*\u003c/code\u003e. This technique can lead to complete system compromise and data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access via an unspecified method (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker uses a script or command-line interpreter (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e) to initiate the \u003ccode\u003emsiexec.exe\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emsiexec.exe\u003c/code\u003e process is launched with arguments that specify a remote MSI package (\u003ccode\u003e-i\u003c/code\u003e, \u003ccode\u003e/i\u003c/code\u003e, \u003ccode\u003e-p\u003c/code\u003e, \u003ccode\u003e/p\u003c/code\u003e) and enable silent installation (\u003ccode\u003e/qn\u003c/code\u003e, \u003ccode\u003e-qn\u003c/code\u003e, \u003ccode\u003e-q\u003c/code\u003e, \u003ccode\u003e/q\u003c/code\u003e, \u003ccode\u003e/quiet\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emsiexec.exe\u003c/code\u003e process downloads the MSI package from a remote server over HTTP or HTTPS.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emsiexec.exe\u003c/code\u003e executes the downloaded MSI package, which may contain malicious payloads.\u003c/li\u003e\n\u003cli\u003eThe malicious payload executes, potentially performing actions such as installing malware, establishing persistence, or escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control over the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs further actions, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to install malware, steal sensitive data, or disrupt system operations. A compromised system can be used as a pivot point to access other systems on the network. The impact can range from data breaches and financial losses to reputational damage and disruption of critical services. The number of potential victims depends on the scope of the initial access and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious MsiExec invocations with remote payloads.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to ensure the required data is available for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent process, command-line arguments, and network connections associated with the \u003ccode\u003emsiexec.exe\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for child processes spawned by \u003ccode\u003emsiexec.exe\u003c/code\u003e for anomalous activity.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of \u003ccode\u003emsiexec.exe\u003c/code\u003e to authorized users and processes only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T10:00:00Z","date_published":"2024-01-29T10:00:00Z","id":"/briefs/2024-01-29-msiexec-remote-payload/","summary":"This rule detects attempts to install a file from a remote server using MsiExec, which adversaries may abuse to deliver malware, by identifying msiexec.exe processes running with arguments indicative of remote installations and executed from suspicious parent processes.","title":"Potential Remote Install via MsiExec","url":"https://feed.craftedsignal.io/briefs/2024-01-29-msiexec-remote-payload/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","Elastic Endgame","Sysmon"],"_cs_severities":["low"],"_cs_tags":["privilege-escalation","unquoted-service-path","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eUnquoted service paths in Windows can be exploited to escalate privileges. When a service path lacks quotes, Windows may execute a malicious executable placed in a higher-level directory. This detection rule identifies suspicious processes starting from common unquoted paths, like \u0026ldquo;C:\\Program.exe\u0026rdquo; or executables within \u0026ldquo;C:\\Program Files (x86)\\\u0026rdquo; or \u0026ldquo;C:\\Program Files\\\u0026rdquo;, signaling potential exploitation attempts. The rule aims to detect early stages of privilege escalation threats. This rule is designed for data generated by Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, Windows Security Event Logs, and Crowdstrike.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a service running with an unquoted path, such as \u0026ldquo;C:\\Program Files\\Unquoted Path Service\\Common\\Service.exe\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker places a malicious executable named \u0026ldquo;Program.exe\u0026rdquo; in \u0026ldquo;C:\u0026quot;\u003c/li\u003e\n\u003cli\u003eThe operating system attempts to start the service \u0026ldquo;C:\\Program Files\\Unquoted Path Service\\Common\\Service.exe\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eDue to the unquoted path, the OS incorrectly parses the path and first attempts to execute \u0026ldquo;C:\\Program.exe\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe malicious \u0026ldquo;Program.exe\u0026rdquo; executes with the privileges of the service account.\u003c/li\u003e\n\u003cli\u003eThe malicious executable performs actions to escalate privileges, such as adding a user to the local administrators group.\u003c/li\u003e\n\u003cli\u003eThe attacker gains elevated access to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of an unquoted service path vulnerability can lead to complete system compromise, as the attacker gains the privileges of the service account. This can allow the attacker to install programs, view, change, or delete data, or create new accounts with full user rights. The impact is high, potentially leading to a loss of confidentiality, integrity, and availability of the affected system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview process executable paths to confirm if they match the patterns specified in the rule query, such as \u0026ldquo;?:\\Program.exe\u0026rdquo; or executables within \u0026ldquo;C:\\Program Files (x86)\\\u0026rdquo; or \u0026ldquo;C:\\Program Files\\\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Exploitation of an Unquoted Service Path Vulnerability\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging with Event ID 1 to activate the Sigma rules above.\u003c/li\u003e\n\u003cli\u003eConduct a thorough review of service configurations to identify and correct any unquoted service paths as part of remediation steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T10:00:00Z","date_published":"2024-01-29T10:00:00Z","id":"/briefs/2024-01-29-unquoted-service-path/","summary":"This rule detects potential exploitation of unquoted service path vulnerabilities, where adversaries may escalate privileges by placing a malicious executable in a higher-level directory within the path of an unquoted service executable.","title":"Potential Exploitation of an Unquoted Service Path Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-29-unquoted-service-path/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Endpoint Security","SentinelOne Cloud Funnel","Crowdstrike FDR","Sysmon"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","amsi","registry","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers can disable the Antimalware Scan Interface (AMSI) to evade detection by modifying the \u003ccode\u003eAmsiEnable\u003c/code\u003e registry key. This technique is commonly employed to execute malicious scripts without triggering security warnings or blocks. The AMSI, a Windows feature, allows applications and services to request the scanning of potentially malicious content (e.g., PowerShell scripts, JScript) before execution. By setting the \u003ccode\u003eAmsiEnable\u003c/code\u003e value to 0, an attacker can disable AMSI for the current user, effectively bypassing real-time script scanning. This action is often a precursor to deploying further malicious payloads or establishing persistence on a compromised system. This behavior has been observed since at least 2019 and continues to be a relevant defense evasion technique.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script or binary that attempts to modify the \u003ccode\u003eAmsiEnable\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eThe script or binary uses \u003ccode\u003ereg.exe\u003c/code\u003e, PowerShell, or another tool to set the \u003ccode\u003eAmsiEnable\u003c/code\u003e registry value to 0. The registry key location is typically \u003ccode\u003eHKEY_USERS\\\u0026lt;SID\u0026gt;\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAfter successfully disabling AMSI, the attacker proceeds to execute malicious scripts or code. These scripts may use \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, or \u003ccode\u003ecscript.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious scripts download and execute additional payloads, such as malware or remote access tools (RATs).\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement within the network using the compromised system as a pivot.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish persistence, ensuring continued access to the system even after reboots.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys ransomware to achieve their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the \u003ccode\u003eAmsiEnable\u003c/code\u003e registry key allows attackers to execute malicious scripts without triggering AMSI alerts, leading to potential malware infections, data breaches, and system compromise. Disabling AMSI significantly reduces the effectiveness of endpoint security solutions, making the system more vulnerable to attack. The impact can range from individual workstation compromise to widespread network infections, depending on the attacker\u0026rsquo;s objectives and the organization\u0026rsquo;s security posture.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AmsiEnable Registry Modification via Registry Events\u003c/code\u003e to your SIEM to detect modifications to the \u003ccode\u003eAmsiEnable\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to provide the necessary data for the Sigma rule to function.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for processes modifying registry keys, especially \u003ccode\u003ereg.exe\u003c/code\u003e and PowerShell, using the rule \u003ccode\u003eDetect AmsiEnable Registry Modification via Process Creation\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules promptly to determine if the activity is malicious or legitimate.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted scripts and binaries.\u003c/li\u003e\n\u003cli\u003eHarden systems by restricting user permissions to modify critical registry keys.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-27T18:23:00Z","date_published":"2024-01-27T18:23:00Z","id":"/briefs/2024-01-amsi-registry-disable/","summary":"Adversaries modify the AmsiEnable registry key to 0 to disable Windows Script AMSI scanning, bypassing AMSI protections for Windows Script Host or JScript execution.","title":"AMSI Enable Registry Key Modification for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-amsi-registry-disable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Office","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["low"],"_cs_tags":["persistence","registry","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe \u0026ldquo;Office Test\u0026rdquo; registry key, located under \u003ccode\u003eHKCU\\Software\\Microsoft\\Office Test\\Special\\Perf\u003c/code\u003e, is a legitimate feature that allows specifying a DLL to be executed every time an MS Office application is started. Attackers can abuse this functionality by modifying the registry to point to a malicious DLL, achieving persistence on a compromised host. This allows for continued malicious activity even after a system restart or user logout. Elastic has published a rule to detect this behavior. The modification of this registry key, excluding deletions, is a strong indicator of potential abuse, and can be detected via endpoint detection and response (EDR) solutions as well as traditional Sysmon logging.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, often through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a foothold and escalates privileges to make necessary registry modifications.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eHKCU\\Software\\Microsoft\\Office Test\\Special\\Perf\u003c/code\u003e registry key, adding a new entry or modifying an existing one to point to a malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe attacker ensures the malicious DLL is present on the system, either by dropping it directly or using existing system tools to download it.\u003c/li\u003e\n\u003cli\u003eA user launches a Microsoft Office application (e.g., Word, Excel, PowerPoint).\u003c/li\u003e\n\u003cli\u003eThe Office application loads the DLL specified in the \u0026ldquo;Office Test\u0026rdquo; registry key during startup.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes its payload, which could include establishing a reverse shell, installing malware, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence, allowing them to regain access to the system each time an Office application is started.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to a compromised system. The injected DLL can be used to execute arbitrary code, potentially leading to data theft, malware installation, or further compromise of the network. The relatively low risk score suggests a common technique, but the potential for persistent access makes it a significant threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune for your environment to detect unauthorized modifications to the \u0026ldquo;Office Test\u0026rdquo; registry key (\u003ccode\u003eHKCU\\Software\\Microsoft\\Office Test\\Special\\Perf\\*\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Registry event logging to capture registry modifications and activate the Sigma rule above.\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for Office applications to detect if a suspicious DLL has been loaded or executed, as described in the investigation guide.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and alerting for similar registry modifications across the network, as described in the remediation steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-27T17:30:00Z","date_published":"2024-01-27T17:30:00Z","id":"/briefs/2024-01-office-test-registry-persistence/","summary":"Attackers modify the Microsoft Office 'Office Test' Registry key to achieve persistence by specifying a malicious DLL that executes upon application startup.","title":"Microsoft Office 'Office Test' Registry Persistence Abuse","url":"https://feed.craftedsignal.io/briefs/2024-01-office-test-registry-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","SentinelOne Cloud Funnel","Elastic Defend","Elastic Endgame"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","ads","file-creation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThis detection focuses on identifying the creation of Alternate Data Streams (ADS) on Windows systems, a technique often employed by adversaries to conceal malicious code or data within seemingly benign files. Attackers leverage scripting engines and command interpreters to write ADS to various file types, including executables, documents, and media files. This activity is uncommon in legitimate workflows, making it a valuable indicator of potential compromise. The rule is designed to trigger on file creation events where the process creating the file is a known script or command interpreter (cmd.exe, powershell.exe, etc.) and the target file has a suspicious extension. The detection excludes common legitimate ADS usage patterns. This technique is used for defense evasion, allowing malware to persist without being easily detected by traditional security measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses a command interpreter (cmd.exe, powershell.exe, etc.) or scripting engine (wscript.exe, cscript.exe) to execute malicious code.\u003c/li\u003e\n\u003cli\u003eThe malicious code creates an Alternate Data Stream (ADS) on a targeted file (e.g., an executable, document, or image). The targeted file\u0026rsquo;s extension could be pdf, dll, exe, dat, etc.\u003c/li\u003e\n\u003cli\u003eThe attacker hides malicious code or data within the ADS, making it less visible to standard file system scans and security tools. The ADS is written to a file path using the \u003ccode\u003eC:\\\\*:\\*\u003c/code\u003e syntax.\u003c/li\u003e\n\u003cli\u003eThe attacker may rename or clean up any staging files to further conceal their activity.\u003c/li\u003e\n\u003cli\u003eThe attacker can then execute the hidden code within the ADS, or use the ADS to store configuration data for later use.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by using the ADS to store and execute malicious code, bypassing typical file-based security measures.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is to maintain unauthorized access to the system, potentially leading to data exfiltration, lateral movement, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to hide malicious code within legitimate files, evading detection by traditional security measures. This can lead to prolonged persistence on compromised systems, enabling data theft, ransomware deployment, or other malicious activities. While the specific number of victims is unknown, this technique is broadly applicable across Windows environments, potentially affecting a wide range of organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious ADS File Creation via Cmd\u003c/code\u003e to detect ADS creation events initiated by cmd.exe.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious ADS File Creation via PowerShell\u003c/code\u003e to detect ADS creation events initiated by powershell.exe.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 15 (FileCreateStreamHash) to provide detailed information about ADS creation events, as referenced in the rule\u0026rsquo;s setup instructions.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the file paths, creating processes, and command-line arguments involved, as detailed in the rule\u0026rsquo;s triage and analysis notes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T18:00:00Z","date_published":"2024-01-26T18:00:00Z","id":"/briefs/2024-01-ads-file-creation/","summary":"Detects suspicious creation of Alternate Data Streams (ADS) on targeted files using script or command interpreters, indicative of malware hiding in ADS for defense evasion.","title":"Suspicious Alternate Data Stream (ADS) File Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-ads-file-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Elastic Defend","Microsoft Defender XDR"],"_cs_severities":["medium"],"_cs_tags":["persistence","execution","privilege_escalation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eAttackers may configure existing Windows services or create new ones to execute system shells, in order to elevate their privileges from administrator to SYSTEM. This tactic is used to gain SYSTEM permissions and establish persistence. The detection rule focuses on identifying instances where \u003ccode\u003eservices.exe\u003c/code\u003e is the parent process of a command shell (cmd.exe, powershell.exe, pwsh.exe, powershell_ise.exe), indicating that a service is being abused to run a shell. The rule is designed to work with data from Elastic Defend, CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system with administrator privileges.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a legitimate service or creates a new service to abuse for privilege escalation.\u003c/li\u003e\n\u003cli\u003eAttacker modifies the service configuration to execute a command shell (cmd.exe, powershell.exe, pwsh.exe, or powershell_ise.exe). This may involve modifying the service\u0026rsquo;s executable path or adding command-line arguments.\u003c/li\u003e\n\u003cli\u003eThe system\u0026rsquo;s Service Control Manager (SCM) starts the service.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eservices.exe\u003c/code\u003e spawns the configured command shell process.\u003c/li\u003e\n\u003cli\u003eThe command shell executes with SYSTEM privileges.\u003c/li\u003e\n\u003cli\u003eAttacker uses the SYSTEM shell to perform malicious activities, such as installing malware, accessing sensitive data, or creating new user accounts.\u003c/li\u003e\n\u003cli\u003eThe service continues to run, providing persistent access to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to privilege escalation to SYSTEM, granting the attacker complete control over the compromised system. This can result in data theft, malware installation, or further lateral movement within the network. The rule has a risk score of 47 and is categorized as medium severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSystem Shells via Services\u003c/code\u003e to detect the execution of command shells spawned by \u003ccode\u003eservices.exe\u003c/code\u003e within your SIEM environment, and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any process creation events where \u003ccode\u003eservices.exe\u003c/code\u003e is the parent process of \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003epwsh.exe\u003c/code\u003e, or \u003ccode\u003epowershell_ise.exe\u003c/code\u003e using the investigation guide provided in the content section.\u003c/li\u003e\n\u003cli\u003eReview service creation and modification events in Windows Event Logs (Event IDs 4697 and 7045) for suspicious entries.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture detailed process information.\u003c/li\u003e\n\u003cli\u003eUtilize osquery to retrieve detailed service information to identify potentially malicious services. Reference queries $osquery_0, $osquery_1, and $osquery_2 in the investigation guide.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-system-shells-via-services/","summary":"Attackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM, using services.exe as the parent process of the shell.","title":"System Shells Launched via Windows Services","url":"https://feed.craftedsignal.io/briefs/2024-01-system-shells-via-services/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","Windows Error Reporting"],"_cs_severities":["medium"],"_cs_tags":["credential-access","windows","lsass","wepw"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThe LSASS Shtinkering attack involves abusing Windows Error Reporting (WER) to dump the memory of the LSASS process, which contains sensitive credentials. By enabling full user-mode dumps system-wide, attackers can fake a crash on LSASS, causing WER to generate a dump file. This setting is not enabled by default and requires modifying the registry. The DeepInstinct researchers publicized this attack at Defcon 30, demonstrating a method to access credentials without directly injecting malware into the LSASS process. This technique allows attackers to bypass traditional endpoint detection mechanisms that focus on malware signatures, making it a stealthy approach to credential theft. Defenders should monitor for registry modifications related to WER dump settings to detect and prevent this attack.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, potentially through phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry key \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType\u003c/code\u003e to the value \u003ccode\u003e2\u003c/code\u003e or \u003ccode\u003e0x00000002\u003c/code\u003e to enable full user-mode dumps system-wide.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a crash or fakes a crash of the LSASS process.\u003c/li\u003e\n\u003cli\u003eWindows Error Reporting (WER) generates a full user-mode dump file of the LSASS process.\u003c/li\u003e\n\u003cli\u003eThe dump file is stored in the location specified in the registry, typically \u003ccode\u003eC:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the generated dump file.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts credentials from the LSASS dump file using tools like Mimikatz or custom scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to move laterally within the network or access sensitive resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of domain credentials and other sensitive information stored in LSASS memory, such as NTLM hashes and Kerberos tickets. This can enable attackers to move laterally within the network, escalate privileges, and access critical systems and data. A single compromised system can lead to a widespread breach affecting numerous users and systems. The sectors most vulnerable are those handling sensitive data or critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Full User-Mode Dumps Enabled System-Wide\u0026rdquo; to your SIEM to detect suspicious registry modifications related to Windows Error Reporting (WER).\u003c/li\u003e\n\u003cli\u003eExamine process execution logs to identify any suspicious processes that may have triggered the dump, especially those not matching the legitimate \u003ccode\u003esvchost.exe\u003c/code\u003e process with user IDs \u003ccode\u003eS-1-5-18\u003c/code\u003e, \u003ccode\u003eS-1-5-19\u003c/code\u003e, or \u003ccode\u003eS-1-5-20\u003c/code\u003e as described in the rule\u0026rsquo;s investigation guide.\u003c/li\u003e\n\u003cli\u003eMonitor for access to WER dump files located in \u003ccode\u003eC:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\u003c/code\u003e using file monitoring rules.