{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/google/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":6.5,"id":"CVE-2025-62157"}],"_cs_exploited":false,"_cs_products":["argo-workflows"],"_cs_severities":["high"],"_cs_tags":["argo-workflows","credential-access","kubernetes"],"_cs_type":"advisory","_cs_vendors":["Argoproj","Google","Microsoft"],"content_html":"\u003cp\u003eArgo Workflows, a Kubernetes-native workflow engine, is vulnerable to credential exposure. Specifically, versions 4.0.0 through 4.0.4 inadvertently log artifact repository credentials in plaintext during artifact operations. This includes sensitive data like S3 Access Keys, Secret Keys, Session Tokens, Server-Side Customer Keys, OSS Access Keys, Secret Keys, Security Tokens, and GCS Service Account Keys. The vulnerability stems from the logging driver passing the entire ArtifactDriver struct to the structured logger. Any user with read access to workflow pod logs can extract these credentials, creating a significant security risk. This is an incomplete fix of CVE-2025-62157.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains read access to Kubernetes pod logs within the Argo Workflows namespace. This could be achieved through compromised credentials, misconfigured RBAC policies, or other Kubernetes vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a workflow that utilizes artifact storage, such as S3 or GCS.\u003c/li\u003e\n\u003cli\u003eThe workflow executes an artifact operation (upload or download).\u003c/li\u003e\n\u003cli\u003eArgo Workflows logs the entire ArtifactDriver struct, including the plaintext credentials, into the pod logs.\u003c/li\u003e\n\u003cli\u003eThe attacker queries the pod logs using \u003ccode\u003ekubectl\u003c/code\u003e or other Kubernetes tooling. For example: \u003ccode\u003ekubectl -n argo logs \u0026quot;cred-leak-test\u0026quot; -c wait\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the plaintext credentials (e.g., S3 Access Key and Secret Key) from the log output.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted credentials to access the artifact repository (e.g., S3 bucket) and potentially steal data or perform other unauthorized actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthorized access to artifact repositories used by Argo Workflows. This can lead to data breaches, as sensitive data stored in S3 buckets, GCS buckets, or other storage solutions can be exposed. The impact is especially severe if the compromised credentials have broad permissions or if the artifact repository contains highly sensitive data. This affects Argo Workflows versions 4.0.0, 4.0.1, 4.0.2, 4.0.3, and 4.0.4.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Argo Workflows to version 4.0.5 or later to remediate the vulnerability (CVE-2026-42295).\u003c/li\u003e\n\u003cli\u003eReview and restrict Kubernetes RBAC permissions to limit access to pod logs, following the principle of least privilege.\u003c/li\u003e\n\u003cli\u003eImplement log monitoring and alerting for unusual access patterns to Kubernetes pod logs.\u003c/li\u003e\n\u003cli\u003eRotate any potentially exposed artifact repository credentials (S3 access keys, GCS service account keys, etc.) if Argo Workflows versions 4.0.0-4.0.4 were in use.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T20:12:01Z","date_published":"2026-05-04T20:12:01Z","id":"/briefs/2024-01-09-argo-cred-leak/","summary":"Argo Workflows versions 4.0.0 to 4.0.4 log artifact repository credentials in plaintext, allowing users with read access to pod logs to extract sensitive information such as S3 access keys and GCS service account keys.","title":"Argo Workflows Credentials Exposed in Pod Logs","url":"https://feed.craftedsignal.io/briefs/2024-01-09-argo-cred-leak/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Amazon Web Services"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","getcalleridentity","ec2","discovery"],"_cs_type":"advisory","_cs_vendors":["Amazon","Google","MongoDB, Inc."],"content_html":"\u003cp\u003eThis detection identifies when an EC2 instance role session calls the AWS STS GetCallerIdentity API from a source Autonomous System (AS) Organization name that has not been previously observed. The GetCallerIdentity API is often used by adversaries to validate stolen instance role credentials from infrastructure outside the victim\u0026rsquo;s normal egress points. By baselining the combination of identity and source network, the rule reduces noise associated with stable NAT or AWS-classified egress, focusing on truly novel access patterns. This detection is specifically designed to complement other rules that may detect general GetCallerIdentity calls, by excluding previously seen combinations of user identity and source AS organization.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an EC2 instance through methods like exploiting a Server-Side Request Forgery (SSRF) vulnerability, compromising application code or exploiting IMDS abuse.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the instance\u0026rsquo;s IAM role to obtain temporary AWS credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to validate the stolen credentials using the \u003ccode\u003eGetCallerIdentity\u003c/code\u003e API call.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eGetCallerIdentity\u003c/code\u003e API call originates from an IP address associated with a new and unexpected Autonomous System Organization (ASO).\u003c/li\u003e\n\u003cli\u003eThe AWS CloudTrail logs record the \u003ccode\u003eGetCallerIdentity\u003c/code\u003e event, including the user identity ARN and the source AS organization name.\u003c/li\u003e\n\u003cli\u003eThe detection rule triggers due to the new combination of user identity and source AS organization.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the validated credentials to perform reconnaissance and identify valuable resources within the AWS environment (e.g., S3 buckets, databases).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to exfiltrate sensitive data or deploy malicious workloads using the stolen credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data stored within the AWS environment. The attacker may be able to escalate privileges, compromise other resources, and disrupt services. The potential impact includes data breaches, financial loss, and reputational damage. The lack of specific victim counts or sectors targeted suggests a broad applicability across various AWS users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS EC2 Role GetCallerIdentity from New Source AS Organization\u0026rdquo; to your SIEM to detect suspicious activity.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts triggered by the Sigma rule, focusing on the \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003esource.as.organization.name\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for \u003ccode\u003eGetCallerIdentity\u003c/code\u003e API calls, particularly those originating from unfamiliar source IP addresses and ASNs.\u003c/li\u003e\n\u003cli\u003eRevoke compromised IAM role sessions by stopping the affected EC2 instances or removing the role from the instance profile.\u003c/li\u003e\n\u003cli\u003eRotate any long-lived secrets accessible by the EC2 instance, based on the \u003ccode\u003eaws.cloudtrail.user_identity.access_key_id\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T20:57:28Z","date_published":"2026-05-01T20:57:28Z","id":"/briefs/2024-01-02-aws-ec2-role-getcalleridentity/","summary":"The rule detects when an EC2 instance role session calls AWS STS GetCallerIdentity from a new source autonomous system (AS) organization name, indicating potential credential theft and verification from outside expected egress paths.","title":"AWS EC2 Role GetCallerIdentity from New Source AS Organization","url":"https://feed.craftedsignal.io/briefs/2024-01-02-aws-ec2-role-getcalleridentity/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7359"}],"_cs_exploited":false,"_cs_products":["Chrome","Edge"],"_cs_severities":["high"],"_cs_tags":["use-after-free","chromium","edge","chrome","cve-2026-7359"],"_cs_type":"advisory","_cs_vendors":["Google","Microsoft"],"content_html":"\u003cp\u003eCVE-2026-7359 describes a use-after-free vulnerability present in ANGLE (Almost Native Graphics Layer Engine), a crucial component of the Chromium open-source project. This vulnerability impacts applications that utilize the Chromium engine, most notably Google Chrome and Microsoft Edge. While the provided source does not give specific exploitation details, use-after-free vulnerabilities can allow for arbitrary code execution. Google Chrome has already addressed this vulnerability, and Microsoft Edge has incorporated the fix from Chromium. This vulnerability matters to defenders because successful exploitation could lead to compromise of the browser and potentially the underlying system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious web page containing JavaScript code that leverages a flaw in ANGLE\u0026rsquo;s memory management.\u003c/li\u003e\n\u003cli\u003eA user visits the malicious web page through Chrome or Edge.\u003c/li\u003e\n\u003cli\u003eThe JavaScript code triggers the use-after-free vulnerability by freeing a memory object in ANGLE and then attempting to access it again.\u003c/li\u003e\n\u003cli\u003eThis memory corruption leads to a controlled crash or allows the attacker to overwrite memory with arbitrary data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the memory overwrite to inject malicious code into the browser process.