{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/eset/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Filtering Platform","elastic-agent","elastic-endpoint"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows-filtering-platform","endpoint-security"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Bitdefender","VMware Carbon Black","Comodo","Vectra AI","Cybereason","Cylance","Elastic","ESET","Broadcom","Fortinet","Kaspersky","Malwarebytes","McAfee","Qualys","SentinelOne","Sophos","Symantec","Trend Micro","BeyondTrust","CrowdStrike","Splunk","Tanium"],"content_html":"\u003cp\u003eThe Windows Filtering Platform (WFP) provides APIs and system services for network filtering and packet processing. Attackers can abuse WFP by creating malicious rules to block endpoint security processes, hindering their ability to send telemetry. This can be achieved by tools like Shutter, EDRSilencer, and Nighthawk. This detection rule identifies patterns of blocked network events linked to security software processes, signaling potential evasion tactics. The rule specifically looks for blocked network events linked to processes associated with known security software, aiming to detect and alert on attempts to disable or modify security tools. This behavior is especially concerning as it allows attackers to operate with reduced visibility.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system (e.g., via compromised credentials or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain administrative rights, necessary to interact with the Windows Filtering Platform.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool or script (e.g., leveraging the \u003ccode\u003enetsh\u003c/code\u003e command or custom WFP API calls) to create a new WFP filter.\u003c/li\u003e\n\u003cli\u003eThe WFP filter is configured to block network traffic originating from specific processes associated with endpoint security software (e.g., \u003ccode\u003eelastic-agent.exe\u003c/code\u003e, \u003ccode\u003esysmon.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe system begins blocking network communication from the targeted security software.\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious commands or malware on the system, knowing that security telemetry will be suppressed.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network, repeating the WFP filter deployment on other systems to further impair defenses.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or ransomware deployment, with reduced risk of detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using WFP to impair defenses can lead to a significant reduction in the effectiveness of endpoint security solutions. This can result in delayed detection of malicious activities, increased dwell time for attackers, and ultimately, a higher likelihood of successful data breaches or ransomware attacks. With endpoint telemetry blocked, organizations may remain unaware of the ongoing compromise until significant damage has occurred. The number of affected systems can vary depending on the attacker\u0026rsquo;s scope and objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and review Windows Audit Filtering Platform Connection and Packet Drop events to populate the logs required for the provided EQL rule (logs-system.security*, logs-windows.forwarded*, winlogbeat-*).\u003c/li\u003e\n\u003cli\u003eDeploy the provided EQL rule to your SIEM to detect suspicious WFP modifications and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the EQL rule, focusing on identifying the specific processes being blocked and the source of the WFP rule modifications.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit WFP rules to identify any unauthorized or suspicious entries.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and monitoring for systems authorized to modify WFP rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-wfp-evasion/","summary":"Adversaries may add malicious Windows Filtering Platform (WFP) rules to prevent endpoint security solutions from sending telemetry data, impairing defenses, which this rule detects by identifying multiple WFP block events where the process name is associated with endpoint security software.","title":"Potential Evasion via Windows Filtering Platform Blocking Security Software","url":"https://feed.craftedsignal.io/briefs/2026-05-wfp-evasion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Adobe Acrobat Update Task","Sure Click","Secure Access Client","CtxsDPS.exe","Openvpn-gui.exe","Veeam Endpoint Backup","Cisco Secure Client","Concentr.exe","Receiver","AnalyticsSrv.exe","Redirector.exe","Download Navigator","Jabra Direct","Vmware Workstation","Eset Security","iTunes","Keepassxc.exe","Globalprotect","Pdf24.exe","Vmware Tools","Teams"],"_cs_severities":["medium"],"_cs_tags":["persistence","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Adobe","HP","Intel","Acronis","Java","Citrix","OpenVPN","Veeam","Cisco","Epson","Jabra","VMware","ESET","iTunes","KeePassXC","Palo Alto Networks","PDF24"],"content_html":"\u003cp\u003eThe Windows Installer (msiexec.exe) is a legitimate system tool used for installing, updating, and removing software on Windows systems. Adversaries can abuse msiexec.exe to establish persistence mechanisms by creating malicious scheduled tasks or modifying registry run keys. This allows them to execute arbitrary code during system startup or user logon. This technique is attractive to attackers due to msiexec.exe being a trusted Windows binary, potentially evading detection by security solutions that focus on flagging unknown or suspicious processes. The use of msiexec.exe for persistence can be difficult to detect without specific monitoring rules, as it is a common and legitimate system process. This activity can be observed across various Windows versions and is frequently integrated into automated attack frameworks and scripts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised system, potentially through phishing, exploitation of a vulnerability, or stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages msiexec.exe to create a new scheduled task using the \u003ccode\u003eschtasks.exe\u003c/code\u003e command, setting it to execute a malicious script or binary.