\u003c/li\u003e\n\u003cli\u003eReview and update endpoint protection configurations to ensure they can detect and block credential dumping techniques as mentioned in the rule\u0026rsquo;s response and remediation steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-26-lsass-shtinkering/","summary":"Attackers can enable full user-mode dumps system-wide via registry modification to facilitate LSASS credential dumping, allowing extraction of credentials from process memory without deploying malware.","title":"LSASS Credential Dumping via Windows Error Reporting (WER) Abuse","url":"https://feed.craftedsignal.io/briefs/2024-01-26-lsass-shtinkering/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["discovery","windows","group_policy"],"_cs_type":"advisory","_cs_vendors":["Microsoft","CrowdStrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eAttackers may leverage the \u003ccode\u003egpresult.exe\u003c/code\u003e utility, a built-in Windows tool, to gather information about Group Policy Objects (GPOs) within an Active Directory environment. This reconnaissance activity allows adversaries to understand the existing security policies, identify potential misconfigurations, and discover pathways for privilege escalation or lateral movement. The rule focuses on detecting the execution of \u003ccode\u003egpresult.exe\u003c/code\u003e with specific command-line arguments (\u003ccode\u003e/z\u003c/code\u003e, \u003ccode\u003e/v\u003c/code\u003e, \u003ccode\u003e/r\u003c/code\u003e, \u003ccode\u003e/x\u003c/code\u003e) commonly associated with malicious reconnaissance. This behavior is typically observed after an initial compromise, where the attacker is attempting to map out the network and identify valuable targets. This activity matters for defenders as it provides an early indicator of post-compromise activity and can help prevent further damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Windows system through methods such as phishing, exploiting vulnerabilities, or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003egpresult.exe\u003c/code\u003e from the command line or through a script.\u003c/li\u003e\n\u003cli\u003eThe attacker uses command-line arguments such as \u003ccode\u003e/z\u003c/code\u003e, \u003ccode\u003e/v\u003c/code\u003e, \u003ccode\u003e/r\u003c/code\u003e, or \u003ccode\u003e/x\u003c/code\u003e to request detailed information about Group Policy settings.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003egpresult.exe\u003c/code\u003e queries the Active Directory domain to retrieve GPO information applicable to the user or computer.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output of \u003ccode\u003egpresult.exe\u003c/code\u003e to identify security policies, user rights assignments, and other relevant configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies potential weaknesses in the GPO configuration, such as overly permissive user rights or insecure password policies.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to exploit identified weaknesses and escalate privileges or move laterally to other systems within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration, system compromise, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a comprehensive understanding of the target environment\u0026rsquo;s security posture, enabling attackers to identify and exploit weaknesses for privilege escalation and lateral movement. While the source does not specify a number of victims or sectors targeted, the impact of a successful attack can range from data breaches and financial losses to reputational damage and disruption of operations. The discovery of misconfigured group policies can open doors for attackers to compromise critical systems and data within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Group Policy Discovery via GPResult\u0026rdquo; to your SIEM to detect the execution of \u003ccode\u003egpresult.exe\u003c/code\u003e with suspicious parameters.\u003c/li\u003e\n\u003cli\u003eEnable Windows process creation logging to capture command-line arguments used with \u003ccode\u003egpresult.exe\u003c/code\u003e and other executables.\u003c/li\u003e\n\u003cli\u003eReview and harden Group Policy configurations to minimize the risk of exploitation by attackers.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u0026ldquo;Group Policy Discovery via GPResult\u0026rdquo; to determine the context and intent of the activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-gpresult-discovery/","summary":"Detects the execution of `gpresult.exe` with arguments `/z`, `/v`, `/r`, or `/x` on Windows systems, which attackers may use during reconnaissance to enumerate Group Policy Objects and identify opportunities for privilege escalation or lateral movement.","title":"Group Policy Discovery via Microsoft GPResult Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-gpresult-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["persistence","browser-extension","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies the installation of browser extensions on Windows systems, which can be a sign of malicious activity. Threat actors may install malicious browser extensions through app store downloads disguised as legitimate extensions, social engineering tactics, or by directly compromising a system. These extensions can then be used for persistence, data theft, or other malicious purposes. The rule focuses on monitoring file creation events related to browser extension installations, specifically targeting the file paths and types associated with Firefox (.xpi) and Chromium-based browsers (.crx). It excludes known safe processes and extensions to reduce false positives. This detection is relevant for defenders because malicious browser extensions can provide a persistent foothold for attackers, allowing them to maintain access to compromised systems and user data. The rule is based on EQL and can be used with Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user\u0026rsquo;s system is compromised, potentially through social engineering or existing malware.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the system and attempts to install a malicious browser extension.\u003c/li\u003e\n\u003cli\u003eThe attacker drops the extension file (.xpi for Firefox, .crx for Chromium) into the appropriate browser extension directory (e.g., \u003ccode\u003eC:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\*\\\\Profiles\\\\*\\\\Extensions\\\\\u003c/code\u003e for Firefox or \u003ccode\u003eC:\\\\Users\\\\*\\\\AppData\\\\Local\\\\*\\\\*\\\\User Data\\\\Webstore Downloads\\\\\u003c/code\u003e for Chromium).\u003c/li\u003e\n\u003cli\u003eA file creation event is triggered as the extension file is created in the target directory.\u003c/li\u003e\n\u003cli\u003eThe detection rule identifies this file creation event based on the file name and path, filtering out known safe processes like firefox.exe.\u003c/li\u003e\n\u003cli\u003eThe malicious extension installs itself into the browser.\u003c/li\u003e\n\u003cli\u003eThe extension gains persistence by loading every time the browser starts.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform malicious actions such as monitoring browsing activity, stealing credentials, or injecting malicious content into web pages.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using malicious browser extensions can lead to persistent access to the compromised system, allowing attackers to steal sensitive information such as credentials, financial data, or personal information. This can result in financial loss, identity theft, and reputational damage. The installation of malicious extensions can also lead to the injection of malicious content into web pages, redirecting users to phishing sites or distributing malware. The scope of the impact can range from individual users to entire organizations, depending on the extent of the compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) logging to capture the necessary file creation events for this detection.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eBrowser Extension Install via File Creation\u003c/code\u003e to your SIEM and tune the exclusions for your specific environment.\u003c/li\u003e\n\u003cli\u003eReview and update the list of known safe processes and extensions in the Sigma rule \u003ccode\u003eBrowser Extension Install via File Creation\u003c/code\u003e to minimize false positives.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting policies to restrict the installation of unauthorized browser extensions.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks associated with installing browser extensions from untrusted sources and encourage them to only install extensions from official browser stores.\u003c/li\u003e\n\u003cli\u003eImplement policies to regularly review installed browser extensions across the organization.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-browser-extension-install/","summary":"This rule identifies the installation of potentially malicious browser extensions, which adversaries can leverage for persistence and unauthorized activity by monitoring file creation events in common browser extension directories on Windows systems.","title":"Detection of Malicious Browser Extension Installation","url":"https://feed.craftedsignal.io/briefs/2024-01-browser-extension-install/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","command-and-control","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne"],"content_html":"\u003cp\u003eAttackers often abuse the \u003ccode\u003erundll32.exe\u003c/code\u003e utility to execute malicious Dynamic Link Libraries (DLLs), blending their activity with legitimate system operations. This detection identifies instances where \u003ccode\u003erundll32.exe\u003c/code\u003e establishes outbound network connections, particularly when executed without command-line arguments. Such behavior deviates from typical usage and may indicate command and control (C2) activity or other malicious actions. The rule is designed to detect command and control activity where adversaries are using \u003ccode\u003erundll32.exe\u003c/code\u003e without arguments to make external network connections. The rule uses data from Elastic Defend, Sysmon, and SentinelOne to detect this behavior. The rule specifically excludes connections to well-known private and reserved IP ranges to reduce false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, possibly through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to execute a malicious DLL using \u003ccode\u003erundll32.exe\u003c/code\u003e without specifying arguments, which is an anomaly.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003erundll32.exe\u003c/code\u003e is invoked with a command line resembling: \u003ccode\u003erundll32.exe \u0026lt;path_to_dll\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL initiates an outbound network connection to an external IP address.\u003c/li\u003e\n\u003cli\u003eThe network connection attempts to bypass firewall rules by masquerading as a legitimate system process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses this connection to establish a command and control channel.\u003c/li\u003e\n\u003cli\u003eData exfiltration or further exploitation activities occur over the established C2 channel.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft, ransomware deployment, or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish command and control channels on compromised systems, leading to potential data exfiltration, lateral movement within the network, and deployment of ransomware. This can result in significant financial losses, reputational damage, and disruption of business operations. The impact is broad, affecting any Windows environment where \u003ccode\u003erundll32.exe\u003c/code\u003e is used.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Unusual Network Connection via RunDLL32\u003c/code\u003e to your SIEM and tune for your environment to detect unusual network connections made by \u003ccode\u003erundll32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation and network connection logging to capture necessary events for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent processes of \u003ccode\u003erundll32.exe\u003c/code\u003e and the destination IP addresses of the network connections.\u003c/li\u003e\n\u003cli\u003eReview and harden firewall rules to prevent unauthorized outbound connections from system processes like \u003ccode\u003erundll32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted DLLs via \u003ccode\u003erundll32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T10:00:00Z","date_published":"2024-01-26T10:00:00Z","id":"/briefs/2024-01-rundll32-network-connection/","summary":"The rule detects unusual outbound network connections made by rundll32.exe, specifically when executed with minimal arguments, which may indicate command and control activity or defense evasion tactics on Windows systems.","title":"Unusual Network Connection via RunDLL32","url":"https://feed.craftedsignal.io/briefs/2024-01-rundll32-network-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["persistence","bits","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThe Background Intelligent Transfer Service (BITS) is a Windows service used for asynchronous, prioritized, and throttled file transfers. Attackers can abuse BITS to establish persistence by using the \u003ccode\u003eSetNotifyCmdLine\u003c/code\u003e method to execute a program after a BITS job completes or enters a specific state. This technique allows adversaries to run arbitrary code with elevated privileges, bypassing traditional security measures. The detection rule identifies suspicious processes initiated by BITS, excluding known legitimate executables like \u003ccode\u003eWerFaultSecure.exe\u003c/code\u003e, \u003ccode\u003eWerFault.exe\u003c/code\u003e, \u003ccode\u003ewermgr.exe\u003c/code\u003e, and \u003ccode\u003edirectxdatabaseupdater.exe\u003c/code\u003e. This behavior can be employed to maintain access to a compromised system, even after a reboot or user logout. Defenders need to monitor BITS activity for unusual command-line executions to detect and prevent potential persistence attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system through other means (e.g., phishing, exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the BITSAdmin tool or PowerShell cmdlets to create a new BITS job.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the BITS job to download a malicious payload or execute a malicious script.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the \u003ccode\u003eSetNotifyCmdLine\u003c/code\u003e method to set a command that will be executed upon job completion or a specified state change.\u003c/li\u003e\n\u003cli\u003eThe BITS service executes the specified command, which can be a script interpreter (e.g., \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e) or a malicious executable.\u003c/li\u003e\n\u003cli\u003eThe malicious command downloads or executes further payloads, establishing persistence on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access, allowing them to execute commands, steal data, or perform other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to compromised systems. This can lead to data theft, further malware deployment, or complete system compromise. The BITS service runs with elevated privileges, so any command executed via \u003ccode\u003eSetNotifyCmdLine\u003c/code\u003e will also run with those privileges. This persistence mechanism is difficult to detect because BITS is a legitimate Windows service, and its activity can be easily masked as normal system operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for processes spawned by \u003ccode\u003esvchost.exe\u003c/code\u003e with arguments containing \u0026ldquo;BITS\u0026rdquo; but not in the exclusion list (WerFaultSecure.exe, WerFault.exe, wermgr.exe, directxdatabaseupdater.exe) using the \u0026ldquo;Persistence via BITS Job Notify Cmdline\u0026rdquo; rule.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Suspicious BITS Job Creation\u0026rdquo; to identify unusual BITS job creation activities.\u003c/li\u003e\n\u003cli\u003eReview BITS job configurations on systems to identify and remove any unauthorized or suspicious jobs.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture detailed information about process execution, including parent-child relationships and command-line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T10:00:00Z","date_published":"2024-01-26T10:00:00Z","id":"/briefs/2024-01-26-bits-persistence/","summary":"Adversaries can achieve persistence by abusing the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program after a job finishes, leading to arbitrary code execution and system compromise.","title":"Persistence via BITS Job Notify Cmdline","url":"https://feed.craftedsignal.io/briefs/2024-01-26-bits-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Diagnostics Troubleshooting Wizard (MSDT)","Microsoft Defender XDR"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","msdt","windows"],"_cs_type":"threat","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThe Microsoft Diagnostics Troubleshooting Wizard (MSDT) is a built-in Windows tool used for troubleshooting various system issues. Attackers can abuse MSDT to proxy malicious command or binary execution through carefully crafted process arguments, evading traditional defense mechanisms. This technique leverages the trust associated with a signed Microsoft binary (msdt.exe) to execute arbitrary commands. The detection rule identifies suspicious MSDT executions based on command-line arguments, filename discrepancies, and unusual process relationships. This activity has been observed since at least May 2022 and continues to be a relevant defense evasion technique. Defenders should monitor for unusual invocations of MSDT, especially when launched from untrusted sources or with suspicious arguments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access via an unspecified vector (e.g., phishing, drive-by download).\u003c/li\u003e\n\u003cli\u003eThe attacker uses a malicious document or script to invoke \u003ccode\u003emsdt.exe\u003c/code\u003e with specific arguments.\u003c/li\u003e\n\u003cli\u003eMSDT is executed with a crafted \u003ccode\u003eIT_RebrowseForFile\u003c/code\u003e or \u003ccode\u003eIT_BrowseForFile\u003c/code\u003e parameter containing a malicious payload.\u003c/li\u003e\n\u003cli\u003eAlternatively, MSDT is executed with \u003ccode\u003e-af /skip\u003c/code\u003e and a path to a malicious \u003ccode\u003ePCWDiagnostic.xml\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eMSDT processes the malicious input, leading to the execution of attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes, potentially downloading or executing further payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence by modifying registry keys or creating scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally through the network, compromising additional systems and data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass security controls and execute arbitrary code on compromised systems. This can lead to data theft, system compromise, and further propagation of the attack within the network. The defense evasion tactic can obscure malicious activities, making it more difficult to detect and respond to incidents. Depending on the user\u0026rsquo;s privileges, the attacker might gain elevated privileges on the system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect suspicious MSDT executions based on process arguments, filename discrepancies, and unusual parent-child relationships.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003emsdt.exe\u003c/code\u003e with arguments containing \u003ccode\u003eIT_RebrowseForFile=*\u003c/code\u003e, \u003ccode\u003e*FromBase64*\u003c/code\u003e, or \u003ccode\u003e*/../../../*\u003c/code\u003e using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the necessary process execution details for the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the process command line, parent process, and any spawned child processes.\u003c/li\u003e\n\u003cli\u003eBlock execution of \u003ccode\u003emsdt.exe\u003c/code\u003e from non-standard paths as highlighted in the detection rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-25T14:23:00Z","date_published":"2024-01-25T14:23:00Z","id":"/briefs/2024-01-25-msdt-abuse/","summary":"This rule detects potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments on Windows systems.","title":"Suspicious Microsoft Diagnostics Wizard Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-25-msdt-abuse/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection rule identifies anomalous creation or modification of executable files by critical Windows system processes, like \u003ccode\u003esmss.exe\u003c/code\u003e, \u003ccode\u003ecsrss.exe\u003c/code\u003e, and \u003ccode\u003elsass.exe\u003c/code\u003e. Attackers may attempt to leverage these processes to evade detection, and the rule is designed to detect such activities. The rule leverages data from Elastic Defend, Microsoft Defender XDR, SentinelOne, CrowdStrike, and Sysmon. It provides investigation steps to help analysts triage and analyze potential incidents, focusing on the identity of the writing process, its lineage, and the characteristics of the written file. This rule is designed to detect potential remote code execution or other forms of exploitation targeting Windows systems. The rule logic excludes specific legitimate file paths to minimize false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through methods such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes code on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a system critical process to create or modify an executable file.\u003c/li\u003e\n\u003cli\u003eThe created/modified file may be a backdoor, malware component, or a tool for further exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the created executable to establish persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly created executable to perform lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution with elevated privileges. The number of victims is dependent on the scope of the initial compromise. The targeted sectors include any organization running vulnerable Windows systems. If the attack succeeds, the adversary can gain full control over the system, leading to data theft, system disruption, or further propagation of malware.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Unusual Executable File Creation by a System Critical Process\u0026rdquo; detection rule to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon file creation logging (Event ID 11) to enhance detection capabilities (see setup instructions in the rule source).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, paying close attention to the writing process\u0026rsquo;s identity, lineage, and the characteristics of the written file as detailed in the rule\u0026rsquo;s triage and analysis section.\u003c/li\u003e\n\u003cli\u003eCorrelate alerts from this rule with other endpoint and network activity to identify the scope of the potential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-25T12:00:00Z","date_published":"2024-01-25T12:00:00Z","id":"/briefs/2024-01-25-unusual-executable-file-creation/","summary":"The rule identifies unexpected executable file creation or modification by critical Windows processes, potentially indicating remote code execution or exploitation attempts.","title":"Unusual Executable File Creation by a System Critical Process","url":"https://feed.craftedsignal.io/briefs/2024-01-25-unusual-executable-file-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["exfiltration","credential-access","windows","smb","ntlm"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection strategy focuses on identifying unusual Server Message Block (SMB) traffic that originates from internal IP addresses and connects to external networks. The SMB protocol, commonly used for file and printer sharing within a network, can be exploited to exfiltrate data by injecting rogue UNC paths to capture NTLM credentials. This activity is often associated with threat actors attempting to steal credentials for lateral movement or data exfiltration. Defenders should be aware of this technique as it allows adversaries to bypass traditional security controls by leveraging a legitimate protocol for malicious purposes. This detection is relevant for environments utilizing Windows operating systems and SMB for internal network communications. The goal is to identify and alert on SMB connections to external IPs, excluding known safe ranges and legitimate business applications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises an internal system via phishing or other means (not detailed in source).\u003c/li\u003e\n\u003cli\u003eThe attacker injects a rogue UNC path into a document, email, or other medium.\u003c/li\u003e\n\u003cli\u003eA user opens the malicious document or clicks the injected link, triggering an SMB connection to a malicious external server.