\u003c/li\u003e\n\u003cli\u003eThe injected code executes within the context of the browser, granting the attacker access to user data, cookies, and other sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker may then use this access to perform actions on behalf of the user, such as stealing credentials, installing malware, or spreading the attack to other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the user\u0026rsquo;s system, potentially leading to full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploit of CVE-2026-7359 could allow an attacker to execute arbitrary code within the context of the affected browser (Chrome or Edge). This can lead to sensitive information disclosure, data theft, and potentially full system compromise. The scope of impact is broad, affecting any user who visits a malicious webpage while using a vulnerable version of Chrome or Edge. Since Chrome and Edge are widely used, this vulnerability poses a significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious WebGL Usage\u003c/code\u003e to identify potential exploitation attempts targeting ANGLE via WebGL.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests (cs-uri-query) that may be related to the exploitation of CVE-2026-7359.\u003c/li\u003e\n\u003cli\u003eEnsure that all Chrome and Edge installations are updated to the latest versions to patch CVE-2026-7359.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T02:21:40Z","date_published":"2026-05-01T02:21:40Z","id":"/briefs/2026-05-chromium-use-after-free/","summary":"A use-after-free vulnerability in the ANGLE graphics engine within Chromium (CVE-2026-7359) allows for potential exploitation in Google Chrome and Microsoft Edge.","title":"Chromium Use-After-Free Vulnerability in ANGLE (CVE-2026-7359)","url":"https://feed.craftedsignal.io/briefs/2026-05-chromium-use-after-free/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7339"}],"_cs_exploited":false,"_cs_products":["Chrome","Edge"],"_cs_severities":["critical"],"_cs_tags":["webrtc","heap-overflow","code-execution","cve-2026-7339"],"_cs_type":"advisory","_cs_vendors":["Google","Microsoft"],"content_html":"\u003cp\u003eCVE-2026-7339 is a critical heap buffer overflow vulnerability affecting the WebRTC (Web Real-Time Communication) component in Google Chrome and Microsoft Edge (Chromium-based). This vulnerability stems from improper memory management within WebRTC, potentially allowing a remote attacker to execute arbitrary code by crafting malicious web content. As Microsoft Edge ingests Chromium, it is also vulnerable. Users of Chrome and Edge are affected. Defenders should apply available patches promptly to mitigate potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious website designed to trigger the WebRTC vulnerability.\u003c/li\u003e\n\u003cli\u003eThe victim visits the malicious website using a vulnerable version of Chrome or Edge.\u003c/li\u003e\n\u003cli\u003eThe website uses JavaScript to initiate a WebRTC session.\u003c/li\u003e\n\u003cli\u003eThe crafted WebRTC data triggers a heap buffer overflow during memory allocation within the WebRTC component.\u003c/li\u003e\n\u003cli\u003eThe overflow overwrites adjacent memory regions on the heap.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully crafts the overflow data to overwrite critical program data or function pointers.\u003c/li\u003e\n\u003cli\u003eThe corrupted data leads to arbitrary code execution within the context of the browser process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the user\u0026rsquo;s browser and potentially the underlying system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7339 can lead to arbitrary code execution, allowing an attacker to potentially install malware, steal sensitive information, or take control of the affected system. Given the widespread use of Chrome and Edge, this vulnerability could impact a large number of users across various sectors, including individuals, businesses, and government organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security updates for Google Chrome and Microsoft Edge (Chromium-based) to patch CVE-2026-7339.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect WebRTC Heap Overflow Attempt\u0026rdquo; to identify potential exploitation attempts targeting CVE-2026-7339.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual requests or patterns associated with WebRTC usage that could indicate exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T02:21:27Z","date_published":"2026-05-01T02:21:27Z","id":"/briefs/2026-05-chromium-webrtc-overflow/","summary":"A heap buffer overflow vulnerability exists in the WebRTC component of Google Chrome and Microsoft Edge (Chromium-based), potentially leading to code execution.","title":"CVE-2026-7339: Heap Buffer Overflow in WebRTC","url":"https://feed.craftedsignal.io/briefs/2026-05-chromium-webrtc-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7355"}],"_cs_exploited":false,"_cs_products":["Chrome","Edge"],"_cs_severities":["high"],"_cs_tags":["use-after-free","chromium","cve-2026-7355","browser"],"_cs_type":"advisory","_cs_vendors":["Google","Microsoft"],"content_html":"\u003cp\u003eCVE-2026-7355 is a critical use-after-free vulnerability residing in the Media component of the Chromium browser engine. This vulnerability affects Google Chrome and Microsoft Edge, as Edge incorporates Chromium. A use-after-free vulnerability occurs when an application attempts to use memory after it has been freed, which can lead to crashes, arbitrary code execution, or other unexpected behavior. Successful exploitation could allow an attacker to execute arbitrary code within the context of the browser. This vulnerability was reported and patched by the Chromium project.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious webpage containing specially crafted media content.\u003c/li\u003e\n\u003cli\u003eA user opens the malicious webpage in a vulnerable version of Chrome or Edge.\u003c/li\u003e\n\u003cli\u003eThe browser attempts to process the malicious media content, triggering the use-after-free vulnerability in the Media component.\u003c/li\u003e\n\u003cli\u003eThe vulnerable code attempts to access a freed memory region.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the memory region due to the use-after-free condition.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into the controlled memory region.\u003c/li\u003e\n\u003cli\u003eThe browser executes the attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution within the context of the browser process, potentially leading to system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7355 can lead to arbitrary code execution within the context of the browser process. An attacker could potentially gain control of the user\u0026rsquo;s system, steal sensitive information, or install malware. Given the widespread use of Chrome and Edge, a successful exploit could impact a large number of users across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security updates for Google Chrome and Microsoft Edge to patch CVE-2026-7355.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Chromium Use-After-Free in Media Component\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging to capture events related to potential exploitation attempts, facilitating detection rule functionality.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T02:21:27Z","date_published":"2026-05-01T02:21:27Z","id":"/briefs/2026-05-chromium-uaf/","summary":"CVE-2026-7355 is a use-after-free vulnerability in the Media component of Chromium, affecting Google Chrome and Microsoft Edge, potentially allowing for arbitrary code execution.","title":"Chromium Use-After-Free Vulnerability in Media Component (CVE-2026-7355)","url":"https://feed.craftedsignal.io/briefs/2026-05-chromium-uaf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-7357"}],"_cs_exploited":false,"_cs_products":["Chrome","Edge"],"_cs_severities":["critical"],"_cs_tags":["use-after-free","chromium","edge","chrome"],"_cs_type":"advisory","_cs_vendors":["Google","Microsoft"],"content_html":"\u003cp\u003eCVE-2026-7357 is a critical use-after-free vulnerability residing within the GPU component of the Chromium rendering engine. This flaw directly impacts Google Chrome and, due to Microsoft Edge\u0026rsquo;s reliance on Chromium, also affects Edge users. A remote attacker could potentially exploit this vulnerability to execute arbitrary code on a targeted system. The vulnerability stems from improper memory management within the GPU processing routines. While the specific exploitation details are not provided in this brief, successful exploitation generally involves crafting malicious web content to trigger the vulnerability during GPU operations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious HTML page containing JavaScript that triggers specific GPU functions.\u003c/li\u003e\n\u003cli\u003eUser visits the malicious website using Chrome or Edge.\u003c/li\u003e\n\u003cli\u003eThe browser\u0026rsquo;s rendering engine processes the malicious JavaScript, leading to the allocation and subsequent freeing of a memory region in the GPU component.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s JavaScript code then attempts to access the previously freed memory region, triggering the use-after-free vulnerability.\u003c/li\u003e\n\u003cli\u003eBy manipulating the memory layout, the attacker can overwrite the freed memory with controlled data.\u003c/li\u003e\n\u003cli\u003eThe overwritten memory is later accessed by the GPU, leading to the execution of attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution within the context of the browser process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the code execution to escalate privileges or perform other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7357 can lead to arbitrary code execution on the victim\u0026rsquo;s machine. The attacker could potentially install malware, steal sensitive data, or take control of the affected system. Given the widespread use of Chrome and Edge, this vulnerability poses a significant risk to a large number of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security updates for Google Chrome to address CVE-2026-7357.