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses msiexec.exe in conjunction with \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify registry keys under \u003ccode\u003eHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u003c/code\u003e or \u003ccode\u003eHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u003c/code\u003e, adding a pointer to their malicious executable.\u003c/li\u003e\n\u003cli\u003eThe created scheduled task or registry entry points to a malicious payload, such as a reverse shell or a downloader.\u003c/li\u003e\n\u003cli\u003eThe system is restarted, or the user logs on, triggering the execution of the newly created scheduled task or the malicious binary through the modified registry run key.\u003c/li\u003e\n\u003cli\u003eThe malicious payload executes, establishing a persistent foothold for the attacker on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform further actions, such as data exfiltration, lateral movement, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the adversary to maintain persistent access to the compromised system. This can lead to data theft, system compromise, deployment of ransomware, or use of the system as a staging point for further attacks within the network. A single compromised system can be used to pivot and compromise additional systems, leading to a widespread security breach. The impact can include financial losses, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for msiexec.exe spawning \u003ccode\u003eschtasks.exe\u003c/code\u003e or \u003ccode\u003ereg.exe\u003c/code\u003e to create scheduled tasks or modify registry run keys (reference: rules in this brief).\u003c/li\u003e\n\u003cli\u003eImplement and tune the Sigma rules provided in this brief to detect suspicious msiexec.exe activity related to persistence mechanisms.\u003c/li\u003e\n\u003cli\u003eReview and audit existing scheduled tasks and registry run keys for any suspicious entries or anomalies.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring (FIM) on critical system directories, including the Windows Task Scheduler directory and registry run key locations (reference: event.category == \u0026ldquo;file\u0026rdquo; and file.path \u0026hellip; and event.category == \u0026ldquo;registry\u0026rdquo; and registry.path \u0026hellip; in the rule query).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or unknown executables (reference: rule query).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-09-05T14:17:05Z","date_published":"2024-09-05T14:17:05Z","id":"/briefs/2024-09-msiexec-persistence/","summary":"Adversaries may establish persistence by abusing the Windows Installer (msiexec.exe) to create scheduled tasks or modify registry run keys, allowing for malicious code execution upon system startup or user logon.","title":"Persistence via Windows Installer (Msiexec)","url":"https://feed.craftedsignal.io/briefs/2024-09-msiexec-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Veeam Backup","PDQ Deploy","Pella Order Management","eset-remote-install-service"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Veeam","Admin Arsenal","Pella Corporation","ESET"],"content_html":"\u003cp\u003eThis detection rule identifies a potential lateral movement technique where an attacker establishes a network logon to a Windows system and subsequently installs a service using the same LogonId. This behavior is flagged as suspicious because it deviates from typical administrative practices and can indicate unauthorized access and persistence within the network. The rule is designed to filter out common legitimate services and administrative activities, focusing on anomalies that could signify malicious intent. This detection is crucial for defenders as it can uncover attackers attempting to move laterally and establish persistent access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a network via compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker performs network reconnaissance to identify target systems for lateral movement.\u003c/li\u003e\n\u003cli\u003eUsing valid credentials or pass-the-hash techniques, the attacker authenticates to a remote Windows host over the network (e.g., SMB).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to install a new service on the remote host, potentially using tools like \u003ccode\u003esc.exe\u003c/code\u003e or PowerShell.\u003c/li\u003e\n\u003cli\u003eThe service installation event is logged with a specific LogonId that matches the earlier network logon event, indicating a relationship between the two activities.\u003c/li\u003e\n\u003cli\u003eThe newly installed service is configured to execute a malicious payload or establish a reverse shell.