\u003c/li\u003e\n\u003cli\u003eThe SMB connection attempts to authenticate with the user\u0026rsquo;s NTLM credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker captures the NTLM hash from the authentication attempt.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to crack the NTLM hash to obtain the user\u0026rsquo;s password.\u003c/li\u003e\n\u003cli\u003eUsing the cracked password, the attacker gains unauthorized access to other systems and resources on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to credential theft, allowing attackers to gain unauthorized access to sensitive data and systems within the organization. This can result in data breaches, financial losses, and reputational damage. The impact is significant because SMB is a common protocol within many Windows environments, making this technique highly effective if not properly monitored.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect SMB Connection to External IP\u0026rdquo; to your SIEM to identify potentially malicious SMB connections to the internet. Tune the rule by excluding known good external IPs used by legitimate services.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 3 (Network Connection) with proper filtering to capture SMB traffic details as recommended in the linked setup guide, to enhance the fidelity of the detection.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict SMB traffic to only necessary internal communications, reducing the attack surface and mitigating the risk of external exposure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-25T12:00:00Z","date_published":"2024-01-25T12:00:00Z","id":"/briefs/2024-01-rare-smb-exfiltration/","summary":"This brief details a detection strategy for rare SMB connections originating from internal networks to the internet, potentially indicating NTLM credential theft via rogue UNC path injection.","title":"Detecting Rare SMB Connections for Potential NTLM Credential Theft","url":"https://feed.craftedsignal.io/briefs/2024-01-rare-smb-exfiltration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["execution","windows","scripting","archive"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers commonly use archive files (ZIP, RAR, 7z) to deliver malicious scripts, such as JScript and VBScript, to Windows systems. This technique allows them to bypass some initial security checks and deliver payloads that can execute arbitrary code. The \u0026ldquo;Windows Script Execution from Archive\u0026rdquo; detection identifies instances where Windows Script Host (wscript.exe) is launched from temporary directories containing extracted archive contents. This activity can indicate a user has opened a malicious archive, leading to potential malware execution. This detection focuses on the parent-child process relationship, where explorer.exe, winrar.exe, or 7zFM.exe spawns wscript.exe to execute scripts from the temp directory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user receives a malicious archive file (e.g., ZIP, RAR, 7z) via email or downloads it from a website.\u003c/li\u003e\n\u003cli\u003eThe user opens the archive file using a file archiver tool like Explorer, WinRAR, or 7-Zip.\u003c/li\u003e\n\u003cli\u003eThe archiver extracts the contents, including a malicious JScript (.js) or VBScript (.vbs) file, to a temporary directory, such as \u003ccode\u003e\\Users\\*\\AppData\\Local\\Temp\\7z*\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe user (or the archiver tool) inadvertently executes the extracted script using Windows Script Host (wscript.exe).\u003c/li\u003e\n\u003cli\u003eWscript.exe executes the malicious script, which may perform a variety of actions, such as downloading and executing additional payloads.\u003c/li\u003e\n\u003cli\u003eThe script establishes persistence via registry modification, adding a run key to execute upon system startup.\u003c/li\u003e\n\u003cli\u003eThe script connects to a command-and-control server to receive further instructions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the compromised system and begins lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack of this nature can lead to arbitrary code execution on the victim\u0026rsquo;s machine, potentially resulting in data theft, malware installation, or complete system compromise. While the number of affected organizations is not specified, the technique is broadly applicable to any Windows environment where users handle archive files, potentially affecting numerous individuals and organizations across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture the execution of wscript.exe and its arguments.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Script Execution from Archive\u0026rdquo; to your SIEM to identify suspicious script execution patterns.\u003c/li\u003e\n\u003cli\u003eMonitor process activity for wscript.exe and other scripting engines executing from temporary directories.\u003c/li\u003e\n\u003cli\u003eConfigure endpoint security solutions to block execution of scripts from common temporary directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-script-exec-archive/","summary":"This rule identifies attempts to execute Jscript/Vbscript files from an archive file, a common delivery method for malicious scripts on Windows systems.","title":"Windows Script Execution from Archive File","url":"https://feed.craftedsignal.io/briefs/2024-01-script-exec-archive/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","persistence","suid","sgid"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule, sourced from Elastic, identifies instances where a process executes with root privileges (UID/GID 0) while the real user/group ID is non-zero. This condition suggests that the process has been granted SUID/SGID permissions, potentially allowing it to run with elevated privileges. Attackers may exploit such misconfigurations to escalate their privileges to root or establish persistence mechanisms. The rule focuses on Linux systems and leverages Elastic Defend data to identify such events. The initial publication date of the rule was in June 2024, with updates made as recently as May 2026. This type of misconfiguration can lead to significant security breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user (non-root) executes a binary that has the SUID or SGID bit set.\u003c/li\u003e\n\u003cli\u003eThe system checks the permissions of the executable and identifies the SUID/SGID bit.\u003c/li\u003e\n\u003cli\u003eThe process spawns with the effective UID/GID set to the owner/group of the executable file (typically root).\u003c/li\u003e\n\u003cli\u003eThe process attempts to perform actions that require elevated privileges.\u003c/li\u003e\n\u003cli\u003eIf the SUID/SGID binary is vulnerable, the attacker can leverage it to execute arbitrary commands as root.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to root, gaining full control over the system.\u003c/li\u003e\n\u003cli\u003eThe attacker installs a backdoor for persistent access.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of SUID/SGID misconfigurations can grant an attacker root-level access to a Linux system. This can lead to complete system compromise, including data theft, installation of malware, and the potential for lateral movement to other systems on the network. A single compromised system can be leveraged to attack other internal assets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect potential SUID/SGID exploitation (see the \u003ccode\u003erules\u003c/code\u003e section).\u003c/li\u003e\n\u003cli\u003eReview the SUID/SGID binaries identified by the rule and verify their configurations to ensure they are correctly set and necessary.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for SUID/SGID execution attempts to detect and respond to similar threats in the future (Data Source: Elastic Defend).\u003c/li\u003e\n\u003cli\u003eConsider implementing stricter access controls and reducing the number of SUID/SGID binaries on the system to minimize the attack surface.\u003c/li\u003e\n\u003cli\u003eInvestigate the parent process of the flagged binaries to determine the origin of the execution and whether it aligns with expected behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-suid-sgid-privesc/","summary":"This rule detects potential privilege escalation attempts on Linux systems by identifying processes running with root privileges but initiated by non-root users, indicative of SUID/SGID abuse.","title":"Potential Privilege Escalation via SUID/SGID Abuse on Linux","url":"https://feed.craftedsignal.io/briefs/2024-01-suid-sgid-privesc/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["threat-detection","higher-order-rule"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule, created by Elastic, is designed to identify potentially compromised hosts by aggregating alert data. It focuses on scenarios where a single host triggers multiple alerts associated with different phases of an attack, as defined by the ATT\u0026amp;CK framework. The rule calculates a risk score based on the number and severity of alerts, prioritizing hosts exceeding a defined threshold. By focusing on hosts exhibiting diverse attack tactics, analysts can more effectively triage and respond to complex, multi-stage intrusions. This rule helps filter out noisy alerts such as \u0026ldquo;Agent Spoofing\u0026rdquo;, \u0026ldquo;Compression DLL Loaded by Unusual Process\u0026rdquo;, and \u0026ldquo;Potential PrintNightmare File Modification\u0026rdquo;, and focuses on alerts where \u003ccode\u003ekibana.alert.risk_score\u003c/code\u003e is greater than 0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn adversary gains initial access to a host through various methods.\u003c/li\u003e\n\u003cli\u003eThe adversary executes malicious code or commands on the host.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence to maintain access.\u003c/li\u003e\n\u003cli\u003eThe adversary attempts to escalate privileges to gain higher-level control.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement to compromise other systems.\u003c/li\u003e\n\u003cli\u003eThe adversary gathers information about the compromised environment.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data from the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack, as identified by this rule, can lead to significant data breaches, system compromise, and operational disruption. Multiple alerts across various tactics suggest a sophisticated and persistent attacker. Prioritizing hosts identified by this rule enables security teams to quickly contain and remediate advanced threats, minimizing potential damage and reducing the overall impact on the organization. Without this detection, analysts might miss critical correlations between seemingly isolated alerts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to identify potentially compromised hosts based on multiple alerts across different ATT\u0026amp;CK tactics.\u003c/li\u003e\n\u003cli\u003eInvestigate any hosts flagged by this rule, correlating the alert data with other logs and telemetry to understand the full scope of the attack.\u003c/li\u003e\n\u003cli\u003eTune the threshold values in the Sigma rule (distinct rule count, tactic count, risk score) to align with your environment and risk tolerance.\u003c/li\u003e\n\u003cli\u003eEnable logging for process creation, network connections, and file modifications on all hosts to provide sufficient data for the detection rule.\u003c/li\u003e\n\u003cli\u003eReview the \u0026ldquo;False positive analysis\u0026rdquo; section of the rule\u0026rsquo;s documentation to identify and exclude known benign activities that may trigger the rule.\u003c/li\u003e\n\u003cli\u003eUse the \u003ccode\u003eEsql.kibana_alert_rule_name_values\u003c/code\u003e field in the rule output to quickly identify the specific alert types triggering the rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-multiple-alerts-risky-host/","summary":"This rule uses alert data to identify hosts with multiple alerts across different ATT\u0026CK tactics, indicating a higher likelihood of compromise and enabling analysts to prioritize triage and response based on accumulated risk score.","title":"Multiple Alerts in Different ATT\u0026CK Tactics by Host","url":"https://feed.craftedsignal.io/briefs/2024-01-multiple-alerts-risky-host/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Elastic Endgame","Sysmon","AA_v*.exe","AeroAdmin.exe","AnyDesk.exe","apc_Admin.exe","apc_host.exe","AteraAgent.exe","aweray_remote*.exe","AweSun.exe","AgentMon.exe","B4-Service.exe","BASupSrvc.exe","bomgar-scc.exe","domotzagent.exe","domotz-windows-x64-10.exe","dwagsvc.exe","DWRCC.exe","ImperoClientSVC.exe","ImperoServerSVC.exe","ISLLight.exe","ISLLightClient.exe","fleetdeck_commander*.exe","getscreen.exe","g2aservice.exe","GoToAssistService.exe","gotohttp.exe","jumpcloud-agent.exe","level.exe","LvAgent.exe","LMIIgnition.exe","LogMeIn.exe","Lunixar.exe","LunixarRemote.exe","LunixarUpdater.exe","ManageEngine_Remote_Access_Plus.exe","MeshAgent.exe","Mikogo-Service.exe","NinjaRMMAgent.exe","NinjaRMMAgenPatcher.exe","ninjarmm-cli.exe","parsec.exe","PService.exe","quickassist.exe","r_server.exe","radmin.exe","radmin3.exe","RCClient.exe","RCService.exe","RemoteDesktopManager.exe","RemotePC.exe","RemotePCDesktop.exe","RemotePCService.exe","rfusclient.exe","ROMServer.exe","ROMViewer.exe","RPCSuite.exe","rserver3.exe","rustdesk.exe","rutserv.exe","rutview.exe","saazapsc.exe","ScreenConnect*.exe","session_win.exe","Remote Support.exe","smpcview.exe","spclink.exe","Splashtop-streamer.exe","Syncro.Overmind.Service.exe","SyncroLive.Agent.Runner.exe","SRService.exe","strwinclt.exe","Supremo.exe","SupremoService.exe","tacticalrmm.exe","tailscale.exe","tailscaled.exe","teamviewer.exe","ToDesk_Service.exe","twingate.exe","TiClientCore.exe","TSClient.exe","tvn.exe","tvnserver.exe","tvnviewer.exe","UltraVNC*.exe","UltraViewer*.exe","vncserver.exe","vncviewer.exe","winvnc.exe","winwvc.exe","Zaservice.exe","ZohoURS.exe","Velociraptor.exe","ToolsIQ.exe","CagService.exe","ScreenConnect.ClientService.exe","TiAgent.exe","GoToResolveProcessChecker.exe","GoToResolveUnattended.exe","Syncro.Installer.exe"],"_cs_severities":["medium"],"_cs_tags":["remote-access","rmm","command-and-control","persistence"],"_cs_type":"advisory","_cs_vendors":["Elastic","Action1 Corporation","AeroAdmin LLC","Ammyy LLC","Atera Networks Ltd","AWERAY PTE. LTD.","BeamYourScreen GmbH","Bomgar Corporation","DUC FABULOUS CO.,LTD","DOMOTZ INC.","DWSNET OÜ","FleetDeck Inc","GlavSoft LLC","Hefei Pingbo Network Technology Co. Ltd","IDrive, Inc.","IMPERO SOLUTIONS LIMITED","Instant Housecall","ISL Online Ltd.","LogMeIn, Inc.","LUNIXAR SAS DE CV","MMSOFT Design Ltd.","Nanosystems S.r.l.","NetSupport Ltd","NinjaRMM, LLC","Parallels International GmbH","philandro Software GmbH","Pro Softnet Corporation","RealVNC","Remote Utilities LLC","Rocket Software, Inc.","SAFIB","Servably, Inc.","ShowMyPC INC","Splashtop Inc.","Superops Inc.","TeamViewer","Techinline Limited","uvnc bvba","Yakhnovets Denis Aleksandrovich IP","Zhou Huabing","ZOHO Corporation Private Limited","Connectwise, LLC","BreakingSecurity.net","Tailscale","Twingate","RustDesk","Zoho","JumpCloud","ScreenConnect","GoTo"],"content_html":"\u003cp\u003eAttackers commonly abuse legitimate remote monitoring and management (RMM) tools and remote access software for command and control (C2), persistence, and execution of native commands on compromised endpoints. These tools provide attackers with the ability to maintain access, execute commands, and move laterally within a network. This detection identifies when a process associated with commonly abused RMM/remote access tools is observed for the first time on a host. The rule is designed to trigger when a new process name or code signature associated with RMM software, or a child process of such software, is seen within a configured history window. This helps defenders quickly identify potentially malicious use of legitimate tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to a target system through various methods, such as exploiting vulnerabilities or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eTool Deployment: The attacker deploys a remote monitoring and management (RMM) tool or remote access software on the compromised endpoint. This may involve downloading and installing the tool, or exploiting existing installations.\u003c/li\u003e\n\u003cli\u003ePersistence: The RMM tool is configured to run persistently on the system, ensuring that the attacker maintains access even after a reboot or other disruption. This may involve creating a service or adding a registry key to ensure the tool starts automatically.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The attacker uses the RMM tool to establish a command and control (C2) channel with the compromised system. This allows them to remotely execute commands, transfer files, and monitor activity on the system.\u003c/li\u003e\n\u003cli\u003eLateral Movement: Using the RMM tool, the attacker moves laterally within the network, compromising additional systems and escalating their access. This may involve using the tool to access shared resources or execute commands on other systems.\u003c/li\u003e\n\u003cli\u003eData Exfiltration or Ransomware Deployment: The attacker uses their access to exfiltrate sensitive data from the compromised network or deploy ransomware to encrypt files and demand a ransom payment.\u003c/li\u003e\n\u003cli\u003eCleanup: The attacker may attempt to remove traces of their activity, such as logs or files associated with the RMM tool, to avoid detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromise via RMM tools can lead to significant data breaches, financial losses, and reputational damage. The use of legitimate tools makes detection more difficult. Successful attacks can result in ransomware deployment, data theft, and prolonged unauthorized access to sensitive systems. Organizations in all sectors are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the process creation rule to detect the execution of RMM tools on endpoints based on \u003ccode\u003eprocess.name\u003c/code\u003e and \u003ccode\u003eprocess.code_signature.subject_name\u003c/code\u003e criteria in the query.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to ensure the collection of necessary event data for the detection rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the detection rule to determine whether the execution of the RMM tool is authorized and legitimate. Refer to the references for a list of commonly abused RMM tools and associated indicators.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-first-time-seen-rmm/","summary":"Detects the execution of previously unseen remote monitoring and management (RMM) tools or remote access software on compromised Windows endpoints, often leveraged for command-and-control, persistence, and execution of malicious commands.","title":"First Time Seen Remote Monitoring and Management Tool Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-first-time-seen-rmm/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","masquerading","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft"],"content_html":"\u003cp\u003eAdversaries may use masquerading techniques to evade defenses and blend into the environment by manipulating the name or location of a file, tricking users into executing malicious code disguised as a benign file type. This rule detects the creation of executable files with multiple extensions, a common method of masquerading. The rule focuses on identifying suspicious file creations that use misleading extensions, specifically targeting files with an \u0026ldquo;.exe\u0026rdquo; extension preceded by common benign extensions. It excludes known legitimate processes to minimize false positives. This activity is relevant for defenders to identify potential threats where adversaries attempt to bypass security measures by disguising malicious files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious executable file with a double extension (e.g., \u0026ldquo;document.pdf.exe\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious file to the target system via phishing or other means.\u003c/li\u003e\n\u003cli\u003eThe user downloads or receives the file and attempts to open it.\u003c/li\u003e\n\u003cli\u003eWindows displays the file with the first extension (\u0026ldquo;document.pdf\u0026rdquo;) by default, misleading the user.\u003c/li\u003e\n\u003cli\u003eUpon execution, Windows recognizes the \u0026ldquo;.exe\u0026rdquo; extension and executes the file.\u003c/li\u003e\n\u003cli\u003eThe malicious executable runs, potentially deploying malware or performing other unauthorized actions.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence or attempts lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data theft or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to malware infection, data breaches, and system compromise. This technique bypasses common file type restrictions and user awareness, potentially affecting a wide range of users and systems. While the number of victims is not specified, the impact can be significant, particularly in organizations where users handle sensitive data. The affected sectors are broad, encompassing any organization where users are susceptible to social engineering attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Executable File Creation with Multiple Extensions\u0026rdquo; to your SIEM and tune for your environment to detect the creation of suspicious files with multiple extensions.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) for comprehensive file creation monitoring to improve the effectiveness of the detection rule.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for similar file creation activities to improve detection and response capabilities.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks associated with double file extensions and encourage caution when opening attachments from unknown sources.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate software installations that may create executables with multiple extensions to reduce false positives, as described in the rule\u0026rsquo;s triage notes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-executable-file-creation-multiple-extensions/","summary":"Detection of executable files created with multiple extensions, a masquerading technique to evade defenses.","title":"Executable File Creation with Multiple Extensions","url":"https://feed.craftedsignal.io/briefs/2024-01-executable-file-creation-multiple-extensions/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Endgame","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Sysmon","Windows Security Event Logs","Crowdstrike"],"_cs_severities":["high"],"_cs_tags":["credential-access","registry-dump","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies attempts to export registry hives containing sensitive credential information using the Windows \u003ccode\u003ereg.exe\u003c/code\u003e utility. Attackers may target the \u003ccode\u003eHKLM\\SAM\u003c/code\u003e and \u003ccode\u003eHKLM\\SECURITY\u003c/code\u003e hives to extract stored credentials, including password hashes and LSA secrets. The activity is often part of a broader credential access campaign. The rule focuses on detecting the execution of \u003ccode\u003ereg.exe\u003c/code\u003e with specific arguments indicating an attempt to save or export these critical registry hives. The use of \u003ccode\u003ereg.exe\u003c/code\u003e makes this technique accessible to various threat actors, including ransomware groups and nation-state actors. Defenders need to monitor for this activity to prevent unauthorized credential access and potential lateral movement within the network. This rule specifically looks for \u0026ldquo;save\u0026rdquo; and \u0026ldquo;export\u0026rdquo; arguments targeting SAM and SECURITY hives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ereg.exe\u003c/code\u003e from the command line or through a script.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ereg.exe\u003c/code\u003e command includes arguments to save or export registry hives.\u003c/li\u003e\n\u003cli\u003eThe target registry hives are \u003ccode\u003eHKLM\\SAM\u003c/code\u003e and \u003ccode\u003eHKLM\\SECURITY\u003c/code\u003e, containing sensitive credential information.\u003c/li\u003e\n\u003cli\u003eThe exported registry hive is saved to a file on disk or a network share.\u003c/li\u003e\n\u003cli\u003eThe attacker may compress or encrypt the exported registry hive to evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the exported registry hive for offline analysis.