\u003c/li\u003e\n\u003cli\u003eApply the latest security updates for Microsoft Edge to address CVE-2026-7357.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious WebAssembly Execution\u0026rdquo; to identify potential exploitation attempts involving WebAssembly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T02:21:27Z","date_published":"2026-05-01T02:21:27Z","id":"/briefs/2024-01-chromium-use-after-free/","summary":"CVE-2026-7357 is a use-after-free vulnerability in the GPU component of Chromium that also affects Microsoft Edge, potentially leading to arbitrary code execution.","title":"Chromium Use-After-Free Vulnerability in GPU Component (CVE-2026-7357)","url":"https://feed.craftedsignal.io/briefs/2024-01-chromium-use-after-free/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.6,"id":"CVE-2026-7333"}],"_cs_exploited":false,"_cs_products":["Chrome","Edge"],"_cs_severities":["critical"],"_cs_tags":["use-after-free","chromium","gpu","cve-2026-7333","remote code execution"],"_cs_type":"threat","_cs_vendors":["Google","Microsoft"],"content_html":"\u003cp\u003eCVE-2026-7333 is a critical use-after-free vulnerability residing in the GPU component of the Chromium browser engine. This flaw allows an attacker to potentially corrupt memory and execute arbitrary code in the context of the browser process. As Microsoft Edge is built upon the Chromium engine, it is also susceptible to this vulnerability. Public details are limited, but exploitation likely involves crafting malicious web content that triggers the use-after-free condition within the GPU processing routines. This vulnerability poses a significant threat as it could allow attackers to compromise user systems simply by visiting a malicious website.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious HTML page containing JavaScript that interacts with the GPU functionality of the browser.\u003c/li\u003e\n\u003cli\u003eThe user visits the malicious page via a phishing email or drive-by download.\u003c/li\u003e\n\u003cli\u003eThe JavaScript code triggers the use-after-free vulnerability in the Chromium GPU component.\u003c/li\u003e\n\u003cli\u003eThe vulnerability allows the attacker to corrupt memory allocated for GPU processing.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates memory to gain control of program execution.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into the browser process.\u003c/li\u003e\n\u003cli\u003eThe injected code executes with the privileges of the browser process, allowing the attacker to perform actions such as stealing cookies, credentials, or installing malware.\u003c/li\u003e\n\u003cli\u003eThe attacker gains persistent access to the compromised system and exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploitation of CVE-2026-7333 could allow an attacker to execute arbitrary code on a user\u0026rsquo;s system. This could lead to the theft of sensitive information, installation of malware, or complete system compromise. Given the widespread use of Chromium-based browsers such as Chrome and Edge, this vulnerability has the potential to affect millions of users. The impact is considered critical due to the ease of exploitation and the potential for widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security updates for Google Chrome and Microsoft Edge to patch CVE-2026-7333.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious GPU Process Creation\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments to detect suspicious processes spawned by the browser (logsource: process_creation).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T02:21:27Z","date_published":"2026-05-01T02:21:27Z","id":"/briefs/2024-01-03-chromium-use-after-free/","summary":"CVE-2026-7333 is a use-after-free vulnerability in the GPU component of Chromium, affecting Google Chrome and Microsoft Edge, potentially leading to arbitrary code execution.","title":"Chromium Use-After-Free Vulnerability in GPU Component (CVE-2026-7333)","url":"https://feed.craftedsignal.io/briefs/2024-01-03-chromium-use-after-free/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7348"}],"_cs_exploited":false,"_cs_products":["Chrome","Edge"],"_cs_severities":["critical"],"_cs_tags":["use-after-free","vulnerability","browser"],"_cs_type":"advisory","_cs_vendors":["Google","Microsoft"],"content_html":"\u003cp\u003eCVE-2026-7348 is a critical use-after-free vulnerability residing within the Codecs component of the Chromium browser engine. This vulnerability affects applications that utilize the Chromium engine, most notably Google Chrome and Microsoft Edge. While the specific details of the vulnerability are documented in Google Chrome Releases, the underlying issue stems from improper memory management within the Codecs library. Successful exploitation could allow an attacker to execute arbitrary code within the context of the affected browser, potentially leading to data theft, system compromise, or other malicious activities. This vulnerability requires immediate attention from organizations utilizing Chrome or Edge.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious web page containing specially crafted media content designed to trigger the use-after-free condition in the Codecs library.\u003c/li\u003e\n\u003cli\u003eThe user visits the malicious web page using Google Chrome or Microsoft Edge.\u003c/li\u003e\n\u003cli\u003eThe browser attempts to process the malicious media content, triggering the vulnerable code path within the Codecs library.\u003c/li\u003e\n\u003cli\u003eThe use-after-free condition is triggered when the browser attempts to access memory that has already been freed.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the use-after-free condition to corrupt memory and gain control of program execution.\u003c/li\u003e\n\u003cli\u003eThe attacker injects and executes arbitrary code within the context of the browser process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data, such as cookies, credentials, or browsing history.\u003c/li\u003e\n\u003cli\u003eThe attacker potentially escalates privileges or installs malware on the user\u0026rsquo;s system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7348 allows an attacker to execute arbitrary code within the context of the affected browser (Chrome or Edge). This can lead to sensitive information disclosure, such as credentials or browsing history. The attacker could potentially gain full control of the user\u0026rsquo;s system. Given the widespread use of Chromium-based browsers, a successful exploit could impact a significant number of users across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Google Chrome to the latest version that addresses this vulnerability; refer to \u003ca href=\"https://chromereleases.googleblog.com/2025\"\u003eGoogle Chrome Releases\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eEnsure Microsoft Edge is updated to the latest version incorporating the Chromium security patch.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Chromium Codecs Use-After-Free Exploit Attempt\u0026rdquo; to identify potential exploitation attempts via webserver logs.\u003c/li\u003e\n\u003cli\u003eEnable webserver logging to capture HTTP requests, which is required for the provided Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T02:21:27Z","date_published":"2026-05-01T02:21:27Z","id":"/briefs/2024-01-chromium-cve-2026-7348/","summary":"CVE-2026-7348 is a use-after-free vulnerability in the Codecs component of Chromium, affecting Google Chrome and Microsoft Edge.","title":"Chromium Use-After-Free Vulnerability in Codecs (CVE-2026-7348)","url":"https://feed.craftedsignal.io/briefs/2024-01-chromium-cve-2026-7348/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-7349"}],"_cs_exploited":false,"_cs_products":["Chrome","Edge"],"_cs_severities":["high"],"_cs_tags":["use-after-free","browser","chromium"],"_cs_type":"advisory","_cs_vendors":["Google","Microsoft"],"content_html":"\u003cp\u003eCVE-2026-7349 is a use-after-free vulnerability found in the Cast component of the Chromium browser engine. This vulnerability affects Google Chrome and, by extension, Microsoft Edge, as Edge is built upon Chromium. Use-after-free vulnerabilities can allow an attacker to execute arbitrary code or cause a denial-of-service. While the original report comes from Chrome, the nature of Chromium\u0026rsquo;s shared codebase means that other Chromium-based browsers are also vulnerable. Successful exploitation of this vulnerability could lead to code execution within the context of the browser process. Defenders need to prioritize patching and monitoring for unusual browser behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious webpage designed to trigger the use-after-free vulnerability in the Cast component.\u003c/li\u003e\n\u003cli\u003eThe user visits the malicious webpage using a vulnerable version of Chrome or Edge.\u003c/li\u003e\n\u003cli\u003eThe Cast component attempts to access a freed memory location.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the use-after-free condition to corrupt memory.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites a function pointer or other critical data structure in memory.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the execution of the corrupted function pointer or data structure.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution within the context of the browser process.