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the service to execute commands or deploy further malicious tools on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence and lateral movement within the network, enabling further compromise and data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using this technique can lead to widespread compromise of systems within a network. Attackers can use the newly installed service to execute arbitrary code, install malware, or move laterally to other systems. This can result in data theft, system disruption, or ransomware deployment. The impact can be significant, potentially affecting numerous systems and causing substantial financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Windows Security Event Logs with necessary auditing policies, specifically Audit Logon and Audit Security System Extension, to capture relevant logon and service installation events.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious remote service installations based on matching LogonIds from network logons.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on unusual service file paths and user accounts.\u003c/li\u003e\n\u003cli\u003eReview the list of excluded service file paths in the Sigma rules and customize them based on your environment\u0026rsquo;s known legitimate services.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for suspicious SMB activity, particularly connections originating from unusual or untrusted sources.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) to reduce the risk of credential theft and unauthorized network access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-remote-service-install/","summary":"This rule detects a network logon followed by Windows service creation with the same LogonId on a Windows host, which could indicate lateral movement or persistence by adversaries.","title":"Detecting Remote Windows Service Installation for Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-service-install/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["SCCM"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Pella Corporation","AdminArsenal","ESET","Veeam"],"content_html":"\u003cp\u003eThis detection rule identifies the remote execution of Windows services over Remote Procedure Call (RPC), a technique often employed for lateral movement within a network. The rule focuses on correlating network connections initiated by \u003ccode\u003eservices.exe\u003c/code\u003e with subsequent child process creation events. While this activity can be a legitimate function of administrators using remote management tools, it also represents a potential attack vector. The rule aims to strike a balance between detecting malicious activity and minimizing false positives arising from routine administrative tasks. The detection logic is based on identifying network connections to \u003ccode\u003eservices.exe\u003c/code\u003e followed by the creation of child processes that are not commonly associated with legitimate service management. The rule requires the use of Elastic Defend or Sysmon for adequate logging coverage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a connection to the target system\u0026rsquo;s \u003ccode\u003eservices.exe\u003c/code\u003e process over RPC using a high port (\u0026gt;= 49152).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established RPC connection to create or start a new service on the remote system.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eservices.exe\u003c/code\u003e process on the remote system spawns a child process related to the newly created or started service.\u003c/li\u003e\n\u003cli\u003eThis new process executes the attacker\u0026rsquo;s payload, potentially granting further access or executing malicious commands.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly executed service for persistent access or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could result in unauthorized access to sensitive data, disruption of critical services, or the deployment of ransomware. Lateral movement allows attackers to compromise multiple systems within the network, escalating the impact of the initial breach. Due to the nature of the technique, it can be challenging to distinguish between legitimate administrative activity and malicious actions, leading to delayed detection and increased dwell time for attackers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM and tune the filters for known-good executables in your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation (Event ID 1) and network connection (Event ID 3) logging to ensure the required data for the Sigma rules is available.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by these rules, focusing on the parent process and network connection details associated with the spawned child process.\u003c/li\u003e\n\u003cli\u003eConsider excluding known remote management tools from triggering the detection by adding exceptions based on \u003ccode\u003eprocess.executable\u003c/code\u003e or \u003ccode\u003eprocess.args\u003c/code\u003e in the Sigma rules.\u003c/li\u003e\n\u003cli\u003eMonitor the network for unusual RPC activity, especially connections to \u003ccode\u003eservices.exe\u003c/code\u003e from unexpected source IPs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-remote-service-execution/","summary":"Detection of remote execution of Windows services over RPC by correlating `services.exe` network connections and spawned child processes, potentially indicating lateral movement.","title":"Remote Execution of Windows Services via RPC","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-service-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — ESET","version":"https://jsonfeed.org/version/1.1"}