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts credential information from the registry hive, such as password hashes and LSA secrets, to use in lateral movement or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to acquire sensitive credentials stored within the registry. This can lead to lateral movement within the network, privilege escalation, and ultimately, data exfiltration or system compromise. Compromised credentials can be used to access critical systems and data, causing significant damage to the organization. The impact is considered high due to the potential for widespread access and control over the compromised environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation auditing with command line arguments to capture the execution of \u003ccode\u003ereg.exe\u003c/code\u003e with relevant arguments. (\u003ca href=\"https://ela.st/audit-process-creation\"\u003eData Source: Windows Security Event Logs, Sysmon\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Registry Hive Export via Reg.exe\u003c/code\u003e to your SIEM to detect the execution of \u003ccode\u003ereg.exe\u003c/code\u003e with arguments indicative of registry hive dumping.\u003c/li\u003e\n\u003cli\u003eImplement access controls and monitor file system activity to detect unauthorized access or modification of registry hive files.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of \u003ccode\u003ereg.exe\u003c/code\u003e to authorized personnel and processes.\u003c/li\u003e\n\u003cli\u003eMonitor for parent processes of \u003ccode\u003ereg.exe\u003c/code\u003e that are unusual or unexpected, which might indicate malicious activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by reviewing the process command line, parent process, and destination of the exported registry hive.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-24-registry-hive-dump/","summary":"Detects attempts to export sensitive Windows registry hives (SAM/SECURITY) using reg.exe, potentially leading to credential compromise.","title":"Credential Acquisition via Registry Hive Dumping","url":"https://feed.craftedsignal.io/briefs/2024-01-24-registry-hive-dump/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Security"],"_cs_severities":["high"],"_cs_tags":["threat-detection","higher-order-rule"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule, sourced from Elastic\u0026rsquo;s detection ruleset, is designed to identify potential user account compromises by aggregating and analyzing existing alert data. The rule focuses on scenarios where a single user triggers multiple distinct alerts, suggesting a higher likelihood of malicious activity. By excluding low-severity alerts and known system accounts, the rule aims to minimize false positives and prioritize investigations. This approach is particularly useful in environments where attackers may attempt to blend in with normal user activity while escalating privileges or moving laterally within the network. The rule utilizes esql to correlate alerts based on user ID. The rule was last updated on 2026/04/27.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a user account, potentially through phishing, credential stuffing, or other methods.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges within the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance activities, such as discovering sensitive files or network shares.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems within the network using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses sensitive data, potentially exfiltrating it from the network.\u003c/li\u003e\n\u003cli\u003eThese actions trigger various security alerts related to privilege escalation, lateral movement, and data access.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;Multiple Alerts Involving a User\u0026rdquo; rule detects the correlation between these alerts based on the user ID.\u003c/li\u003e\n\u003cli\u003eSecurity analysts are alerted to investigate the compromised user account and contain the potential damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging a compromised user account can lead to significant data breaches, financial losses, and reputational damage. The impact can range from unauthorized access to sensitive data to the complete takeover of critical systems. By identifying compromised user accounts early, organizations can mitigate the potential damage and prevent further escalation of the attack. This detection rule helps prioritize investigations and ensures that security analysts focus on the most critical threats.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMultiple Alerts Involving a User\u003c/code\u003e to your SIEM to detect potential user account compromises based on correlated alerts.\u003c/li\u003e\n\u003cli\u003eEnable audit logging on systems to capture user activity and generate alerts for suspicious actions.\u003c/li\u003e\n\u003cli\u003eReview and tune the threshold values (e.g., distinct alert count) in the Sigma rule to align with your environment and risk tolerance.\u003c/li\u003e\n\u003cli\u003eUse the \u003ccode\u003eResources: Investigation Guide\u003c/code\u003e tag to access guidance on investigating triggered alerts and identifying compromised user accounts.\u003c/li\u003e\n\u003cli\u003eImplement role-based access control (RBAC) to minimize the impact of compromised accounts by limiting access to sensitive resources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T10:00:00Z","date_published":"2024-01-24T10:00:00Z","id":"/briefs/2024-01-24-multiple-alerts-user/","summary":"This rule identifies when multiple different alerts involving the same user are triggered, which could indicate a compromised user account and requires further investigation.","title":"Multiple Alerts Involving a User Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-24-multiple-alerts-user/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Elastic Endgame"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","masquerading","autoit","autohotkey","kix32","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eMalware operators often rename legitimate system and scripting tools to blend in with normal system processes and bypass security measures. This rule specifically detects instances where automation script interpreters like AutoIt, AutoHotkey, and KIX32 have been renamed. By comparing the process name against the original file name embedded in the executable, this detection identifies potential attempts to masquerade malicious scripts as legitimate software. This technique is employed to bypass application whitelisting and other security controls that rely on file names or process names for identification and authorization. This detection is relevant for any Windows environment where these scripting tools are used, as it can highlight potentially malicious activity masked by a common evasion technique.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, often through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or drops a malicious script (e.g., AutoIt, AutoHotkey, or KIX32 script) onto the target machine.\u003c/li\u003e\n\u003cli\u003eThe attacker renames the legitimate AutoIt, AutoHotkey, or KIX32 interpreter executable to a non-standard name (e.g., \u0026ldquo;svchost.exe\u0026rdquo; or \u0026ldquo;wininit.exe\u0026rdquo;) to masquerade as a legitimate process.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the renamed interpreter, which in turn executes the malicious script.\u003c/li\u003e\n\u003cli\u003eThe script performs malicious actions, such as downloading additional malware, modifying system settings, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system for lateral movement within the network or for data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence on the system to ensure continued access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful renaming of script interpreters allows attackers to execute malicious scripts undetected, potentially leading to data theft, system compromise, or further propagation within the network. The impact can range from minor disruption to significant financial loss and reputational damage, depending on the attacker\u0026rsquo;s objectives and the sensitivity of the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Renamed AutoIt Interpreter\u0026rdquo; to your SIEM to detect when AutoIt executables are renamed, focusing on \u003ccode\u003eprocess.pe.original_file_name\u003c/code\u003e and \u003ccode\u003eprocess.name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Renamed AutoHotkey Interpreter\u0026rdquo; to your SIEM to detect when AutoHotkey executables are renamed, focusing on \u003ccode\u003eprocess.pe.original_file_name\u003c/code\u003e and \u003ccode\u003eprocess.name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the necessary process metadata, as referenced in the rule \u003ccode\u003elogsource\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules to determine the legitimacy of the renamed executable and its associated activity as described in the \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-renamed-autoit/","summary":"Detects the renaming of automation script interpreter processes like AutoIt, AutoHotkey, and KIX32, a tactic used by malware operators to evade detection by obscuring the true nature of the executable.","title":"Renamed Automation Script Interpreter","url":"https://feed.craftedsignal.io/briefs/2024-01-renamed-autoit/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Auditd Manager"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","execution","container","auditd","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies instances of \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e being executed from within containers managed by \u003ccode\u003erunc\u003c/code\u003e on Linux systems. The rule leverages Auditd Manager to monitor system calls and flags processes running with the title \u003ccode\u003erunc init\u003c/code\u003e that then execute \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e. This activity is noteworthy because attackers often use these tools to download malicious payloads (stagers, scripts, implants) or to exfiltrate data after compromising a container. While these tools can be used legitimately within containers, their execution in the context of \u003ccode\u003erunc init\u003c/code\u003e suggests a higher risk of malicious activity. The rule focuses on narrowing the signal to the container runtime boundary where unexpected download clients are more worthy of review. The rule specifically leverages Auditd Manager for data collection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a host system, possibly through exploiting a vulnerability in an application running outside the container (e.g., web application).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a containerized application running on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a vulnerability within the container, or abuses a privileged workload within the container, to gain elevated privileges or code execution within the container.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e to download additional tools or scripts into the container. These tools might include reverse shells, credential dumping tools, or data exfiltration utilities.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the downloaded tools to further compromise the container or the underlying host.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e to stage data for exfiltration to an external server. This may involve compressing and encoding data before transmission.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates the data exfiltration process using \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e to send the staged data to a remote server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which could include data theft, system disruption, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised containers can lead to data breaches, service disruptions, and further attacks on internal systems. Successful exploitation could allow attackers to steal sensitive data, install malware, or pivot to other parts of the network, impacting confidentiality, integrity, and availability. The number of affected systems depends on the scope of the container deployment and the privileges granted to the compromised container.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Curl or Wget Execution from Container Context\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Auditd Manager with syscall coverage including \u003ccode\u003eexecve\u003c/code\u003e to capture process execution and arguments within containers, as mentioned in the rule\u0026rsquo;s setup instructions.\u003c/li\u003e\n\u003cli\u003eCorrelate alerts from this rule with network logs to identify the destination IP addresses and domains contacted by the compromised container.\u003c/li\u003e\n\u003cli\u003eBaseline trusted images and exclude stable image digests or namespaces when noisy to reduce false positives, as suggested in the rule\u0026rsquo;s false positives section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-curl-wget-container-execution/","summary":"This rule detects the execution of curl or wget from within runc-backed containers on Linux systems monitored by Auditd Manager, indicating potential ingress tool transfer or data exfiltration by attackers who have compromised the container.","title":"Curl or Wget Execution from Container Context","url":"https://feed.craftedsignal.io/briefs/2024-01-curl-wget-container-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries, such as jscript.dll or vbscript.dll, it may be indicative of an allowlist bypass. Adversaries exploit WMIC to bypass security measures by executing scripts via XSL files. This technique is often used for defense evasion and execution of malicious code. The detection logic focuses on monitoring WMIC executions with atypical arguments (format*:\u003cem\u003e, /format\u003c/em\u003e:\u003cem\u003e, \u003cem\u003e-format\u003c/em\u003e:\u003c/em\u003e) in conjunction with the loading of scripting libraries, indicating potential misuse. The rule is designed for data generated by Elastic Defend and also supports Sysmon data sources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker executes WMIC.exe or wmic.exe with suspicious arguments such as \u0026ldquo;format*:\u003cem\u003e\u0026rdquo;, \u0026ldquo;/format\u003c/em\u003e:\u003cem\u003e\u0026rdquo;, or \u0026ldquo;\u003c/em\u003e-format*:*\u0026rdquo; to leverage XSL script processing.\u003c/li\u003e\n\u003cli\u003eWMIC attempts to load scripting libraries like jscript.dll or vbscript.dll to enable script execution.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the loaded scripting libraries to execute malicious code embedded in an XSL file.\u003c/li\u003e\n\u003cli\u003eThe script performs various malicious actions, such as downloading additional payloads, modifying system configurations, or escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the WMI functionality for lateral movement or persistence within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker evades detection by abusing trusted system binaries (WMIC) and allowlisted scripting engines.\u003c/li\u003e\n\u003cli\u003eThe final objective is to achieve code execution and maintain control over the compromised system for data exfiltration or further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass security measures and execute malicious code on compromised systems. This can lead to a range of adverse effects, including data theft, system compromise, and further propagation of malware within the network. The use of WMIC for defense evasion can make it difficult to detect malicious activity, increasing the risk of successful attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious WMIC XSL Script Execution\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Event ID 7 (Image Loaded) logging to activate the Sigma rule above.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule by reviewing process execution details and command-line arguments.\u003c/li\u003e\n\u003cli\u003eReview the parent process of suspicious WMIC executions to understand the context and origin of the activity.\u003c/li\u003e\n\u003cli\u003eCorrelate the process.entity_id with other related events within a 2-minute window to identify any additional suspicious activities.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or suspicious XSL files and scripts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-22T12:00:00Z","date_published":"2024-01-22T12:00:00Z","id":"/briefs/2024-01-22-wmic-xsl-script-execution/","summary":"This rule detects suspicious execution of scripts via WMIC, potentially used for allowlist bypass, by identifying WMIC executions with atypical arguments and the loading of specific libraries like jscript.dll or vbscript.dll for defense evasion and execution.","title":"Suspicious WMIC XSL Script Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-22-wmic-xsl-script-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["ransomware","impact","lateral-movement","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies potential ransomware activity through the rapid creation of ransom notes via SMB shares. The rule focuses on file creation events originating from the SYSTEM account (PID 4), targeting common ransom note file extensions like .txt, .html, .pdf, and image files. This activity suggests an attacker has achieved lateral movement and is deploying ransom notes across multiple systems. The rule aggregates events within a 60-second window to reduce false positives and focus on high-frequency creation patterns indicative of automated ransomware deployment. Successful detection can help defenders quickly identify and contain ransomware outbreaks before widespread encryption occurs. The original Elastic detection rule was published on 2024-05-03 and updated on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system through an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems on the network using valid accounts or exploits. (T1021.002 - SMB/Windows Admin Shares)\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool to remotely create files over SMB. (T1021.002 - SMB/Windows Admin Shares)\u003c/li\u003e\n\u003cli\u003eThe SYSTEM account (PID 4) on a compromised host is used to create multiple files with the same name but different paths (C:*) over SMB.\u003c/li\u003e\n\u003cli\u003eThe created files have file extensions commonly associated with ransom notes: .txt, .htm, .html, .hta, .pdf, .jpg, .bmp, .png.\u003c/li\u003e\n\u003cli\u003eThe files are dropped into at least 3 unique paths within a short time frame (60 seconds).\u003c/li\u003e\n\u003cli\u003eThe attacker encrypts data and leaves the ransom notes to instruct victims on how to pay the ransom. (T1486 - Data Encrypted for Impact)\u003c/li\u003e\n\u003cli\u003eThe organization experiences data loss, financial damage, and reputational harm.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful ransomware attacks can lead to significant data loss, financial costs associated with ransom payments, recovery efforts, and reputational damage. Organizations may experience business disruption, regulatory fines, and legal liabilities. The Akira ransomware group, referenced in the original rule\u0026rsquo;s documentation, has been known to target various sectors, demanding substantial ransoms from victims. The widespread distribution of ransom notes indicates an advanced stage of the ransomware attack, necessitating immediate containment to prevent further data encryption and system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePotential Ransomware Note File Dropped via SMB\u003c/code\u003e to your SIEM to detect suspicious file creation activity indicative of ransomware deployment.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend for enhanced endpoint detection and response capabilities, as recommended in the rule\u0026rsquo;s setup instructions.\u003c/li\u003e\n\u003cli\u003eMonitor incoming network connections to port 445 (SMB) on critical assets, as suggested in the rule\u0026rsquo;s triage analysis.\u003c/li\u003e\n\u003cli\u003eInvestigate file names with unusual extensions to identify potential ransom notes, as mentioned in the triage analysis.\u003c/li\u003e\n\u003cli\u003eIsolate any hosts identified as creating multiple note files over SMB to prevent further lateral movement and data encryption, as described in the rule\u0026rsquo;s response and remediation steps.\u003c/li\u003e\n\u003cli\u003eReview and enforce network segmentation policies to limit lateral movement and reduce the impact of potential ransomware attacks (TA0008).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-22T12:00:00Z","date_published":"2024-01-22T12:00:00Z","id":"/briefs/2024-01-22-potential-ransomware-smb/","summary":"This rule detects potential ransomware behavior by identifying the creation of multiple files with the same name over SMB by the SYSTEM account, potentially indicating remote execution of ransomware dropping note files.","title":"Potential Ransomware Behavior - Note Files Dropped via SMB","url":"https://feed.craftedsignal.io/briefs/2024-01-22-potential-ransomware-smb/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","CrowdStrike FDR","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows-sandbox","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers may abuse the Windows Sandbox feature to evade detection by running malicious code within the isolated environment. This involves configuring the sandbox with sensitive options such as granting write access to the host file system, enabling network connections, and setting up automatic command execution via logon. By running within the sandbox with these configurations, malware can potentially interact with the host system, while making detection more difficult. This technique is used for defense evasion, hiding artifacts, and executing malicious activities within a virtualized environment to avoid direct exposure on the host. The rule identifies the start of a new container with sensitive configurations like write access to the host file system, network connection and automatic execution via logon command.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through an exploit or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages Windows Sandbox by executing \u003ccode\u003ewsb.exe\u003c/code\u003e or \u003ccode\u003eWindowsSandboxClient.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the sandbox to enable networking using \u003ccode\u003e\u0026lt;Networking\u0026gt;Enable\u0026lt;/Networking\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;NetworkingEnabled\u0026gt;true\u0026lt;/NetworkingEnabled\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker grants the sandbox write access to the host file system using \u003ccode\u003e\u0026lt;HostFolder\u0026gt;C:\\\\\u0026lt;ReadOnly\u0026gt;false\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sets up a logon command to automatically execute malicious code when the sandbox starts using \u003ccode\u003e\u0026lt;LogonCommand\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe sandbox initializes and executes the configured logon command.\u003c/li\u003e\n\u003cli\u003eThe malicious code interacts with the host file system and network, performing actions such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as deploying ransomware or stealing sensitive information, while operating from within the isolated sandbox environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using Windows Sandbox abuse can lead to a range of negative impacts. Attackers may gain unauthorized access to sensitive data, compromise system integrity, or disrupt business operations. The use of the sandbox environment helps to conceal malicious activity, making detection and remediation more challenging. The damage can include data breaches, financial losses, reputational damage, and regulatory penalties. Successful exploitation allows malware to interact with the host system, potentially affecting multiple systems on the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Windows Sandbox with Sensitive Configuration\u0026rdquo; detection rule to your SIEM to identify potential sandbox abuse attempts.