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially escalate privileges or perform other malicious activities, such as installing malware or stealing sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7349 could allow an attacker to execute arbitrary code within the context of the browser, potentially leading to data theft, malware installation, or further system compromise. Given the widespread use of Chrome and Edge, this vulnerability has a significant impact. The specific number of potential victims is dependent on the speed of patching, but could potentially affect millions of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security updates for Google Chrome and Microsoft Edge to patch CVE-2026-7349.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor browser process execution for unexpected code loading or memory access patterns using process creation logs.\u003c/li\u003e\n\u003cli\u003eImplement memory protection techniques such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to mitigate the impact of successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T02:21:27Z","date_published":"2026-05-01T02:21:27Z","id":"/briefs/2024-01-chrome-cve-2026-7349/","summary":"CVE-2026-7349 is a use-after-free vulnerability in the Cast component of Chromium, affecting Google Chrome and Microsoft Edge.","title":"Chromium Use-After-Free Vulnerability in Cast (CVE-2026-7349)","url":"https://feed.craftedsignal.io/briefs/2024-01-chrome-cve-2026-7349/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-7338"}],"_cs_exploited":false,"_cs_products":["Chrome","Edge"],"_cs_severities":["critical"],"_cs_tags":["use-after-free","chrome","edge","cve-2026-7338","remote code execution"],"_cs_type":"advisory","_cs_vendors":["Google","Microsoft"],"content_html":"\u003cp\u003eCVE-2026-7338 is a critical use-after-free vulnerability residing within the Cast component of the Chromium browser engine. Google Chrome and Microsoft Edge (Chromium-based) are both affected by this flaw. While the provided source does not specify the exact vulnerable versions, it indicates that Microsoft Edge ingests Chromium, and thus is affected by vulnerabilities addressed in Chromium releases. Successful exploitation of this vulnerability could lead to arbitrary code execution in the context of the user running the browser. This poses a significant risk, as attackers could potentially gain control of the user\u0026rsquo;s system. Defenders should prioritize patching affected browsers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious webpage or injects malicious code into a legitimate website that utilizes the Cast functionality.\u003c/li\u003e\n\u003cli\u003eThe victim visits the malicious website or interacts with the compromised legitimate website using an affected browser (Chrome or Edge).\u003c/li\u003e\n\u003cli\u003eThe malicious webpage triggers the use-after-free vulnerability in the Cast component.\u003c/li\u003e\n\u003cli\u003eThe vulnerability allows the attacker to access memory that has already been freed.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites the freed memory with attacker-controlled data.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the memory layout to redirect program execution.\u003c/li\u003e\n\u003cli\u003eThe browser attempts to execute code from the attacker-controlled memory location.\u003c/li\u003e\n\u003cli\u003eThis results in arbitrary code execution within the context of the browser process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7338 allows an attacker to execute arbitrary code on a victim\u0026rsquo;s machine. This can lead to complete system compromise, data theft, installation of malware, or other malicious activities. Given the widespread use of Chromium-based browsers like Chrome and Edge, this vulnerability has the potential to impact a large number of users across various sectors. The severity is critical due to the potential for remote code execution.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security updates for Google Chrome to address CVE-2026-7338 as detailed in Google Chrome Releases.\u003c/li\u003e\n\u003cli\u003eApply the latest security updates for Microsoft Edge (Chromium-based) to address CVE-2026-7338, ensuring the ingested Chromium version contains the fix.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts targeting the Cast component.\u003c/li\u003e\n\u003cli\u003eEnable enhanced browser security features, such as sandboxing and site isolation, to limit the impact of potential exploits.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T02:21:27Z","date_published":"2026-05-01T02:21:27Z","id":"/briefs/2024-01-chromium-cve-2026-7338/","summary":"CVE-2026-7338 is a use-after-free vulnerability in the Cast component of Chromium, affecting Google Chrome and Microsoft Edge, potentially leading to arbitrary code execution.","title":"Chromium Use-After-Free Vulnerability in Cast (CVE-2026-7338)","url":"https://feed.craftedsignal.io/briefs/2024-01-chromium-cve-2026-7338/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-7353"}],"_cs_exploited":false,"_cs_products":["Chrome","Edge"],"_cs_severities":["critical"],"_cs_tags":["heap overflow","chromium","cve-2026-7353"],"_cs_type":"advisory","_cs_vendors":["Google","Microsoft"],"content_html":"\u003cp\u003eCVE-2026-7353 is a critical heap buffer overflow vulnerability residing within the Skia graphics library, a core component of the Chromium open-source project. This vulnerability impacts applications that utilize Chromium, including Google Chrome and Microsoft Edge. While the specific details of exploitation are not provided in this brief, the nature of a heap buffer overflow suggests a high potential for arbitrary code execution. Successful exploitation could allow an attacker to gain control of the affected browser process. Given the widespread use of Chromium-based browsers, this vulnerability poses a significant risk to a large user base. Defenders should prioritize patching and consider implementing mitigations to detect and prevent potential exploitation attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious web page or injects malicious content into a trusted website.\u003c/li\u003e\n\u003cli\u003eThe victim visits the malicious web page or interacts with the injected content using a Chromium-based browser (Chrome or Edge).\u003c/li\u003e\n\u003cli\u003eThe browser\u0026rsquo;s rendering engine, utilizing the Skia library, processes the malicious content, triggering the heap buffer overflow in Skia.\u003c/li\u003e\n\u003cli\u003eThe overflow allows the attacker to overwrite adjacent memory regions in the heap.\u003c/li\u003e\n\u003cli\u003eBy carefully crafting the overflowed data, the attacker can overwrite critical data structures within the browser process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the execution flow by overwriting function pointers or other control data.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code within the context of the browser process.\u003c/li\u003e\n\u003cli\u003eThe attacker could then perform actions such as installing malware, stealing sensitive data, or further compromising the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7353 allows for arbitrary code execution within the context of the affected browser process. This can lead to a complete compromise of the user\u0026rsquo;s browser session, potentially enabling the attacker to steal credentials, inject malicious code into other websites, or install malware on the victim\u0026rsquo;s system. Given the widespread use of Chrome and Edge, the potential impact is significant, affecting potentially millions of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security updates for Google Chrome and Microsoft Edge to patch CVE-2026-7353.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect potential exploitation attempts based on suspicious process execution originating from the browser (see \u0026ldquo;Detect Suspicious Process Creation from Browser\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eEnable enhanced browser security features such as site isolation to mitigate the impact of successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T02:21:27Z","date_published":"2026-05-01T02:21:27Z","id":"/briefs/2026-05-chromium-heap-overflow/","summary":"CVE-2026-7353 is a heap buffer overflow vulnerability in the Skia graphics library used by Chromium, affecting both Google Chrome and Microsoft Edge.","title":"Chromium Heap Buffer Overflow Vulnerability (CVE-2026-7353)","url":"https://feed.craftedsignal.io/briefs/2026-05-chromium-heap-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.6,"id":"CVE-2026-6296"},{"cvss":8.3,"id":"CVE-2026-6297"},{"cvss":4.3,"id":"CVE-2026-6298"},{"cvss":8.8,"id":"CVE-2026-6299"},{"cvss":8.8,"id":"CVE-2026-6300"}],"_cs_exploited":false,"_cs_products":["Chrome"],"_cs_severities":["high"],"_cs_tags":["chrome","vulnerability","code-execution","defense-evasion","information-disclosure","denial-of-service"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eMultiple unspecified vulnerabilities have been identified in Google Chrome. An attacker exploiting these vulnerabilities could potentially execute arbitrary code, circumvent security measures, expose and manipulate sensitive information, and trigger a denial-of-service condition. The specifics of these vulnerabilities, including CVE identifiers, are not detailed in the source document. The lack of detail makes it difficult to determine the scope of the attack, but successful exploitation could lead to significant compromise of systems running Chrome. Defenders should prioritize monitoring for suspicious activity within Chrome processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable version of Google Chrome.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious web page or injects malicious code into a legitimate website.\u003c/li\u003e\n\u003cli\u003eA user visits the malicious web page or a compromised legitimate website using Google Chrome.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a vulnerability in Chrome, such as a use-after-free or buffer overflow.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation allows the attacker to execute arbitrary code within the context of the Chrome process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the code execution to bypass security mechanisms like sandboxing.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive data, such as cookies, browsing history, or credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates data or causes a denial-of-service condition by crashing the browser or consuming excessive resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, bypass security mechanisms, disclose and manipulate data, and cause a denial-of-service condition. The impact ranges from data theft and credential compromise to complete system takeover, depending on the specific vulnerability and the attacker\u0026rsquo;s objectives. While the exact number of potential victims is unknown, the widespread use of Chrome makes this a high-impact threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for suspicious child processes spawned by chrome.exe, especially those involving command-line interpreters or scripting engines. Use the \u0026ldquo;Detect Suspicious Child Process of Chrome\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eInspect network connections originating from chrome.exe for unusual destinations or protocols. Deploy the \u0026ldquo;Detect Outbound Connection from Chrome without User Interaction\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement web content filtering to block access to known malicious websites that might attempt to exploit Chrome vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T09:09:14Z","date_published":"2026-04-30T09:09:14Z","id":"/briefs/2026-05-chrome-vulns/","summary":"Multiple vulnerabilities in Google Chrome could allow an attacker to execute arbitrary code, bypass security mechanisms, disclose and manipulate data, and cause a denial-of-service condition.","title":"Multiple Vulnerabilities in Google Chrome","url":"https://feed.craftedsignal.io/briefs/2026-05-chrome-vulns/"},{"_cs_actors":["UNC6692"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Teams","Chromium"],"_cs_severities":["high"],"_cs_tags":["social-engineering","malware","cloud-abuse","credential-theft","lateral-movement"],"_cs_type":"threat","_cs_vendors":["Microsoft","Google","Amazon"],"content_html":"\u003cp\u003eUNC6692 is a newly tracked, financially motivated threat group that employs a multi-stage intrusion campaign combining persistent social engineering and custom modular malware. The actor begins by flooding a target\u0026rsquo;s email inbox before contacting them via Microsoft Teams, posing as help desk personnel to resolve the issue. This leads to a phishing attack where victims are tricked into downloading and executing malicious payloads. UNC6692 abuses legitimate cloud infrastructure, specifically AWS S3 buckets, for payload delivery, command and control (C2), and data exfiltration, allowing them to bypass traditional network reputation filters. The group\u0026rsquo;s operations are focused on gaining access and stealing credentials for further actions, ultimately aiming to exfiltrate data of interest from compromised systems. The initial campaign was observed in late December.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker floods a target\u0026rsquo;s email inbox to create a sense of urgency.\u003c/li\u003e\n\u003cli\u003eThe attacker contacts the target via Microsoft Teams, impersonating help desk personnel.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a phishing link via Teams, promising a local patch to fix the email spamming issue.\u003c/li\u003e\n\u003cli\u003eThe target clicks the link, which downloads a renamed AutoHotKey binary and an AutoHotkey script from a threat actor-controlled AWS S3 bucket.\u003c/li\u003e\n\u003cli\u003eExecution of the AutoHotKey binary automatically runs the script, initiating reconnaissance commands and installing the SNOWBELT malicious Chromium browser extension.\u003c/li\u003e\n\u003cli\u003eSNOWBELT facilitates the download of additional tools, including the Snowglaze Python tunneler, the Snowbasin Python bindshell (used as a persistent backdoor), additional AutoHotkey scripts, and a portable Python executable with required libraries.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a Python script to scan the local network for ports 135, 445, and 3389 and enumerate local administrator accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a local administrator account to initiate an RDP session via Snowglaze from the compromised system to a backup server, then dumps LSASS process memory and uses pass-the-hash to move laterally to the domain controller.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe UNC6692 attack leads to the compromise of targeted systems, credential theft, and potential data exfiltration. If successful, the attacker gains control over the domain controller, allowing them to access sensitive information and potentially cause significant damage to the organization. The abuse of AWS S3 buckets allows the threat actor to blend in with legitimate cloud traffic, making detection more difficult. The financial motivation suggests that stolen credentials and data could be used for further malicious activities, such as ransomware attacks or sale on the dark web.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for AutoHotKey execution, especially when associated with downloads from unusual locations like AWS S3 buckets, to detect initial payload execution (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect unusual RDP connections initiated from compromised systems to internal servers, as this is a key lateral movement technique used by UNC6692 (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eMonitor for the installation of new Chromium extensions, especially those not distributed through the Chrome Web Store, as this is how the SNOWBELT malware is deployed.\u003c/li\u003e\n\u003cli\u003eMonitor for the use of Python scripts to scan the local network for open ports (135, 445, 3389) and enumerate local administrator accounts.\u003c/li\u003e\n\u003cli\u003eInvestigate any Microsoft Teams messages delivering links that promise to fix technical problems, as this is the initial social engineering tactic used by UNC6692.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T14:00:00Z","date_published":"2026-04-28T14:00:00Z","id":"/briefs/2026-04-unc6692-social-engineering/","summary":"UNC6692 is a newly discovered, financially motivated threat actor that combines social engineering via Microsoft Teams, custom malware named SNOWBELT, and abuse of legitimate AWS S3 cloud infrastructure in its attack campaigns to steal credentials and prepare for data exfiltration.","title":"UNC6692 Combines Social Engineering, Malware, and Cloud Abuse","url":"https://feed.craftedsignal.io/briefs/2026-04-unc6692-social-engineering/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Google Workspace"],"_cs_severities":["medium"],"_cs_tags":["googleworkspace","intrusion","initial-access","persistence","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis alert focuses on identifying potentially malicious login attempts within Google Workspace environments. The detection is based on Google\u0026rsquo;s own flagging of a login as a potential \u0026ldquo;gov_attack_warning,\u0026rdquo; suggesting that Google\u0026rsquo;s threat intelligence attributes the activity to a government-backed actor. While specific targeting information is unavailable, this alert highlights a critical area for investigation within organizations utilizing Google Workspace, especially those handling sensitive data or operating in sectors of interest to nation-state actors. This detection provides an early warning of potential compromise or data exfiltration attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker attempts to log into a Google Workspace account using compromised or brute-forced credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLogin Attempt:\u003c/strong\u003e The login attempt triggers a \u0026ldquo;gov_attack_warning\u0026rdquo; within Google Workspace, indicating a potential government-backed threat actor.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Potential):\u003c/strong\u003e If the compromised account has elevated privileges, the attacker may attempt to escalate privileges within the Google Workspace environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion (Potential):\u003c/strong\u003e The attacker may attempt to disable security features or modify audit logs to evade detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Potential):\u003c/strong\u003e The attacker may establish persistent access through methods such as creating rogue apps or modifying account settings.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Access:\u003c/strong\u003e The attacker gains access to sensitive data stored within Google Workspace, such as documents, emails, and files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration (Potential):\u003c/strong\u003e The attacker exfiltrates the stolen data to an external location.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The organization suffers a data breach, reputational damage, and potential financial losses.