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ewsb.exe\u003c/code\u003e and \u003ccode\u003eWindowsSandboxClient.exe\u003c/code\u003e with command-line arguments that enable networking (\u003ccode\u003e\u0026lt;Networking\u0026gt;Enable\u0026lt;/Networking\u0026gt;\u003c/code\u003e, \u003ccode\u003e\u0026lt;NetworkingEnabled\u0026gt;true\u0026lt;/NetworkingEnabled\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ewsb.exe\u003c/code\u003e and \u003ccode\u003eWindowsSandboxClient.exe\u003c/code\u003e with command-line arguments that enable write access to the host file system (\u003ccode\u003e\u0026lt;HostFolder\u0026gt;C:\\\\\u0026lt;ReadOnly\u0026gt;false\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ewsb.exe\u003c/code\u003e and \u003ccode\u003eWindowsSandboxClient.exe\u003c/code\u003e with command-line arguments that define logon commands (\u003ccode\u003e\u0026lt;LogonCommand\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the necessary command-line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-10T12:00:00Z","date_published":"2024-01-10T12:00:00Z","id":"/briefs/2024-01-windows-sandbox-abuse/","summary":"This rule detects the abuse of Windows Sandbox with sensitive configurations to evade detection, where malware may abuse the sandbox feature to gain write access to the host file system, enable network connections, and automatically execute commands via logon, identifying the start of a new container with these sensitive configurations.","title":"Windows Sandbox Abuse with Sensitive Configuration","url":"https://feed.craftedsignal.io/briefs/2024-01-windows-sandbox-abuse/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Security"],"_cs_severities":["high"],"_cs_tags":["kerberoasting","credential_access","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts leveraging the \u003ccode\u003eKerberosRequestorSecurityToken\u003c/code\u003e class to request Kerberos service tickets. Attackers often use this technique to perform Kerberoasting, where they obtain service tickets for various service principal names (SPNs) and crack the associated service account passwords offline. This activity can be indicative of an attacker attempting to gain unauthorized access to sensitive resources within the network. The rule is designed to trigger on potentially malicious uses of \u003ccode\u003eKerberosRequestorSecurityToken\u003c/code\u003e while attempting to filter out legitimate uses, such as those within Sentinel breakpoints or authorized Kerberos diagnostic scripts. Defenders should investigate any instances of this activity to determine whether it represents a genuine threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to a Windows system, potentially through phishing, compromised credentials, or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e The attacker executes a PowerShell script, either interactively or via a scheduled task or other means of remote execution.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObfuscation (Optional):\u003c/strong\u003e The PowerShell script may be obfuscated to evade detection, using techniques such as Base64 encoding or string manipulation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTicket Request:\u003c/strong\u003e The script uses the \u003ccode\u003eKerberosRequestorSecurityToken\u003c/code\u003e class to request Kerberos service tickets for one or more SPNs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Collection:\u003c/strong\u003e The script collects the requested service tickets and potentially saves them to a file or transmits them over the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker extracts the Kerberos hashes from the collected tickets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOffline Cracking:\u003c/strong\u003e The attacker uses tools like John the Ripper or Hashcat to crack the service account passwords offline.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation/Lateral Movement:\u003c/strong\u003e Upon successfully cracking the passwords, the attacker uses the compromised credentials to escalate privileges or move laterally within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful Kerberoasting attacks can lead to the compromise of service accounts, potentially granting attackers unauthorized access to critical systems and sensitive data. The impact can range from data breaches and financial losses to complete system compromise and disruption of business operations. The rule\u0026rsquo;s medium severity reflects the potential for significant impact if the attack succeeds.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the PowerShell script content necessary for detection, and ensure the logs are being ingested into your SIEM. Reference: \u003ca href=\"https://ela.st/powershell-logging-setup\"\u003eSetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Kerberos Ticket Request\u0026rdquo; to your SIEM to detect suspicious use of \u003ccode\u003eKerberosRequestorSecurityToken\u003c/code\u003e in PowerShell scripts.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on reconstructing the full script content, identifying the targeted SPNs, and analyzing the process execution context to determine if the activity is malicious.\u003c/li\u003e\n\u003cli\u003eReview Windows Security event logs on domain controllers for event ID 4769, filtering for the \u003ccode\u003eTargetUserName\u003c/code\u003e associated with the alerting user to identify related Kerberos ticket requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:45:00Z","date_published":"2024-01-09T18:45:00Z","id":"/briefs/2024-01-09-kerberos-ticket-request/","summary":"This rule detects PowerShell scripts that request Kerberos service tickets using KerberosRequestorSecurityToken, potentially indicating Kerberoasting attacks for offline password cracking of service accounts.","title":"PowerShell Kerberos Ticket Request via KerberosRequestorSecurityToken","url":"https://feed.craftedsignal.io/briefs/2024-01-09-kerberos-ticket-request/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["persistence","defense-evasion","execution","windows","dll-injection"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAttackers may attempt to load malicious, unsigned DLLs into \u003ccode\u003esvchost.exe\u003c/code\u003e, a legitimate Windows service host process, to maintain persistence or escalate privileges. This technique abuses the shared service host process to execute arbitrary code with SYSTEM privileges. The \u003ccode\u003esvchost.exe\u003c/code\u003e process, which typically hosts multiple Windows services, can be targeted to load malicious DLLs from unusual file paths, potentially bypassing security measures that rely on code signing validation. This is especially concerning because \u003ccode\u003esvchost.exe\u003c/code\u003e is a trusted process, making detection more challenging. The loading of unsigned DLLs by \u003ccode\u003esvchost.exe\u003c/code\u003e from atypical directories is a strong indicator of potential malicious activity, as legitimate Windows services rarely load unsigned libraries from such locations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn adversary gains initial access to the system through an undisclosed method (e.g., exploitation of a vulnerability or social engineering).\u003c/li\u003e\n\u003cli\u003eThe attacker creates a malicious, unsigned DLL on the compromised system in a non-standard directory like \u003ccode\u003eC:\\ProgramData\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the Windows Registry to configure a service hosted by \u003ccode\u003esvchost.exe\u003c/code\u003e to load the malicious DLL. This often involves manipulating service dependencies or service parameters.\u003c/li\u003e\n\u003cli\u003eThe system is restarted, or the targeted service is manually restarted, causing \u003ccode\u003esvchost.exe\u003c/code\u003e to load the specified DLL.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esvchost.exe\u003c/code\u003e executes the code within the malicious DLL, now running with the privileges of the hosted service (typically SYSTEM).\u003c/li\u003e\n\u003cli\u003eThe malicious DLL performs actions such as installing backdoors, escalating privileges further, or establishing command and control (C2) communication.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established C2 channel to remotely control the compromised system, exfiltrate data, or perform other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence on the system by ensuring the malicious DLL is loaded each time the service or system starts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain persistent access to the compromised system with elevated (SYSTEM) privileges. This can lead to complete system compromise, data theft, installation of backdoors, and lateral movement within the network. The use of \u003ccode\u003esvchost.exe\u003c/code\u003e as a host for malicious DLLs makes detection more difficult, allowing attackers to operate undetected for extended periods.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect unsigned DLLs loaded by \u003ccode\u003esvchost.exe\u003c/code\u003e, focusing on the specified file paths and code signature status.\u003c/li\u003e\n\u003cli\u003eExamine \u003ccode\u003edll.Ext.relative_file_creation_time\u003c/code\u003e to identify DLLs created shortly before being loaded to catch newly created malicious files.\u003c/li\u003e\n\u003cli\u003eReview and validate the legitimacy of all DLLs loaded by \u003ccode\u003esvchost.exe\u003c/code\u003e, focusing on those located in unusual paths.\u003c/li\u003e\n\u003cli\u003eUpdate endpoint detection and response (EDR) systems to specifically monitor for the loading of unsigned DLLs by system processes like \u003ccode\u003esvchost.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eContinuously update the exclusion list of known good DLL hashes to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:30:00Z","date_published":"2024-01-09T18:30:00Z","id":"/briefs/2024-01-unsigned-dll-svchost/","summary":"Adversaries may load unsigned DLLs into svchost.exe to establish persistence or escalate privileges, leveraging a shared Windows service to execute malicious code with elevated permissions.","title":"Unsigned DLL Loaded by Svchost for Persistence and Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2024-01-unsigned-dll-svchost/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["persistence","execution","command-and-control","web shell","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule focuses on identifying potentially malicious activity stemming from Linux-based web servers. The rule is triggered when a web server process, such as Apache, Nginx, or others, initiates an outbound network connection to a destination port that is considered non-standard. This activity can signal the presence of a web shell, a malicious script uploaded to a web server to enable remote access and control. Attackers may exploit compromised web servers to establish covert communication channels, exfiltrate data, or launch further attacks on internal systems. The rule leverages data from Elastic Defend to monitor network connections and filter out legitimate traffic based on a predefined list of common ports and internal IP ranges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained via exploitation of a vulnerability in a web application or web server component running on a Linux system (e.g., through SQL injection or remote code execution).\u003c/li\u003e\n\u003cli\u003eA web shell is uploaded to the compromised web server, often disguised as a legitimate file or hidden within existing directories.\u003c/li\u003e\n\u003cli\u003eThe attacker interacts with the web shell through HTTP requests, using it as a command and control interface.\u003c/li\u003e\n\u003cli\u003eThe web shell executes commands on the server, initiating outbound network connections to non-standard ports.\u003c/li\u003e\n\u003cli\u003eThese connections may be used to communicate with external C2 servers, download additional payloads, or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the web shell to move laterally within the network, targeting other systems and services.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish persistence on the compromised server, ensuring continued access even after system reboots.\u003c/li\u003e\n\u003cli\u003eThe final objective is data theft, system compromise, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised web servers can lead to significant data breaches, system downtime, and reputational damage. While this rule triggers on low-severity behavior, successful exploitation can lead to complete system compromise. The number of affected systems depends on the scope of the initial vulnerability and the attacker\u0026rsquo;s ability to move laterally. Organizations in all sectors that rely on web-based applications are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect web server processes initiating connections to unusual destination ports and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend integration to collect the necessary network event data from Linux endpoints to activate the rule.\u003c/li\u003e\n\u003cli\u003eReview and customize the list of excluded destination ports and internal IP ranges in the Sigma rule to match your organization\u0026rsquo;s specific network configuration and legitimate traffic patterns.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule to determine if the activity is malicious or benign, focusing on the process name, user, destination IP, and destination port.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:28:00Z","date_published":"2024-01-09T18:28:00Z","id":"/briefs/2024-01-uncommon-web-server-port/","summary":"The rule identifies unusual outbound network connections on non-standard ports originating from web server processes on Linux systems, indicative of potential web shell activity or unauthorized communication.","title":"Uncommon Destination Port Connection by Web Server on Linux","url":"https://feed.craftedsignal.io/briefs/2024-01-uncommon-web-server-port/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elasticsearch"],"_cs_severities":["high"],"_cs_tags":["initial-access","network","rpc"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies RPC traffic originating from the internet, which can indicate malicious activity. RPC is used for remote system administration and resource sharing but should rarely be exposed to the internet. Threat actors frequently target RPC for initial access or as a backdoor. This rule analyzes network traffic, specifically looking for TCP connections to port 135 (a common RPC port) originating from outside the internal network. The rule aims to detect unauthorized attempts to access or control systems via RPC from external sources, enhancing network security and preventing potential breaches. The rule was last updated on 2026-04-24.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker scans the internet for systems with exposed RPC services on TCP port 135.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a TCP connection to the target system\u0026rsquo;s port 135.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to negotiate an RPC connection, potentially exploiting vulnerabilities in the RPC service.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation allows the attacker to execute commands remotely on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to perform reconnaissance, gathering information about the internal network.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts lateral movement to other systems within the network, using the initial foothold.\u003c/li\u003e\n\u003cli\u003eThe attacker installs malware or creates a backdoor for persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of exposed RPC services can lead to complete system compromise, allowing attackers to execute arbitrary commands, install malware, and steal sensitive data. This can result in data breaches, financial loss, and reputational damage. The rule aims to prevent attackers from gaining initial access to internal systems, mitigating the risk of wider network compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect RPC from Internet\u0026rdquo; to your SIEM to identify potentially malicious connections to port 135.\u003c/li\u003e\n\u003cli\u003eReview and harden systems that provide RPC services to ensure they are not directly exposed to the internet, as detected by the rule \u0026ldquo;Detect RPC from Internet\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eEnforce network segmentation to limit the exposure of critical systems and services, preventing RPC services from being accessible from the Internet (reference: note section in the rule).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the source and destination IP addresses and related network traffic logs (reference: note section in the rule).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:23:00Z","date_published":"2024-01-09T18:23:00Z","id":"/briefs/2024-01-09-rpc-from-internet/","summary":"This brief focuses on detecting Remote Procedure Call (RPC) traffic originating from the internet, a common initial access vector, by monitoring network connections to TCP port 135 and filtering known internal IP ranges.","title":"Detecting External RPC Traffic for Initial Access","url":"https://feed.craftedsignal.io/briefs/2024-01-09-rpc-from-internet/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Build Engine","Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","msbuild","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe Microsoft Build Engine (MSBuild) is a software build platform commonly used by Windows developers. When MSBuild is started by an Office application like Word or Excel, it deviates from typical usage patterns. This behavior can be indicative of a malicious document executing a script payload as part of a defense evasion tactic. Attackers may leverage MSBuild to execute code or perform actions that would otherwise be blocked or detected. This activity is particularly concerning because it can bypass traditional security measures that focus on blocking suspicious executables or scripts directly launched by Office applications. The rule was created in March 2020, and last updated in April 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user opens a malicious Office document (e.g., Word, Excel, PowerPoint).\u003c/li\u003e\n\u003cli\u003eThe Office document contains an embedded macro or exploit that triggers the execution of MSBuild.exe.\u003c/li\u003e\n\u003cli\u003eMSBuild.exe is launched as a child process of the Office application (e.g., winword.exe, excel.exe, powerpnt.exe).\u003c/li\u003e\n\u003cli\u003eMSBuild executes a project file or inline task specified in the command line. This can involve compiling code, executing scripts, or performing other actions.\u003c/li\u003e\n\u003cli\u003eThe executed code or script performs malicious activities, such as downloading additional payloads, modifying system settings, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eMSBuild may spawn child processes, such as cmd.exe, powershell.exe, or other utilities, to further execute malicious commands.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which could include data exfiltration, installing malware, or gaining unauthorized access to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary code on the victim\u0026rsquo;s machine, potentially resulting in data theft, malware installation, or complete system compromise. Since MSBuild is a legitimate Microsoft tool, its use by malicious actors can make detection more challenging. The impact is high because it leverages a trusted process to carry out malicious activities, evading standard security measures.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Microsoft Build Engine Started by an Office Application\u0026rdquo; to your SIEM to detect this specific behavior based on process creation events.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with the appropriate configuration to capture the necessary process start events for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the command-line arguments of MSBuild.exe and the parent process information, including the executable name and command line.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for MSBuild.exe with parent processes being Office applications as a high priority indicator of potential compromise.\u003c/li\u003e\n\u003cli\u003eReview and harden Office macro settings to prevent execution of malicious macros.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:22:00Z","date_published":"2024-01-09T18:22:00Z","id":"/briefs/2024-01-msbuild-office-app/","summary":"The Microsoft Build Engine (MSBuild) being started by an Office application is unusual behavior and could indicate a malicious document executing a script payload for defense evasion.","title":"Microsoft Build Engine Started by an Office Application","url":"https://feed.craftedsignal.io/briefs/2024-01-msbuild-office-app/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["ntlm-relay","credential-access","windows","webdav"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies attempts to coerce local NTLM authentication over HTTP through WebDAV named-pipe paths, focusing on Print Spooler and SRVSVC. Attackers can exploit this vulnerability, often combined with tools like NTLMRelay2Self, PetitPotam, or modified versions of krbrelayx\u0026rsquo;s printerbug.py, to relay the obtained credentials and escalate their privileges within the network. This technique allows attackers to bypass traditional security measures by leveraging legitimate Windows protocols for malicious purposes. Successful exploitation can lead to domain dominance and unauthorized access to sensitive resources. This activity is often associated with post-exploitation activity following initial access via other means.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003erundll32.exe\u003c/code\u003e to load \u003ccode\u003edavclnt.dll\u003c/code\u003e using the \u003ccode\u003eDavSetCookie\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erundll32.exe\u003c/code\u003e process is invoked with arguments specifying a named pipe path over HTTP, such as \u003ccode\u003ehttp*/print/pipe/*\u003c/code\u003e, \u003ccode\u003ehttp*/pipe/spoolss\u003c/code\u003e, or \u003ccode\u003ehttp*/pipe/srvsvc\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe system attempts to authenticate to the specified HTTP endpoint using NTLM.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the NTLM authentication request.\u003c/li\u003e\n\u003cli\u003eUsing a relay tool like NTLMRelay2Self or ntlmrelayx, the attacker relays the captured NTLM credentials to another service or machine.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the relayed credentials to escalate privileges or gain unauthorized access to network resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may then perform lateral movement, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to escalate privileges within the compromised system and potentially the entire domain. This can lead to unauthorized access to sensitive data, deployment of ransomware, or other destructive activities. The impact ranges from data breaches and financial losses to complete system compromise. Depending on the targeted accounts, the attacker may be able to achieve domain administrator privileges.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Local NTLM Relay via HTTP\u0026rdquo; to your SIEM to detect the execution of \u003ccode\u003erundll32.exe\u003c/code\u003e with specific arguments indicative of NTLM relay attempts.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to ensure the necessary data is available for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from processes that load \u003ccode\u003edavclnt.dll\u003c/code\u003e to identify potential NTLM relay traffic.\u003c/li\u003e\n\u003cli\u003eInvestigate and block the usage of tools like NTLMRelay2Self, PetitPotam, and ntlmrelayx within the environment.\u003c/li\u003e\n\u003cli\u003eImplement mitigations for NTLM relay attacks, such as enabling Extended Protection for Authentication (EPA) and disabling NTLM where possible.\u003c/li\u003e\n\u003cli\u003eReview and restrict the usage of WebClient service and Print Spooler service where not required.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T14:00:00Z","date_published":"2024-01-09T14:00:00Z","id":"/briefs/2024-01-ntlm-relay-http/","summary":"Adversaries may coerce local NTLM authentication over HTTP via WebDAV named-pipe paths (Print Spooler, SRVSVC), then relay credentials to elevate privileges.","title":"Potential Local NTLM Relay via HTTP","url":"https://feed.craftedsignal.io/briefs/2024-01-ntlm-relay-http/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend","CCleaner","ManageEngine UEMS Agent","ManageEngine DesktopCentral Agent"],"_cs_severities":["medium"],"_cs_tags":["persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","ManageEngine","CCleaner","Elastic","SentinelOne"],"content_html":"\u003cp\u003eAdversaries may abuse scheduled tasks to maintain persistence on a compromised system. This involves creating or modifying scheduled tasks to execute malicious code at specific times or intervals. This activity can be used to ensure that the attacker\u0026rsquo;s code remains active even after a system restart or user logout. The detection rule identifies suspicious job creation by monitoring specific file paths and extensions, excluding known legitimate processes to flag potential abuse. The rule is designed for data generated by Elastic Defend, but also supports Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a script or program to create a new scheduled job within the \u003ccode\u003eC:\\Windows\\Tasks\\\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe scheduled job is configured to execute a malicious payload at a specified time or interval.\u003c/li\u003e\n\u003cli\u003eThe malicious payload could be a script (e.g., PowerShell) or an executable.\u003c/li\u003e\n\u003cli\u003eThe scheduled job executes, triggering the malicious payload.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain a persistent presence on the compromised system. This allows them to execute malicious code, steal sensitive information, or perform other malicious activities over an extended period. The number of affected systems can vary depending on the scope of the initial compromise and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) logging to monitor file creation events on Windows systems.