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to the compromise of sensitive data within the Google Workspace environment, including confidential documents, emails, and other business-critical information. The potential consequences range from reputational damage and legal liabilities to financial losses and disruption of business operations. The number of affected users and the severity of the impact will depend on the scope of the attacker\u0026rsquo;s access and the sensitivity of the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u0026ldquo;gov_attack_warning\u0026rdquo; events in Google Workspace logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any triggered alerts promptly, focusing on the affected user account and associated activity.\u003c/li\u003e\n\u003cli\u003eReview the Google Workspace audit logs for any suspicious activity leading up to the \u0026ldquo;gov_attack_warning\u0026rdquo; event.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Google Workspace accounts, especially those with elevated privileges.\u003c/li\u003e\n\u003cli\u003eMonitor Google Workspace activity logs for suspicious patterns, such as unusual login locations, failed login attempts, and changes to account settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T00:48:14Z","date_published":"2026-04-28T00:48:14Z","id":"/briefs/2024-01-23-gworkspace-govattack/","summary":"A Google Workspace login attempt flagged as a potential attack by a government-backed threat actor, indicating potential privilege escalation, defense evasion, persistence, initial access, or impact.","title":"Google Workspace Login Attempt with Government Attack Warning","url":"https://feed.craftedsignal.io/briefs/2024-01-23-gworkspace-govattack/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Gemini CLI","run-gemini-cli GitHub Action"],"_cs_severities":["critical"],"_cs_tags":["rce","supply-chain","github-actions"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eGemini CLI (\u003ccode\u003e@google/gemini-cli\u003c/code\u003e) versions prior to 0.39.1 and version 0.40.0-preview.2, along with the \u003ccode\u003erun-gemini-cli\u003c/code\u003e GitHub Action versions prior to 0.1.22, are susceptible to remote code execution due to insecure workspace trust handling and tool allowlisting bypasses. The vulnerability arises from the automatic trust of workspace folders in headless mode, allowing malicious environment variables within the \u003ccode\u003e.gemini/\u003c/code\u003e directory to be exploited. Furthermore, in \u003ccode\u003e--yolo\u003c/code\u003e mode, the tool allowlist was previously ignored, enabling prompt injection and code execution via commands like \u003ccode\u003erun_shell_command\u003c/code\u003e. This poses a risk, especially in CI/CD environments that process untrusted inputs such as pull requests. The patched version 0.39.1 enforces explicit folder trust in headless mode and properly evaluates tool allowlists under \u003ccode\u003e--yolo\u003c/code\u003e, mitigating these risks. This impacts all Gemini CLI GitHub Actions and requires users to review their workflows.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker submits a malicious pull request to a repository using Gemini CLI in a GitHub Actions workflow.\u003c/li\u003e\n\u003cli\u003eThe workflow, running in headless mode, automatically trusts the workspace folder (versions prior to 0.39.1).\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s pull request includes a crafted \u003ccode\u003e.gemini/\u003c/code\u003e directory containing malicious environment variables.\u003c/li\u003e\n\u003cli\u003eGemini CLI loads the malicious environment variables, leading to code execution.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker injects a malicious prompt leveraging \u003ccode\u003erun_shell_command\u003c/code\u003e when \u003ccode\u003e--yolo\u003c/code\u003e is used.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erun_shell_command\u003c/code\u003e executes arbitrary commands on the runner due to the bypassed tool allowlist (versions prior to 0.39.1).\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the CI/CD runner, potentially exfiltrating secrets or injecting malicious code into the deployment pipeline.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation leads to code execution on the CI/CD runner, data exfiltration, or supply chain compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability impacts workflows utilizing Gemini CLI in headless mode, particularly those processing untrusted inputs such as pull requests from external contributors. Successful exploitation can lead to remote code execution on the CI/CD runner, potentially enabling attackers to exfiltrate sensitive information, such as API keys and credentials, or inject malicious code into the application deployment pipeline. This can lead to a supply chain compromise. All Gemini CLI GitHub Actions are affected, requiring users to review and update their workflows.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003e@google/gemini-cli\u003c/code\u003e to version 0.39.1 or later, or 0.40.0-preview.3 if using a preview version.\u003c/li\u003e\n\u003cli\u003eUpgrade \u003ccode\u003eactions/google-github-actions/run-gemini-cli\u003c/code\u003e to version 0.1.22 or later.\u003c/li\u003e\n\u003cli\u003eFor workflows running on trusted inputs, set \u003ccode\u003eGEMINI_TRUST_WORKSPACE: 'true'\u003c/code\u003e in the GitHub Actions workflow.\u003c/li\u003e\n\u003cli\u003eFor workflows processing untrusted inputs, review the hardening guidance in \u003ca href=\"https://github.com/google-github-actions/run-gemini-cli\"\u003egoogle-github-actions/run-gemini-cli\u003c/a\u003e and set the environment variable accordingly.\u003c/li\u003e\n\u003cli\u003eReview and harden tool allowlists in \u003ccode\u003e~/.gemini/settings.json\u003c/code\u003e to restrict the commands that can be executed, especially when using the \u003ccode\u003e--yolo\u003c/code\u003e flag.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T19:30:01Z","date_published":"2026-04-24T19:30:01Z","id":"/briefs/2026-04-gemini-cli-rce/","summary":"Gemini CLI is vulnerable to remote code execution via workspace trust and tool allowlisting bypasses, impacting headless mode and GitHub Actions workflows.","title":"Gemini CLI Remote Code Execution via Workspace Trust and Tool Allowlisting Bypasses","url":"https://feed.craftedsignal.io/briefs/2026-04-gemini-cli-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS IAM","GitHub Actions"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","github","credential-theft","initial-access","lateral-movement"],"_cs_type":"advisory","_cs_vendors":["Amazon","Microsoft","Google"],"content_html":"\u003cp\u003eThis threat involves the unauthorized use of AWS credentials stolen from GitHub Actions secrets. Attackers exfiltrate these credentials and use them from their own infrastructure, bypassing the intended CI/CD environment. The activity is detected by observing AWS access keys appearing in CloudTrail logs originating from both legitimate GitHub Actions runners (identified by Microsoft ASN or the \u003ccode\u003egithub-actions\u003c/code\u003e user agent string) and suspicious infrastructure outside the expected CI/CD provider ASNs (Amazon, Google, Microsoft). This indicates a breach of GitHub repository or organization secrets, leading to potential unauthorized access and control over AWS resources. This activity can begin with compromised Github accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub repository or organization with AWS credentials stored as secrets.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the AWS access key ID and secret access key, either manually or through automated means, such as modifying a GitHub Action workflow to expose the secrets.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the stolen AWS credentials on their own infrastructure, using tools like the AWS CLI or boto3.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to AWS using the stolen credentials. This generates CloudTrail logs with the attacker\u0026rsquo;s source IP address and ASN.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance activities, such as calling \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e, \u003ccode\u003eListBuckets\u003c/code\u003e, \u003ccode\u003eDescribeInstances\u003c/code\u003e, or \u003ccode\u003eListUsers\u003c/code\u003e, to understand the AWS environment and identify potential targets.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges or move laterally within the AWS environment by exploiting the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker may create, modify, or delete AWS resources, such as EC2 instances, S3 buckets, or IAM roles, depending on the permissions associated with the stolen credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to unauthorized access to AWS resources, potentially resulting in data breaches, service disruptions, or financial losses. The impact depends on the permissions associated with the stolen AWS credentials. A single compromised credential could expose sensitive data, disrupt critical services, or allow attackers to deploy malicious infrastructure within the victim\u0026rsquo;s AWS environment. Identifying and responding to this threat quickly is vital to minimize damages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure\u0026rdquo; to your SIEM and tune for your environment to detect suspicious usage patterns.\u003c/li\u003e\n\u003cli\u003eRotate the compromised AWS access key in IAM immediately and update the corresponding GitHub repository/organization secret as described in the rule documentation.\u003c/li\u003e\n\u003cli\u003eImplement OIDC-based authentication (\u003ccode\u003eaws-actions/configure-aws-credentials\u003c/code\u003e with \u003ccode\u003erole-to-assume\u003c/code\u003e) instead of long-lived access keys as mentioned in the rule documentation.\u003c/li\u003e\n\u003cli\u003eIf using OIDC, add IP condition policies to the IAM role trust policy to restrict \u003ccode\u003eAssumeRoleWithWebIdentity\u003c/code\u003e to known GitHub runner IP ranges, based on the information in the rule documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T17:45:55Z","date_published":"2026-04-22T17:45:55Z","id":"/briefs/2024-01-aws-github-actions-credential-theft/","summary":"Attackers are stealing AWS credentials configured as GitHub Actions secrets and using them from non-CI/CD infrastructure, indicating potential credential theft and unauthorized access to AWS resources.","title":"AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-github-actions-credential-theft/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Microsoft Teams","Google Chrome","Mozilla Firefox","Opera","Cisco WebEx","Discord","WhatsApp","Zoom","Brave Browser","Slack","thunderbird.exe"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne","Microsoft","Google","Mozilla","Opera","Cisco","Discord","WhatsApp","Zoom","Brave"],"content_html":"\u003cp\u003eThis detection rule focuses on identifying suspicious child processes of communication applications such as Slack, Cisco Webex, Microsoft Teams, Discord, WhatsApp, Zoom, and Thunderbird on Windows operating systems. Attackers may attempt to masquerade as legitimate processes or exploit vulnerabilities in these applications to execute malicious code. The rule monitors for the creation of child processes by these communication apps and checks if those child processes are unexpected, untrusted, or lack a valid code signature. This detection is crucial because successful exploitation can lead to unauthorized access, data exfiltration, or further compromise of the system. The rule has been actively maintained since August 2023, with updates as recent as May 2026, indicating its relevance and ongoing refinement to address emerging threats.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser launches a communication application (e.g., Slack, Teams, Webex).\u003c/li\u003e\n\u003cli\u003eThe communication application executes a vulnerable or compromised component.\u003c/li\u003e\n\u003cli\u003eThe compromised component spawns a child process (e.g., powershell.exe, cmd.exe).\u003c/li\u003e\n\u003cli\u003eThe child process executes a malicious command or script.\u003c/li\u003e\n\u003cli\u003eThe script attempts to download additional payloads from an external source.\u003c/li\u003e\n\u003cli\u003eThe payload executes, establishing persistence through registry modification or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the system.\u003c/li\u003e\n\u003cli\u003eData exfiltration or lateral movement within the network occurs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the compromise of sensitive data, installation of malware, and potential lateral movement within the organization\u0026rsquo;s network. By exploiting communication applications, attackers can gain access to internal communications, confidential documents, and user credentials. The number of affected users and the extent of the damage depend on the compromised application and the attacker\u0026rsquo;s objectives. If successful, this attack may lead to significant financial loss, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Communication App Child Process\u003c/code\u003e to your SIEM to detect anomalous child processes spawned by communication applications and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments in Windows to ensure that the Sigma rule has the necessary data to function correctly (logsource: \u003ccode\u003eprocess_creation\u003c/code\u003e, product: \u003ccode\u003ewindows\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule and review the command line arguments of the spawned processes to identify potential malicious activity.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to restrict the execution of unauthorized applications and reduce the attack surface.\u003c/li\u003e\n\u003cli\u003eEnsure that all communication applications are updated to the latest versions to patch known vulnerabilities and reduce the risk of exploitation.\u003c/li\u003e\n\u003cli\u003eExamine the network activity of the affected system to identify any suspicious outbound connections that may indicate data exfiltration or communication with a command and control server, referencing the setup guide.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-31T12:00:00Z","date_published":"2024-01-31T12:00:00Z","id":"/briefs/2024-01-suspicious-comm-app-child-process/","summary":"The detection rule identifies suspicious child processes spawned from communication applications on Windows systems, potentially indicating masquerading or exploitation of vulnerabilities within these applications.","title":"Suspicious Child Processes from Communication Applications","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-comm-app-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["aws","cloudtrail","initial-access","credential-access"],"_cs_type":"advisory","_cs_vendors":["Amazon","Google","Microsoft","MongoDB"],"content_html":"\u003cp\u003eThis detection identifies AWS identities that primarily use API traffic originating from well-known cloud providers (e.g., Amazon, Google, Microsoft), but also exhibit a small amount of traffic from less common Autonomous System (AS) organizations. This pattern can indicate that automation or CI credentials are being reused or pivoted outside of their usual hosted cloud environment. The detection focuses on successful API calls and looks for a combination of high volume from trusted cloud providers and at least one sensitive action originating from an uncommon network. This behavior could be indicative of credential compromise and lateral movement. This rule was published by Elastic on 2026-04-22.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to valid AWS credentials, potentially through phishing, credential stuffing, or exposed secrets.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to make API calls from their own infrastructure, which is associated with a rare AS organization.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance, such as \u003ccode\u003eGetCallerIdentity\u003c/code\u003e, \u003ccode\u003eListBuckets\u003c/code\u003e, or \u003ccode\u003eListSecrets\u003c/code\u003e, to understand the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges by calling \u003ccode\u003eAssumeRole\u003c/code\u003e, \u003ccode\u003eAttachUserPolicy\u003c/code\u003e, or \u003ccode\u003eCreateAccessKey\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to access sensitive data using actions such as \u003ccode\u003eGetObject\u003c/code\u003e or \u003ccode\u003eGetSecretValue\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to create new users or modify existing user profiles using actions such as \u003ccode\u003eCreateUser\u003c/code\u003e, \u003ccode\u003eUpdateLoginProfile\u003c/code\u003e, or \u003ccode\u003eAddUserToGroup\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to invoke cloud ML models using \u003ccode\u003eInvokeModel\u003c/code\u003e or \u003ccode\u003eConverse\u003c/code\u003e to further their objectives.\u003c/li\u003e\n\u003cli\u003eThe attacker persists in the environment by creating new IAM users, roles, or policies, or by modifying existing ones.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data stored in S3 buckets, Secrets Manager, or other AWS services. It can also allow the attacker to escalate privileges, create new users, and modify existing configurations, leading to long-term control of the AWS environment. The severity of the impact depends on the level of access granted to the compromised credentials. This can lead to exfiltration of sensitive data, denial of service, or complete compromise of the AWS account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable AWS CloudTrail logging in all regions and send logs to a centralized SIEM or logging platform to enable detection capabilities (\u003ca href=\"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html\"\u003ereferences\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS Rare Source AS Organization Activity\u0026rdquo; translated from the provided ESQL query to detect unusual source ASNs for AWS API calls.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the rule, focusing on the \u003ccode\u003euser.name\u003c/code\u003e, \u003ccode\u003eaws.cloudtrail.user_identity.type\u003c/code\u003e, \u003ccode\u003eEsql.src_asn_values\u003c/code\u003e, and \u003ccode\u003eEsql.untrusted_suspicious_actions\u003c/code\u003e to understand the context of the activity.\u003c/li\u003e\n\u003cli\u003eRotate credentials for the affected principal if abuse is suspected and enforce OIDC or short-lived keys for automation.\u003c/li\u003e\n\u003cli\u003eTighten IAM and data-plane permissions to limit the impact of compromised credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-29-aws-rare-asn/","summary":"This rule detects AWS identities with API traffic dominated by cloud-provider source AS organization labels, but also exhibit traffic from other AS organizations, potentially indicating credential reuse or pivoting.","title":"AWS Identity API Access from Rare ASN Organizations","url":"https://feed.craftedsignal.io/briefs/2024-01-29-aws-rare-asn/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Google Workspace"],"_cs_severities":["medium"],"_cs_tags":["initial-access","privilege-escalation","defense-evasion","persistence","gworkspace"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis brief focuses on detecting suspicious login activity within Google Workspace environments, as flagged by Google\u0026rsquo;s internal risk assessment mechanisms. Google Workspace logs login events and classifies them based on various risk factors, including the use of less secure applications, programmatic logins, and other anomalies. This detection capability is crucial for identifying potential compromises, unauthorized access attempts, and malicious activities within the Google Workspace ecosystem. Analyzing these flagged events allows security teams to proactively respond to threats before they escalate, preventing data breaches and maintaining the integrity of sensitive information. This alert focuses on logins classified as \u0026lsquo;suspicious_login_less_secure_app\u0026rsquo;, \u0026lsquo;suspicious_login\u0026rsquo;, and \u0026lsquo;suspicious_programmatic_login\u0026rsquo;.