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Scheduled Job Creation\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on scheduled jobs created in the \u003ccode\u003eC:\\Windows\\Tasks\\\u003c/code\u003e directory with a \u0026ldquo;.job\u0026rdquo; extension.\u003c/li\u003e\n\u003cli\u003eReview and update exclusion lists for known legitimate scheduled job creation processes (e.g., CCleaner, ManageEngine) to minimize false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-09-scheduled-job-persistence/","summary":"This detection rule identifies attempts to establish persistence on Windows systems by creating scheduled jobs in the Windows Tasks directory, excluding known legitimate jobs.","title":"Persistence via Scheduled Job Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-09-scheduled-job-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["credential-access","lsass","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThis rule identifies attempts to access the LSASS process via Windows API calls, specifically \u003ccode\u003eOpenProcess\u003c/code\u003e, \u003ccode\u003eOpenThread\u003c/code\u003e, and \u003ccode\u003eReadProcessMemory\u003c/code\u003e. The Local Security Authority Subsystem Service (LSASS) is a critical Windows component responsible for managing user authentication and security policies. Attackers often target LSASS to dump credentials from memory for lateral movement and privilege escalation. This detection focuses on identifying unusual processes attempting to access the LSASS process, excluding common legitimate applications and directories. The rule leverages data from Elastic Defend and Microsoft Defender XDR to identify suspicious activity and provide defenders with actionable alerts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system through various means.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges to gain administrative rights.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a custom tool or script to call the \u003ccode\u003eOpenProcess\u003c/code\u003e, \u003ccode\u003eOpenThread\u003c/code\u003e or \u003ccode\u003eReadProcessMemory\u003c/code\u003e Windows APIs.\u003c/li\u003e\n\u003cli\u003eThe tool targets the \u003ccode\u003elsass.exe\u003c/code\u003e process to obtain a handle for memory access.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained handle to read LSASS memory, searching for credential data.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts usernames, passwords, and other sensitive information from the dumped memory.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials for lateral movement to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which may include data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of domain credentials, allowing attackers to move laterally within the network and gain access to sensitive resources. This can result in data breaches, system compromise, and significant financial or reputational damage. The rule aims to detect these attacks early, limiting the scope of the potential compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;LSASS API Access by Non-Standard Process\u0026rdquo; to your SIEM and tune for your environment to detect suspicious access to the LSASS process.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by this rule, focusing on the process execution chain and the access rights requested as documented in the provided Microsoft documentation.\u003c/li\u003e\n\u003cli\u003eEnable process creation and API call logging via Elastic Defend or Microsoft Defender XDR to provide the necessary data for this detection.\u003c/li\u003e\n\u003cli\u003eReview and harden LSASS protection mechanisms such as Credential Guard to minimize the risk of successful credential dumping.\u003c/li\u003e\n\u003cli\u003eImplement the Osquery queries to gather system information like DNS cache, services, and unsigned executables, to aid in investigation and threat hunting.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-lsass-process-access/","summary":"Detection of access attempts to the LSASS handle, indicating potential credential dumping by monitoring API calls (OpenProcess, OpenThread, ReadProcessMemory) targeting lsass.exe.","title":"LSASS Process Access via Windows API","url":"https://feed.craftedsignal.io/briefs/2024-01-lsass-process-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","privilege-escalation","masquerading"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies suspicious child processes spawned by WerFault.exe, the Windows Error Reporting tool. Attackers can abuse WerFault by manipulating the \u003ccode\u003eSilentProcessExit\u003c/code\u003e registry key to execute malicious processes. This technique allows for defense evasion, persistence, and privilege escalation. The detection focuses on WerFault processes with specific command-line arguments (\u003ccode\u003e-s\u003c/code\u003e, \u003ccode\u003e-t\u003c/code\u003e, and \u003ccode\u003e-c\u003c/code\u003e) known to be used in SilentProcessExit exploitation, while excluding legitimate executables like \u003ccode\u003eInitcrypt.exe\u003c/code\u003e and \u003ccode\u003eHeimdal.Guard.exe\u003c/code\u003e. The rule helps defenders identify potential attempts to hijack the error reporting mechanism for malicious purposes. The monitored data sources include Windows Event Logs, Sysmon, Elastic Defend, Microsoft Defender XDR, and SentinelOne.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eSilentProcessExit\u003c/code\u003e registry key to specify a malicious process to be executed when a target application crashes. This involves setting the \u003ccode\u003eReportingMode\u003c/code\u003e and \u003ccode\u003eDebugger\u003c/code\u003e values under the \u003ccode\u003eSilentProcessExit\u003c/code\u003e key for the target application.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a crash in the target application or waits for a legitimate crash to occur.\u003c/li\u003e\n\u003cli\u003eWerFault.exe is invoked to handle the application crash.\u003c/li\u003e\n\u003cli\u003eDue to the registry modification, WerFault.exe spawns the attacker-controlled process, passing command-line arguments such as \u003ccode\u003e-s\u003c/code\u003e, \u003ccode\u003e-t\u003c/code\u003e, and \u003ccode\u003e-c\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled process executes with the privileges of WerFault.exe, potentially achieving privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe malicious process performs actions such as injecting code into other processes, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objectives, such as maintaining persistence, escalating privileges, or evading detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to persistence, privilege escalation, and defense evasion. Attackers can use this technique to execute malicious code with elevated privileges, potentially bypassing security controls and gaining unauthorized access to sensitive data and system resources. The number of victims and affected sectors can vary depending on the attacker\u0026rsquo;s objectives and the scope of the initial compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture WerFault.exe child processes (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;WerFault Child Process Masquerading\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eSilentProcessExit\u003c/code\u003e registry key for unauthorized modifications (registry_set event).\u003c/li\u003e\n\u003cli\u003eInvestigate any WerFault.exe processes with command-line arguments \u003ccode\u003e-s\u003c/code\u003e, \u003ccode\u003e-t\u003c/code\u003e, and \u003ccode\u003e-c\u003c/code\u003e (process_creation event).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-09-werfault-child-process/","summary":"This rule detects suspicious child processes of WerFault.exe, a Windows error reporting tool, indicating potential abuse of the SilentProcessExit registry key to execute malicious processes stealthily for defense evasion, persistence, and privilege escalation.","title":"Suspicious WerFault Child Process Abuse","url":"https://feed.craftedsignal.io/briefs/2024-01-09-werfault-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["credential-access","lsass","process-injection"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies the creation of an LSASS process clone via \u003ccode\u003ePssCaptureSnapShot\u003c/code\u003e on Windows systems. The rule focuses on scenarios where the parent process of the new LSASS instance is also \u003ccode\u003elsass.exe\u003c/code\u003e. This behavior is often associated with attackers attempting to bypass security controls and dump LSASS memory to extract credentials. The technique is used to evade detection mechanisms that monitor the primary LSASS process. Successful exploitation can lead to the compromise of domain or local credentials stored in memory, allowing for lateral movement and privilege escalation within the network. The detection is based on Windows Security Event Logs, specifically event code 4688, and is designed to identify this specific cloning behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes code on the target system, potentially using tools like PowerShell or command-line utilities.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a process to clone the LSASS process using \u003ccode\u003ePssCaptureSnapShot\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe newly created process, a clone of LSASS, runs alongside the original.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the cloned LSASS process to dump its memory. This may involve tools like \u003ccode\u003ecomsvcs.dll\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e or custom scripts leveraging the MiniDumpWriteDump function.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive information from the dumped memory, including usernames, passwords, and Kerberos tickets.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted credentials to move laterally within the network, accessing additional systems and resources.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can result in the compromise of sensitive credentials stored in LSASS memory, including domain and local account credentials. This can lead to unauthorized access to critical systems and data, potentially resulting in data breaches, financial loss, and reputational damage. Domain controllers, jump hosts, and systems with privileged accounts are at especially high risk. The number of affected systems can range from a single machine to a large portion of the network, depending on the attacker\u0026rsquo;s objectives and the scope of the compromised credentials.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and monitor Windows Security Event Logs with event code 4688 for process creation events, specifically focusing on the process and parent process names to identify LSASS cloning attempts (see rule below).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect potential LSASS clone creation via \u003ccode\u003ePssCaptureSnapShot\u003c/code\u003e. Tune the rule for your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the processes involved in cloning and dumping LSASS memory.\u003c/li\u003e\n\u003cli\u003eEnable Audit Process Creation and Command Line logging as per the Elastic documentation to ensure the events used by the provided Sigma rules are captured.\u003c/li\u003e\n\u003cli\u003eIf a LSASS clone is detected, review authentication events (4624, 4648, 4625) on the affected host to identify any suspicious logons or credential usage.\u003c/li\u003e\n\u003cli\u003eMonitor for file activity related to memory dumps (e.g., .dmp files) using the process clone to identify potential credential theft attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-lsass-clone-creation/","summary":"Detection of LSASS process cloning using PssCaptureSnapShot, where the parent process is also LSASS, indicating a potential attempt to dump LSASS memory for credential access.","title":"Potential LSASS Clone Creation via PssCaptureSnapShot","url":"https://feed.craftedsignal.io/briefs/2024-01-lsass-clone-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Endgame","Kaspersky Security for Windows Server","Desktop Central Agent","SAP NW Setup"],"_cs_severities":["medium"],"_cs_tags":["persistence","app-compat","shim","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SAP","Kaspersky","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers can exploit the Windows Application Compatibility Shim functionality to maintain persistence and execute arbitrary code within legitimate Windows processes. This is achieved by installing custom shim databases, which are designed to ensure older applications run smoothly on newer operating systems. By manipulating these databases, attackers can stealthily inject malicious code into trusted processes. The rule detects changes in specific registry paths associated with the installation of these databases, excluding known legitimate processes to minimize false positives. This technique allows for the execution of malicious code without directly modifying the target application\u0026rsquo;s executable, making it difficult to detect with traditional methods.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry to create a new entry for a custom shim database. The registry path targeted is typically under \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker writes a malicious \u003ccode\u003e.sdb\u003c/code\u003e file containing the custom shim database to a location on disk.\u003c/li\u003e\n\u003cli\u003eThe registry entry created points to the malicious \u003ccode\u003e.sdb\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eWhen a targeted application is launched, Windows checks the AppCompatFlags registry keys.\u003c/li\u003e\n\u003cli\u003eThe system loads the malicious shim database specified in the registry.\u003c/li\u003e\n\u003cli\u003eThe malicious code within the shim database is executed in the context of the targeted application.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence, as the malicious shim database is loaded every time the targeted application is run.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to the system, even after reboots or software updates. The injected code runs within the context of a legitimate process, which can evade detection by traditional security tools. This can lead to data theft, system compromise, or further malicious activities, such as lateral movement within the network. The use of application shimming for persistence affects systems running Windows and can impact organizations of any size or sector.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Custom Shim Database Installation\u003c/code\u003e to your SIEM to identify suspicious registry modifications related to application shimming.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to ensure the necessary data is available for the Sigma rule to function.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on processes that are not in the exclusion list.\u003c/li\u003e\n\u003cli\u003eBlock or quarantine any identified malicious \u003ccode\u003e.sdb\u003c/code\u003e files to prevent further execution.\u003c/li\u003e\n\u003cli\u003eReview and update the exclusion list in the Sigma rule with any newly identified legitimate applications that use shim databases, reducing false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-09-app-compat-shim-persistence/","summary":"Attackers abuse the Application Compatibility Shim functionality in Windows to establish persistence and achieve arbitrary code execution by installing malicious shim databases, which this detection identifies through monitoring registry changes.","title":"Detection of Custom Shim Database Installation for Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-09-app-compat-shim-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Auditd Manager"],"_cs_severities":["high"],"_cs_tags":["container","privilege-escalation","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies a potential privilege escalation vulnerability within container environments utilizing \u003ccode\u003erunc\u003c/code\u003e, the low-level container runtime used by Docker and containerd. The rule focuses on audit events triggered by \u003ccode\u003erunc init\u003c/code\u003e child processes. Specifically, it flags instances where the effective user ID is root (0), while the login user ID is not root. This discrepancy can indicate malicious activity, such as exploiting credential separation or namespace transitions to gain unauthorized root privileges within the container or escape to the host. This is relevant for defenders because a compromised container can lead to host compromise, data exfiltration, or denial of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a container with limited privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a vulnerability within the container to execute code as the \u003ccode\u003erunc init\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erunc init\u003c/code\u003e process spawns a child process while retaining a non-root user ID in audit telemetry.\u003c/li\u003e\n\u003cli\u003eThe child process is assigned an effective user ID of 0 (root), bypassing normal permission controls.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to modify sensitive files or execute commands as root within the container\u0026rsquo;s namespace.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt to escape the container by exploiting kernel vulnerabilities or misconfigurations to gain access to the host system.\u003c/li\u003e\n\u003cli\u003eUpon gaining access to the host system, the attacker can install malware, steal sensitive data, or disrupt services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful privilege escalation attack within a container environment can lead to complete compromise of the container and potentially the host system. This can result in data breaches, service disruptions, and unauthorized access to sensitive resources. The impact is significant because a single compromised container can become a launchpad for attacks against other containers or the underlying infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Privilege Escalation via Runc Init\u0026rdquo; to your SIEM to detect suspicious \u003ccode\u003erunc init\u003c/code\u003e process executions.\u003c/li\u003e\n\u003cli\u003eEnable Linux audit logging via the Auditd Manager integration, ensuring that \u003ccode\u003eexecve\u003c/code\u003e and identity-related fields are captured.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the full audit event details, including process ancestry, user IDs, and container metadata.\u003c/li\u003e\n\u003cli\u003eReview container configurations and security profiles to identify potential misconfigurations that could facilitate privilege escalation.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the blast radius of a compromised container.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-05T14:22:00Z","date_published":"2024-01-05T14:22:00Z","id":"/briefs/2024-01-runc-privilege-escalation/","summary":"Detection of runc init child processes with root effective user and non-root login user ID, indicating potential container privilege escalation.","title":"Potential Privilege Escalation in Container via Runc Init","url":"https://feed.craftedsignal.io/briefs/2024-01-runc-privilege-escalation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["execution","initial-access","defense-evasion","discovery"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAttackers are increasingly leveraging PDF reader applications as an initial access vector, exploiting vulnerabilities within these programs or using social engineering to trick users into opening malicious PDF documents. Upon successful exploitation, adversaries often spawn built-in Windows utilities from the compromised PDF reader process to perform reconnaissance, escalate privileges, or establish persistence. This activity is designed to blend in with normal system operations, making it difficult to detect without specific monitoring and detection rules. The targeted software commonly includes Adobe Acrobat, Adobe Reader, and Foxit Reader. Defenders should be vigilant for unexpected child processes of PDF readers, especially command-line interpreters and system administration tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user receives a malicious PDF document via phishing or other means.\u003c/li\u003e\n\u003cli\u003eThe user opens the PDF document using a vulnerable PDF reader application (e.g., Adobe Acrobat, Foxit Reader).\u003c/li\u003e\n\u003cli\u003eThe PDF document exploits a vulnerability or uses a malicious script to execute an arbitrary command.\u003c/li\u003e\n\u003cli\u003eThe PDF reader application spawns a command-line interpreter (e.g., cmd.exe, powershell.exe) or a system administration tool (e.g., reg.exe, net.exe).\u003c/li\u003e\n\u003cli\u003eThe spawned process executes commands to gather system information (e.g., ipconfig.exe, systeminfo.exe, whoami.exe).\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to discover network configuration, user accounts, or running processes.\u003c/li\u003e\n\u003cli\u003eThe attacker could leverage the spawned process to download and execute further payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the system and can proceed with lateral movement, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of PDF reader applications can lead to initial access, privilege escalation, and further compromise of the affected system. While individual incidents may have a low risk score, widespread exploitation can lead to significant data breaches, system downtime, and reputational damage. The use of legitimate system utilities for malicious purposes can make detection challenging, allowing attackers to operate undetected for extended periods.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture the execution of suspicious child processes (Sysmon Event ID 1, Windows Security Event Logs).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious PDF Reader Child Process\u0026rdquo; to your SIEM and tune for your environment to detect the execution of suspicious processes spawned by PDF reader applications.\u003c/li\u003e\n\u003cli\u003eMonitor for network connections originating from PDF reader applications to unusual or external IP addresses.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or unknown executables.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T18:45:00Z","date_published":"2024-01-04T18:45:00Z","id":"/briefs/2024-01-suspicious-pdf-child-process/","summary":"Adversaries may exploit PDF reader applications to execute arbitrary commands and establish a foothold within a system, often launching built-in utilities for reconnaissance and privilege escalation.","title":"Suspicious PDF Reader Child Process Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-pdf-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["phishing","execution","url-file","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAttackers commonly use .url shortcut files in phishing campaigns to deliver malicious payloads. These files, when downloaded from non-local sources, may bypass traditional security measures. This detection rule identifies such files by monitoring their creation events on Windows systems. The rule focuses on files with the .url extension and a zone identifier indicating they originated from outside the local network. These files are often delivered via email or malicious websites, tricking users into clicking them, which can lead to the execution of arbitrary commands or the redirection to malicious websites. This technique allows attackers to gain initial access or execute malicious code on the victim\u0026rsquo;s machine.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a phishing email or a malicious website containing a link to a .url file.\u003c/li\u003e\n\u003cli\u003eThe victim clicks the link, resulting in the download of the .url file to their Windows system.\u003c/li\u003e\n\u003cli\u003eThe .url file is created on the filesystem, triggering a file creation event.\u003c/li\u003e\n\u003cli\u003eThe operating system assigns a Zone Identifier to the file, marking it as originating from an external source.\u003c/li\u003e\n\u003cli\u003eThe victim double-clicks the .url file, which contains a URL pointing to a malicious website or an executable.\u003c/li\u003e\n\u003cli\u003eThe operating system attempts to open the URL using the default web browser or execute the embedded command.\u003c/li\u003e\n\u003cli\u003eIf the URL points to a malicious website, the victim may be prompted to download and execute malware.\u003c/li\u003e\n\u003cli\u003eThe malware executes, potentially leading to system compromise, data theft, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary commands, redirection to malicious websites, and subsequent malware infection. If successful, attackers can compromise user systems, steal sensitive information, or establish a foothold for further malicious activities within the organization\u0026rsquo;s network. The impact can range from individual system compromise to broader network breaches, depending on the attacker\u0026rsquo;s objectives and the extent of the infection.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDownloaded URL Files Created\u003c/code\u003e to your SIEM to detect the creation of downloaded .url files with a non-local Zone Identifier and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003efile creation\u003c/code\u003e events where \u003ccode\u003efile.extension == \u0026quot;url\u0026quot;\u003c/code\u003e and \u003ccode\u003efile.Ext.windows.zone_identifier == 3\u003c/code\u003e using the provided investigation steps in the advisory.\u003c/li\u003e\n\u003cli\u003eUpdate security policies and endpoint protection configurations to block the download and execution of .url files from untrusted sources, as mentioned in the advisory.\u003c/li\u003e\n\u003cli\u003eEducate users on safe downloading practices and the risks associated with opening .url files from untrusted sources, as highlighted in the advisory\u0026rsquo;s false positive analysis.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T17:49:12Z","date_published":"2024-01-04T17:49:12Z","id":"/briefs/2024-01-downloaded-url-files/","summary":"This detection rule identifies downloaded .url shortcut files on Windows systems, often used in phishing campaigns, by monitoring their creation events and flagging those from non-local sources, enabling early threat detection.","title":"Detection of Downloaded URL Files Used in Phishing Campaigns","url":"https://feed.craftedsignal.io/briefs/2024-01-downloaded-url-files/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["m365_defender","Elastic Defend","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["process_injection","privilege_escalation","defense_evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThe Windows Service Host process (svchost.exe) is a critical system component that hosts multiple Windows services to optimize resource utilization. Certain services running under svchost.exe are not expected to spawn child processes. Attackers may inject malicious code into these \u0026ldquo;childless\u0026rdquo; svchost processes to execute unauthorized commands and evade traditional detection methods. This detection rule identifies anomalies by monitoring child processes of svchost.exe instances associated with services known to be childless, such as \u003ccode\u003eWdiSystemHost\u003c/code\u003e, \u003ccode\u003eLicenseManager\u003c/code\u003e, and \u003ccode\u003eStorSvc\u003c/code\u003e, flagging potential process injection or exploitation attempts. The rule aims to identify deviations from the expected behavior of these services, providing an early warning of potential malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system through an exploit or by leveraging existing credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into a running svchost.exe process associated with a childless service like \u003ccode\u003eWdiSystemHost\u003c/code\u003e or \u003ccode\u003eStorSvc\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected code spawns a child process from the targeted svchost.exe instance. This could involve executing a system utility or a custom payload.\u003c/li\u003e\n\u003cli\u003eThe child process executes commands or performs actions dictated by the injected code, such as establishing a reverse shell or downloading additional payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the spawned process to perform reconnaissance activities, gathering information about the system and network.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges, potentially leveraging vulnerabilities or misconfigurations accessible from the compromised svchost process.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems on the network, using the compromised system as a pivot point.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which may include data exfiltration, ransomware deployment, or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to privilege escalation, allowing attackers to gain control of the compromised system and potentially the entire network. Attackers can use the compromised system as a staging ground for further attacks, exfiltrate sensitive data, deploy ransomware, or disrupt critical services. The medium severity score reflects the potential for significant impact if the activity is not detected and contained promptly.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eUnusual Svchost Child Process - Childless Service\u003c/code\u003e to your SIEM to detect potential process injection attacks targeting svchost.exe.\u003c/li\u003e\n\u003cli\u003eTune the rule by adding known false positives to the exclusion list, such as \u003ccode\u003eWerFault.exe\u003c/code\u003e, \u003ccode\u003eWerFaultSecure.exe\u003c/code\u003e, and \u003ccode\u003ewermgr.exe\u003c/code\u003e to reduce alert fatigue.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging via Sysmon (Event ID 1) with command line details for better visibility into spawned processes, as described in the \u003ca href=\"https://ela.st/sysmon-event-1-setup\"\u003esetup guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule, focusing on the process details and parent-child relationships to determine the legitimacy of the spawned process.\u003c/li\u003e\n\u003cli\u003eConsider using endpoint detection and response (EDR) solutions like Elastic Defend for enhanced visibility and automated response capabilities, as the rule is designed for data generated by \u003ca href=\"https://www.elastic.co/security/endpoint-security\"\u003eElastic Defend\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"/briefs/2024-01-unusual-svchost-child-process/","summary":"This detection identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn child processes, potentially indicating code injection or exploitation.","title":"Unusual Service Host Child Process - Childless Service","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-svchost-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["uac-bypass","privilege-escalation","windows","diskcleanup","scheduled-task"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis rule identifies User Account Control (UAC) bypass attempts via hijacking the DiskCleanup Scheduled Task. Attackers exploit this method to execute code with elevated privileges, bypassing standard security controls. The technique involves leveraging the \u003ccode\u003ecleanmgr.exe\u003c/code\u003e or \u003ccode\u003etaskhostw.exe\u003c/code\u003e executables with specific arguments (\u003ccode\u003e/autoclean\u003c/code\u003e and \u003ccode\u003e/d\u003c/code\u003e) outside of their expected paths. This allows attackers to run malicious code under the guise of a legitimate system process, making detection more challenging. This technique is used to gain elevated privileges on a compromised system, allowing for further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., via phishing or exploiting a software vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies or creates a scheduled task to execute \u003ccode\u003ecleanmgr.exe\u003c/code\u003e or \u003ccode\u003etaskhostw.exe\u003c/code\u003e with the \u003ccode\u003e/autoclean\u003c/code\u003e and \u003ccode\u003e/d\u003c/code\u003e arguments.\u003c/li\u003e\n\u003cli\u003eThe modified scheduled task is triggered, executing the specified executable with the supplied arguments.\u003c/li\u003e\n\u003cli\u003eThe executable, such as \u003ccode\u003ecleanmgr.exe\u003c/code\u003e, attempts to run Disk Cleanup.\u003c/li\u003e\n\u003cli\u003eIf the executable path is outside the standard locations (e.g., \u003ccode\u003eC:\\\\Windows\\\\System32\u003c/code\u003e or \u003ccode\u003eC:\\\\Windows\\\\SysWOW64\u003c/code\u003e), it indicates a potential hijack.\u003c/li\u003e\n\u003cli\u003eMalicious code is executed with elevated privileges due to the UAC bypass.\u003c/li\u003e\n\u003cli\u003eThe attacker uses these elevated privileges to install malware, modify system settings, or perform other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass User Account Control (UAC) and execute code with elevated privileges. This can lead to the installation of malware, modification of system settings, data theft, and other malicious activities. While the exact number of victims is unknown, this technique is effective on systems where UAC is enabled but misconfigured or vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;UAC Bypass via DiskCleanup with Suspicious Path\u0026rdquo; to your SIEM and tune for your environment to detect UAC bypass attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;UAC Bypass via DiskCleanup and Taskhostw\u0026rdquo; to your SIEM to detect UAC bypass attempts.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ecleanmgr.exe\u003c/code\u003e and \u003ccode\u003etaskhostw.exe\u003c/code\u003e with the \u003ccode\u003e/autoclean\u003c/code\u003e and \u003ccode\u003e/d\u003c/code\u003e arguments, focusing on executions outside the standard system directories.\u003c/li\u003e\n\u003cli\u003eReview and harden scheduled tasks to prevent unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eEnsure that UAC settings are properly configured and enforced across the organization.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"/briefs/2024-01-uac-bypass-diskcleanup/","summary":"Attackers bypass User Account Control (UAC) by hijacking the DiskCleanup Scheduled Task to stealthily execute code with elevated permissions on Windows systems.","title":"UAC Bypass via DiskCleanup Scheduled Task Hijack","url":"https://feed.craftedsignal.io/briefs/2024-01-uac-bypass-diskcleanup/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","eventlog"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers often disable Windows Event and Security Logs to evade detection on compromised systems. This activity involves tampering with, clearing, and deleting event log data to break SIEM detections, cover their tracks, and slow down incident response. The methods employed include using the \u003ccode\u003elogman\u003c/code\u003e utility, PowerShell commands to disable the EventLog service, or \u003ccode\u003eauditpol\u003c/code\u003e to disable auditing. These actions are typically performed after initial access and privilege escalation to hinder forensic investigations and maintain persistence within the environment. Defenders should monitor for these specific tools and command-line arguments to identify potential attempts to disable logging.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to administrator level to gain the necessary permissions to modify event logging settings.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003elogman.exe\u003c/code\u003e with arguments to stop or delete EventLog traces (e.g., \u003ccode\u003elogman.exe stop EventLog-*\u003c/code\u003e, \u003ccode\u003elogman.exe delete EventLog-*\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses PowerShell with \u003ccode\u003eSet-Service\u003c/code\u003e cmdlet to disable the EventLog service (e.g., \u003ccode\u003epowershell.exe Set-Service EventLog -StartupType Disabled\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker can also use \u003ccode\u003eauditpol.exe\u003c/code\u003e to disable auditing policies, preventing future events from being logged (e.g., \u003ccode\u003eauditpol.exe /success:disable\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAfter disabling logging, the attacker performs malicious activities such as lateral movement, data exfiltration, or malware deployment, with a reduced risk of detection.\u003c/li\u003e\n\u003cli\u003eThe attacker removes traces of their activity from other logs if possible.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence and continues to exploit the compromised environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of Windows Event and Security Logs can severely hinder incident response and forensic investigations. The absence of log data makes it difficult to detect ongoing malicious activity, understand the scope of the compromise, and attribute the attack. This can lead to prolonged dwell time for attackers, increased data exfiltration, and greater overall damage to the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Disable Windows Event and Security Logs Using Built-in Tools\u0026rdquo; to your SIEM to detect the execution of \u003ccode\u003elogman.exe\u003c/code\u003e, PowerShell, and \u003ccode\u003eauditpol.exe\u003c/code\u003e with specific arguments related to disabling event logs.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003elogman.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003epwsh.exe\u003c/code\u003e, \u003ccode\u003epowershell_ise.exe\u003c/code\u003e, and \u003ccode\u003eauditpol.exe\u003c/code\u003e with command-line arguments that indicate an attempt to disable event logging.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture detailed command-line arguments for process monitoring.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit Group Policy settings related to event logging to prevent unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eMonitor for changes to the EventLog service configuration, including startup type and status, using system monitoring tools.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T10:00:00Z","date_published":"2024-01-04T10:00:00Z","id":"/briefs/2024-01-disable-windows-logs/","summary":"Attackers attempt to disable Windows Event and Security Logs using logman, PowerShell, or auditpol to evade detection and cover their tracks.","title":"Disable Windows Event and Security Logs Using Built-in Tools","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-windows-logs/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","PowerShell"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","powershell","remoting"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies potential lateral movement through the exploitation of Windows PowerShell remoting. PowerShell remoting is a feature that enables administrators and attackers to execute commands on remote Windows systems. The detection focuses on identifying incoming network connections on ports 5985 (HTTP) and 5986 (HTTPS), the default ports used for PowerShell Remoting, followed by the execution of processes spawned by \u003ccode\u003ewsmprovhost.exe\u003c/code\u003e, the Windows Remote Management process host. This activity, when originating from unexpected sources, may indicate unauthorized access and lateral movement within a network. The rule is designed to detect suspicious activity by monitoring network traffic and process execution, flagging potential unauthorized remote executions, and enabling security teams to respond swiftly.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a network, possibly through phishing or exploiting a vulnerability on an internet-facing system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages PowerShell remoting to initiate a connection to a target system on ports 5985 or 5986.\u003c/li\u003e\n\u003cli\u003eThe target system accepts the incoming PowerShell Remoting connection.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewsmprovhost.exe\u003c/code\u003e process is launched on the target system to facilitate the remote PowerShell session.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands remotely, spawning child processes from \u003ccode\u003ewsmprovhost.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges or move laterally to other systems within the network using the remote PowerShell session.\u003c/li\u003e\n\u003cli\u003eThe attacker uses tools such as \u003ccode\u003enet.exe\u003c/code\u003e or \u003ccode\u003ePsExec\u003c/code\u003e over the remote PowerShell session to further propagate.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or deploying ransomware, by leveraging the established remote session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of PowerShell Remoting for lateral movement can lead to widespread compromise within an organization. An attacker could gain control over multiple systems, potentially leading to data breaches, system outages, or ransomware deployment. The number of affected systems could range from a few critical servers to a significant portion of the network, depending on the attacker\u0026rsquo;s objectives and the organization\u0026rsquo;s security posture. The impact could include financial losses, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eIncoming Execution via PowerShell Remoting\u003c/code\u003e to your SIEM to detect suspicious PowerShell remoting activity and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to ports 5985 and 5986, and investigate any unauthorized or unexpected traffic using the \u003ccode\u003enetwork_connection\u003c/code\u003e log source.\u003c/li\u003e\n\u003cli\u003eInvestigate processes spawned by \u003ccode\u003ewsmprovhost.exe\u003c/code\u003e for unusual or malicious activity using the \u003ccode\u003eprocess_creation\u003c/code\u003e log source.\u003c/li\u003e\n\u003cli\u003eWhitelist authorized administrative IP addresses or user accounts that frequently perform remote management tasks, as mentioned in the false positives analysis.\u003c/li\u003e\n\u003cli\u003eReview and document automated scripts or scheduled tasks that use PowerShell Remoting for system maintenance, then create exceptions for their specific process names or execution paths.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:53:23Z","date_published":"2024-01-03T18:53:23Z","id":"/briefs/2024-01-03-powershell-remoting/","summary":"This rule identifies remote execution via Windows PowerShell remoting, which allows a user to run any Windows PowerShell command on one or more remote computers, potentially indicating lateral movement.","title":"Incoming Execution via PowerShell Remoting","url":"https://feed.craftedsignal.io/briefs/2024-01-03-powershell-remoting/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft HTML Help system","Elastic Defend","Microsoft Defender XDR","Sysmon","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["execution","defense-evasion","compiled-html","windows","proxy-execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eAttackers are known to deliver malicious payloads within compiled HTML files (.chm) to bypass security measures and gain initial access to systems. This technique leverages the Microsoft HTML Help system and its associated executable, hh.exe, to proxy the execution of malicious code. Compiled HTML files can contain various types of content, including HTML documents, images, and scripting languages like VBA, JScript, Java, and ActiveX. By embedding malicious scripts or executables within a .chm file, attackers can trick users into executing them when they open the file. This is particularly effective because hh.exe is a signed binary, which may allow it to bypass certain security controls. The scope of this technique affects Windows systems where the HTML Help system is installed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious .chm file containing embedded malicious code, such as a PowerShell script or executable.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the .chm file to the victim via social engineering, such as phishing or malicious websites.\u003c/li\u003e\n\u003cli\u003eThe victim opens the .chm file, causing hh.exe to launch.\u003c/li\u003e\n\u003cli\u003ehh.exe processes the .chm file, rendering its content, which includes the embedded malicious script or executable.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes, often spawning a scripting interpreter like \u003ccode\u003epowershell.exe\u003c/code\u003e or \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe scripting interpreter executes commands to download additional payloads or perform malicious actions on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the victim\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges and moves laterally within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to initial access, code execution, and potentially full system compromise. This can result in data theft, malware installation, and further lateral movement within the network. The severity and impact depend on the permissions of the user running hh.exe and the nature of the malicious payload.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Compiled HTML File Spawning Suspicious Processes\u0026rdquo; to your SIEM to detect instances where \u003ccode\u003ehh.exe\u003c/code\u003e is the parent process of scripting interpreters.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to provide the necessary data for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eMonitor process execution chains for unknown processes originating from \u003ccode\u003ehh.exe\u003c/code\u003e, as mentioned in the investigation guide.\u003c/li\u003e\n\u003cli\u003eImplement email filtering and security awareness training to prevent users from opening malicious .chm files delivered via phishing.\u003c/li\u003e\n\u003cli\u003eBlock the execution of unsigned or untrusted executables in the environment to reduce the risk of malicious code execution.\u003c/li\u003e\n\u003cli\u003eUse endpoint detection and response (EDR) solutions like Elastic Defend, CrowdStrike, Microsoft Defender XDR, and SentinelOne to detect and respond to malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:30:00Z","date_published":"2024-01-03T18:30:00Z","id":"/briefs/2024-01-compiled-html-execution/","summary":"Adversaries may conceal malicious code in compiled HTML files (.chm) and deliver them to a victim for execution, using the HTML Help executable (hh.exe) to proxy the execution of scripting interpreters and bypass security controls.","title":"Process Activity via Compiled HTML File Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-compiled-html-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["phishing","lnk","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies suspicious .lnk files created on Windows systems, especially those downloaded from external sources, which may indicate potential phishing attempts. The rule leverages file creation events and zone identifiers to trace the file\u0026rsquo;s origin. Adversaries exploit shortcut files by embedding malicious commands within them, often distributing these files via phishing campaigns. This can lead to arbitrary code execution upon user interaction. The rule is designed for data generated by Elastic Defend.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser receives a phishing email containing a malicious .lnk file.\u003c/li\u003e\n\u003cli\u003eThe user downloads the .lnk file to their Windows system.\u003c/li\u003e\n\u003cli\u003eThe Windows OS marks the file with a Zone Identifier indicating it came from an external source.\u003c/li\u003e\n\u003cli\u003eThe user double-clicks the .lnk file, triggering its execution.\u003c/li\u003e\n\u003cli\u003eThe .lnk file executes embedded commands, such as PowerShell or cmd.exe.\u003c/li\u003e\n\u003cli\u003eThe command downloads and executes a malicious payload from a remote server.\u003c/li\u003e\n\u003cli\u003eThe payload establishes persistence on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access and control over the infected host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the compromise of the user\u0026rsquo;s system, potentially resulting in data theft, malware installation, or further propagation of the attack within the network.  The severity of the impact depends on the privileges of the compromised user account and the attacker\u0026rsquo;s objectives. The rule aims to detect and prevent such attacks early in the attack chain, reducing the potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Downloaded Shortcut Files\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend to capture the necessary file creation events for the rule to function.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule, paying close attention to the file path, zone identifier, and associated user account.\u003c/li\u003e\n\u003cli\u003eUpdate security policies to restrict the execution of .lnk files from untrusted sources.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening suspicious attachments, especially .lnk files, to prevent initial access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:22:32Z","date_published":"2024-01-03T18:22:32Z","id":"/briefs/2024-01-downloaded-lnk/","summary":"This rule detects potentially malicious .lnk shortcut files downloaded from outside the local network on Windows systems, which are commonly used in phishing campaigns.","title":"Detection of Downloaded Shortcut Files","url":"https://feed.craftedsignal.io/briefs/2024-01-downloaded-lnk/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["credential-access","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eThis rule identifies the creation of symbolic links to shadow copies on Windows systems. Attackers use this technique to gain access to sensitive files stored within shadow copies, including the ntds.dit file (containing password hashes), system boot keys, and browser offline credentials. This approach allows them to bypass normal file access controls and extract credentials for lateral movement or privilege escalation. The detection rule is designed to ingest data from various sources, including Elastic Defend, CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs, providing broad coverage across different endpoint security solutions. The activity is typically initiated by command-line tools like cmd.exe or powershell.exe, making detection through process monitoring feasible. This technique is particularly relevant as it targets credential dumping, a critical stage in many attack campaigns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, possibly through phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain administrative rights, which are required to create shadow copies and symbolic links.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a volume shadow copy using \u003ccode\u003evssadmin.exe\u003c/code\u003e or similar tools.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003emklink\u003c/code\u003e command or PowerShell \u003ccode\u003eNew-Item -ItemType SymbolicLink\u003c/code\u003e to create a symbolic link to the shadow copy path.\u003c/li\u003e\n\u003cli\u003eThe symbolic link points to a directory within the shadow copy containing sensitive files like \u003ccode\u003entds.dit\u003c/code\u003e or browser credential stores.\u003c/li\u003e\n\u003cli\u003eThe attacker copies the targeted sensitive files (e.g., \u003ccode\u003entds.dit\u003c/code\u003e) from the shadow copy using the symbolic link.\u003c/li\u003e\n\u003cli\u003eThe attacker removes the shadow copy to cover their tracks, although the symbolic link creation remains as evidence.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts credentials from the copied \u003ccode\u003entds.dit\u003c/code\u003e file offline for use in lateral movement or further attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain unauthorized access to sensitive credentials stored on the compromised system. This can lead to lateral movement within the network, privilege escalation, and ultimately, the compromise of critical assets. If the \u003ccode\u003entds.dit\u003c/code\u003e file is accessed, the entire Active Directory domain could be at risk, potentially affecting thousands of users and systems. This type of attack is particularly damaging as it allows attackers to operate undetected for extended periods while they harvest credentials.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026ldquo;Symbolic Link to Shadow Copy Created via Cmd\u0026rdquo; to detect the creation of symbolic links to shadow copies via \u003ccode\u003ecmd.exe\u003c/code\u003e (rules).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026ldquo;Symbolic Link to Shadow Copy Created via PowerShell\u0026rdquo; to detect the creation of symbolic links to shadow copies via \u003ccode\u003epowershell.exe\u003c/code\u003e (rules).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) logging to provide necessary data for the Sigma rules to function correctly (setup).\u003c/li\u003e\n\u003cli\u003eReview the \u0026ldquo;Investigating Symbolic Link to Shadow Copy Created\u0026rdquo; section in the rule\u0026rsquo;s notes for triage and analysis steps when the rule triggers.\u003c/li\u003e\n\u003cli\u003eMonitor for the usage of \u003ccode\u003emklink\u003c/code\u003e command with the \u003ccode\u003eHarddiskVolumeShadowCopy\u003c/code\u003e argument in process command lines.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:15:00Z","date_published":"2024-01-03T18:15:00Z","id":"/briefs/2024-01-shadow-copy-symlink/","summary":"Adversaries may create symbolic links to shadow copies to access sensitive files such as ntds.dit and browser credentials, enabling credential dumping using cmd.exe or powershell.exe.","title":"Symbolic Link Creation to Shadow Copies for Credential Access","url":"https://feed.craftedsignal.io/briefs/2024-01-shadow-copy-symlink/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","proxy-execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne"],"content_html":"\u003cp\u003eInstallUtil.exe is a legitimate Windows utility used for installing and uninstalling server resources. Adversaries abuse InstallUtil.exe to execute malicious code under the guise of legitimate processes, often to evade detection. This technique allows attackers to proxy execution through a trusted system binary, potentially bypassing application control and security monitoring. The detection rule identifies suspicious network activity by monitoring InstallUtil.exe\u0026rsquo;s outbound connections, flagging potential misuse by alerting on the initial network connection attempt. This activity is detected via the Elastic EQL rule \u0026ldquo;InstallUtil Process Making Network Connections.\u0026rdquo;\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access through an undisclosed method.\u003c/li\u003e\n\u003cli\u003eThe attacker uses InstallUtil.exe to execute a malicious .NET assembly.\u003c/li\u003e\n\u003cli\u003eInstallUtil.exe loads the malicious assembly into its process.\u003c/li\u003e\n\u003cli\u003eThe malicious assembly executes code that establishes an outbound network connection.\u003c/li\u003e\n\u003cli\u003eThe connection is used for command and control (C2) or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the C2 channel to download and execute further payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data theft or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution within the context of a trusted Windows process (InstallUtil.exe), bypassing application control and potentially evading detection. This could result in a compromised system, data exfiltration, or further malicious activities within the network. The scope of impact depends on the attacker\u0026rsquo;s objectives and the level of access gained, potentially affecting entire organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging and network connection logging via Sysmon or Elastic Defend to provide the data needed for the rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;InstallUtil Network Connection\u0026rdquo; to your SIEM and tune for your environment to detect suspicious outbound network connections from InstallUtil.exe.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule by examining the parent process of InstallUtil.exe, destination IP addresses, and associated activities.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring and alerting for unusual outbound connections from critical systems to enhance detection of similar threats in the future.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:15:00Z","date_published":"2024-01-03T18:15:00Z","id":"/briefs/2024-01-installutil-network-connection/","summary":"Detection of InstallUtil.exe making outbound network connections, which can indicate adversaries leveraging it to execute code and evade detection by proxying execution through a trusted system binary.","title":"InstallUtil Process Making Network Connections for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-installutil-network-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Edge","Chrome","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["credential-access","windows","browser-exploitation"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Google","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies instances where a browser process, specifically Google Chrome or Microsoft Edge, is initiated from an unexpected parent process on a Windows system. The rule focuses on scenarios where browsers are launched with arguments indicative of remote debugging, headless automation, or minimal user interaction. Such activity can signal an attempt to manipulate a browser session for malicious purposes, potentially leading to credential theft or unauthorized access to sensitive information. The rule is designed to leverage data from Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Process Creation Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script or command to launch a browser process (chrome.exe or msedge.exe).\u003c/li\u003e\n\u003cli\u003eThe browser is launched with specific command-line arguments, such as \u003ccode\u003e--remote-debugging-port\u003c/code\u003e, \u003ccode\u003e--headless\u003c/code\u003e, or \u003ccode\u003e--window-position=-x,-y\u003c/code\u003e, to enable remote control or hide the browser window.\u003c/li\u003e\n\u003cli\u003eThe parent process of the browser is an unusual executable, not typically associated with launching browsers (e.g., not explorer.exe).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the remote debugging port to interact with the browser session programmatically.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to steal credentials or session cookies from the browser.\u003c/li\u003e\n\u003cli\u003eThe attacker uses stolen credentials to access sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the theft of user credentials, enabling unauthorized access to sensitive data and systems. This could result in financial loss, data breaches, and reputational damage for affected organizations. The targeted use of browser manipulation techniques increases the likelihood of bypassing traditional security controls.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eBrowser Process Spawned from Unusual Parent\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging (Event ID 1) to collect the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eBrowser Process Spawned from Unusual Parent\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview process command lines for arguments like \u003ccode\u003e--remote-debugging-port\u003c/code\u003e or \u003ccode\u003e--headless\u003c/code\u003e to identify potential browser manipulation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from browser processes for unexpected destinations, as described in the investigation guide from the source.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:15:00Z","date_published":"2024-01-03T18:15:00Z","id":"/briefs/2024-01-browser-unusual-parent/","summary":"Attackers may attempt credential theft by launching browsers (Chrome, Edge) with remote debugging, headless automation, or minimal arguments from an unusual parent process on Windows systems.","title":"Browser Process Spawned from an Unusual Parent","url":"https://feed.craftedsignal.io/briefs/2024-01-browser-unusual-parent/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Backup Exec","Veeam","Microsoft Power BI Enterprise Gateway","Trend Micro"],"_cs_severities":["medium"],"_cs_tags":["impact","backup deletion","ransomware"],"_cs_type":"advisory","_cs_vendors":["Elastic","Veritas","Veeam","Trend Micro","Microsoft"],"content_html":"\u003cp\u003eThis rule identifies the deletion of backup files, specifically those created by Veeam and Veritas Backup Exec, through unexpected processes on Windows systems. The rule aims to detect potential attempts to inhibit system recovery by adversaries, particularly in the context of ransomware attacks. Attackers often target backup files to eliminate recovery options for victims. This detection focuses on identifying file deletion events where the process responsible for the deletion does not belong to the trusted backup software suite. The rule excludes known legitimate processes and directories like Trend Micro\u0026rsquo;s, Microsoft Exchange Mailbox Assistants, and the Recycle Bin to minimize false positives. The original Elastic detection rule was created in October 2021 and last updated May 4, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary gains initial access to the target Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance to identify backup file locations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a non-backup related process (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e) to delete backup files.\u003c/li\u003e\n\u003cli\u003eThe attacker targets Veeam backup files with extensions \u003ccode\u003eVBK\u003c/code\u003e, \u003ccode\u003eVIB\u003c/code\u003e, and \u003ccode\u003eVBM\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker targets Veritas Backup Exec files with the \u003ccode\u003eBKF\u003c/code\u003e extension.\u003c/li\u003e\n\u003cli\u003eThe deletion events are logged by the endpoint detection system.\u003c/li\u003e\n\u003cli\u003eThe detection rule triggers, identifying the anomalous deletion activity based on file extension and process context.\u003c/li\u003e\n\u003cli\u003eSuccessful deletion of backups impairs the victim\u0026rsquo;s ability to recover from ransomware or other destructive attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of backup files can severely impact an organization\u0026rsquo;s ability to recover from a ransomware attack or other data loss events. Without viable backups, the victim organization may be forced to pay a ransom or face significant data loss and business disruption. This tactic directly increases the attacker\u0026rsquo;s leverage and potential financial gain. The rule\u0026rsquo;s documentation cites a report from AdvIntel detailing backup removal solutions seen with Conti ransomware.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eUnexpected Veeam Backup File Deletion\u003c/code\u003e to your SIEM and tune for your environment to detect unexpected deletion of Veeam backup files.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eUnexpected Veritas Backup File Deletion\u003c/code\u003e to your SIEM and tune for your environment to detect unexpected deletion of Veritas Backup Exec files.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules to determine the source of the deletion and assess potential impact.\u003c/li\u003e\n\u003cli\u003eEnable endpoint file event logging to capture file deletion events, which are crucial for the Sigma rules.\u003c/li\u003e\n\u003cli\u003eReview process execution chains (parent process tree) for unknown processes to identify the root cause of unexpected file deletions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:12:00Z","date_published":"2024-01-03T18:12:00Z","id":"/briefs/2024-01-03-backup-deletion/","summary":"This detection identifies the deletion of backup files by processes outside of the backup suite, specifically targeting Veritas and Veeam backups, which may indicate an attempt to prevent recovery from ransomware.","title":"Third-party Backup Files Deleted via Unexpected Process","url":"https://feed.craftedsignal.io/briefs/2024-01-03-backup-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","Windows"],"_cs_severities":["low"],"_cs_tags":["discovery","account-discovery","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","Elastic"],"content_html":"\u003cp\u003eAttackers often perform reconnaissance activities within a compromised environment to understand the available resources and potential targets. This reconnaissance helps them plan subsequent actions, such as privilege escalation and lateral movement. This activity involves using built-in Windows utilities like \u003ccode\u003enet.exe\u003c/code\u003e and \u003ccode\u003ewmic.exe\u003c/code\u003e to enumerate administrator-related user accounts and groups. This information can reveal potential targets for credential compromise or other post-exploitation activities. Lower privileged accounts commonly perform this enumeration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enet.exe\u003c/code\u003e with arguments to list users and groups.\u003c/li\u003e\n\u003cli\u003eThe attacker filters the output for administrator-related keywords like \u0026ldquo;admin\u0026rdquo;, \u0026ldquo;Domain Admins\u0026rdquo;, \u0026ldquo;Enterprise Admins\u0026rdquo;, \u0026ldquo;Remote Desktop Users\u0026rdquo;, or \u0026ldquo;Organization Management\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker executes \u003ccode\u003ewmic.exe\u003c/code\u003e to query user accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output from \u003ccode\u003ewmic.exe\u003c/code\u003e to identify administrator accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies privileged accounts to target for credential theft or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the identified accounts to perform lateral movement or access sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enumeration of administrator accounts allows an attacker to identify high-value targets within the environment. This can lead to credential theft, privilege escalation, lateral movement, and ultimately, unauthorized access to sensitive data or systems. While the risk score is low, this activity serves as a precursor to more serious compromises.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003enet.exe\u003c/code\u003e and \u003ccode\u003ewmic.exe\u003c/code\u003e commands with arguments related to user and group enumeration using the Sigma rules provided.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of lower-privileged accounts executing these commands and filter out authorized administrative accounts performing the same actions.\u003c/li\u003e\n\u003cli\u003eEnable Windows process creation logging to capture the necessary events.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:14:00Z","date_published":"2024-01-03T17:14:00Z","id":"/briefs/2024-01-admin-recon/","summary":"Adversaries may execute the `net.exe` or `wmic.exe` commands to enumerate administrator accounts or groups, both locally and within the domain, to gather information for follow-on actions.","title":"Windows Account Discovery of Administrator Accounts","url":"https://feed.craftedsignal.io/briefs/2024-01-admin-recon/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["high"],"_cs_tags":["credential-access","mimikatz","memssp","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies the creation of the \u003ccode\u003emimilsa.log\u003c/code\u003e file, a default log generated by the Mimikatz \u003ccode\u003emisc::memssp\u003c/code\u003e module. The \u003ccode\u003emisc::memssp\u003c/code\u003e module injects a malicious Security Support Provider (SSP) into the Local Security Authority Subsystem Service (LSASS) process. This injected SSP logs credentials from subsequent logons to the compromised host, allowing attackers to capture sensitive information. The creation of this log file is a strong indicator of credential access attempts and the potential compromise of user accounts and system security. This rule is designed for data generated by Elastic Defend and also supports data from CrowdStrike, Microsoft Defender XDR, and SentinelOne Cloud Funnel.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes Mimikatz or a similar tool with the \u003ccode\u003emisc::memssp\u003c/code\u003e module.\u003c/li\u003e\n\u003cli\u003eMimikatz injects a malicious SSP library (e.g., \u003ccode\u003emimilib.dll\u003c/code\u003e) into the LSASS process (\u003ccode\u003elsass.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe injected SSP hooks into the authentication process.\u003c/li\u003e\n\u003cli\u003eWhen users log on to the system, the SSP captures their credentials.\u003c/li\u003e\n\u003cli\u003eThe captured credentials are written to the \u003ccode\u003emimilsa.log\u003c/code\u003e file, typically located in \u003ccode\u003eC:\\Windows\\System32\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the \u003ccode\u003emimilsa.log\u003c/code\u003e file to obtain the captured credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to escalate privileges, move laterally within the network, and access sensitive resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Mimikatz MemSSP attack can lead to the compromise of user accounts, including those with administrative privileges. This allows attackers to gain unauthorized access to sensitive data, systems, and resources within the organization. Lateral movement becomes easier, potentially impacting a large number of systems. The compromised credentials can also be used for external attacks, such as gaining access to cloud services or other external resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMimikatz Memssp Log File Detected\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon file creation logging to detect the creation of \u003ccode\u003emimilsa.log\u003c/code\u003e files.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the process that created the log file and any subsequent file access.\u003c/li\u003e\n\u003cli\u003eMonitor for the presence of \u003ccode\u003emimilib.dll\u003c/code\u003e and any LSA Security Packages registry modifications, as these may indicate persistent SSP installation.\u003c/li\u003e\n\u003cli\u003eReview and restrict interactive logons to high-value hosts to minimize the potential for credential theft.\u003c/li\u003e\n\u003cli\u003eInvestigate related alerts for the same \u003ccode\u003ehost.id\u003c/code\u003e in the last 48 hours covering delivery, privilege escalation, LSASS access, persistence, lateral movement, or additional credential access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:00:00Z","date_published":"2024-01-03T17:00:00Z","id":"/briefs/2024-01-mimikatz-memssp-log/","summary":"This rule detects the creation of the default Mimikatz MemSSP credential log file, mimilsa.log, which is created after the misc::memssp module injects a malicious Security Support Provider into LSASS, potentially capturing credentials from subsequent logons.","title":"Mimikatz MemSSP Log File Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-mimikatz-memssp-log/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Endpoint"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","scripting-interpreter","base64","command-line"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis rule identifies the execution of scripting interpreters (Python, PowerShell, Node.js, and Deno) with unusually long command lines containing base64 encoded payloads. The rule focuses on scenarios where the initial \u003ccode\u003eprocess.command_line\u003c/code\u003e field is ignored due to its excessive length, but the complete command line is still available in \u003ccode\u003eprocess.command_line.text\u003c/code\u003e. Attackers leverage this technique to evade traditional command-line inspection and execute malicious content across Windows, macOS, and Linux systems. This approach allows attackers to embed and execute code without writing it to disk, making it harder to detect. The rule is designed to detect this behavior, allowing for closer inspection of the executed commands and their intent.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell, Python, Node.js, or Deno to execute commands.\u003c/li\u003e\n\u003cli\u003eA long, base64-encoded string is crafted, designed to evade detection.\u003c/li\u003e\n\u003cli\u003eThe interpreter is invoked with the encoded string passed as an argument, exceeding typical command-line limits.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eprocess.command_line\u003c/code\u003e field is truncated due to its length, but the full command line is available in \u003ccode\u003eprocess.command_line.text\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe interpreter decodes and executes the payload from the \u003ccode\u003eprocess.command_line.text\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe decoded payload performs malicious actions such as downloading malware, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as gaining control of the system or stealing sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a wide range of malicious activities, including malware installation, data theft, privilege escalation, and system compromise. Due to the defense evasion capabilities, it is difficult to identify and prevent. The impact includes potential data breaches, financial losses, and reputational damage. The rule\u0026rsquo;s detection helps defenders identify this attack vector and prevent further exploitation of affected systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Long Base64 Encoded Command via Scripting Interpreter\u003c/code\u003e to your SIEM to detect this behavior.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the \u003ccode\u003eprocess.command_line.text\u003c/code\u003e field to understand the full command being executed.\u003c/li\u003e\n\u003cli\u003eReview parent processes and execution chains of the interpreter to understand the initial attack vector.\u003c/li\u003e\n\u003cli\u003eImplement controls to restrict the execution of scripting interpreters from untrusted sources.\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for command lines exceeding a certain length threshold.\u003c/li\u003e\n\u003cli\u003eImprove logging coverage to capture the full command line even when it exceeds standard limits.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:00:00Z","date_published":"2024-01-03T17:00:00Z","id":"/briefs/2024-01-03-long-base64-interpreter-cmdline/","summary":"Detection of oversized command lines used by Python, PowerShell, Node.js, or Deno interpreters containing base64 decoding or encoded-command patterns, indicating potential evasion and malicious execution.","title":"Long Base64 Encoded Command via Scripting Interpreter","url":"https://feed.craftedsignal.io/briefs/2024-01-03-long-base64-interpreter-cmdline/"}],"language":"en","next_url":"/vendors/elastic/page/2/feed.json","title":"CraftedSignal Threat Feed — Elastic","version":"https://jsonfeed.org/version/1.1"}