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access using compromised credentials or brute-force techniques targeting Google Workspace accounts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLogin Attempt:\u003c/strong\u003e The attacker attempts to log in to a Google Workspace account using a less secure application (e.g., an older email client without modern authentication) or via programmatic login.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuspicious Activity Detection:\u003c/strong\u003e Google\u0026rsquo;s internal systems analyze the login attempt and flag it as suspicious based on various risk factors, such as unusual location, time of day, or login method.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEvent Logging:\u003c/strong\u003e Google Workspace logs the suspicious login event, including the reason for the classification (e.g., \u0026lsquo;suspicious_login_less_secure_app\u0026rsquo;).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePotential Privilege Escalation:\u003c/strong\u003e Upon successful login, the attacker may attempt to escalate privileges within the Google Workspace environment to gain broader access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker might use techniques to evade detection, such as disabling security features or modifying audit logs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence by creating new accounts, modifying existing ones, or installing malicious apps.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Malicious Activity:\u003c/strong\u003e The attacker uses the compromised account to exfiltrate sensitive data or perform other malicious activities, such as sending phishing emails.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data stored within Google Workspace, including emails, documents, and other files. This can result in data breaches, financial loss, and reputational damage. The number of affected users depends on the scope of the compromised account and the attacker\u0026rsquo;s ability to escalate privileges. Targeted sectors are broad, affecting any organization relying on Google Workspace for collaboration and data storage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious login activity classified by Google Workspace (logsource: \u003ccode\u003egcp\u003c/code\u003e, service: \u003ccode\u003egoogle_workspace.login\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the login attempt and take appropriate action, such as resetting passwords or disabling compromised accounts.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all Google Workspace accounts to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eDisable or restrict the use of less secure apps within Google Workspace to reduce the attack surface.\u003c/li\u003e\n\u003cli\u003eMonitor Google Workspace audit logs for other suspicious activities, such as unusual file access or data exfiltration attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T10:00:00Z","date_published":"2024-01-26T10:00:00Z","id":"/briefs/2024-01-26-gworkspace-suspicious-login/","summary":"Detect Google Workspace login activity that Google has classified as suspicious, potentially indicating initial access, privilege escalation, defense evasion, or persistence attempts.","title":"Google Workspace Suspicious Login Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-26-gworkspace-suspicious-login/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["OneDrive","Chrome","Brave","Opera","Discord","Slack","Microsoft 365","SharePoint"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","windows","threat-detection"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Google","Brave Software","Opera","Discord","Slack"],"content_html":"\u003cp\u003eAdversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in. This detection focuses on identifying connections from Windows hosts to a predefined list of commonly abused web services from processes running outside of typical program installation directories, indicating a potential C2 channel leveraging legitimate services. The rule aims to detect this behavior by monitoring network connections and DNS requests originating from unusual locations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved via an unknown method (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eMalware is installed on the victim\u0026rsquo;s system, likely outside typical program directories.\u003c/li\u003e\n\u003cli\u003eThe malware establishes a DNS connection to a commonly abused web service (e.g., pastebin.com, raw.githubusercontent.com) to obscure C2 traffic.\u003c/li\u003e\n\u003cli\u003eThe malware sends encrypted or encoded commands to the web service.\u003c/li\u003e\n\u003cli\u003eThe web service acts as an intermediary, relaying the commands to the attacker\u0026rsquo;s C2 server.\u003c/li\u003e\n\u003cli\u003eThe C2 server responds with instructions, which are then relayed back to the compromised host through the same web service.\u003c/li\u003e\n\u003cli\u003eThe malware executes the received commands, potentially leading to data exfiltration, lateral movement, or other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access and control over the compromised system using the web service as a hidden C2 channel.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to data theft, system compromise, and further propagation within the network. Since commonly used web services are utilized, the malicious activity can blend in with legitimate network traffic, making it difficult to detect. The impact can range from minor data breaches to complete network compromise, depending on the attacker\u0026rsquo;s objectives and the level of access gained.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Commonly Abused Web Services via DNS\u003c/code\u003e to your SIEM to identify suspicious DNS queries to known C2 web services originating from anomalous processes.\u003c/li\u003e\n\u003cli\u003eEnable DNS query logging on Windows endpoints to provide the data source required for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview network connection logs for processes outside standard installation directories communicating with domains listed in the \u003ccode\u003equery\u003c/code\u003e section of the Sigma rule to identify potential C2 activity.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of compromised hosts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"/briefs/2024-01-04-c2-web-services/","summary":"This rule detects command and control activity using common web services by identifying Windows hosts making DNS requests to a list of commonly abused web services from processes outside of known program locations, potentially indicating adversaries attempting to blend malicious traffic with legitimate network activity.","title":"Detection of Command and Control Activity via Commonly Abused Web Services","url":"https://feed.craftedsignal.io/briefs/2024-01-04-c2-web-services/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Edge","Chrome","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["credential-access","windows","browser-exploitation"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Google","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies instances where a browser process, specifically Google Chrome or Microsoft Edge, is initiated from an unexpected parent process on a Windows system. The rule focuses on scenarios where browsers are launched with arguments indicative of remote debugging, headless automation, or minimal user interaction. Such activity can signal an attempt to manipulate a browser session for malicious purposes, potentially leading to credential theft or unauthorized access to sensitive information. The rule is designed to leverage data from Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Process Creation Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script or command to launch a browser process (chrome.exe or msedge.exe).\u003c/li\u003e\n\u003cli\u003eThe browser is launched with specific command-line arguments, such as \u003ccode\u003e--remote-debugging-port\u003c/code\u003e, \u003ccode\u003e--headless\u003c/code\u003e, or \u003ccode\u003e--window-position=-x,-y\u003c/code\u003e, to enable remote control or hide the browser window.\u003c/li\u003e\n\u003cli\u003eThe parent process of the browser is an unusual executable, not typically associated with launching browsers (e.g., not explorer.exe).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the remote debugging port to interact with the browser session programmatically.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to steal credentials or session cookies from the browser.\u003c/li\u003e\n\u003cli\u003eThe attacker uses stolen credentials to access sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the theft of user credentials, enabling unauthorized access to sensitive data and systems. This could result in financial loss, data breaches, and reputational damage for affected organizations. The targeted use of browser manipulation techniques increases the likelihood of bypassing traditional security controls.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eBrowser Process Spawned from Unusual Parent\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging (Event ID 1) to collect the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eBrowser Process Spawned from Unusual Parent\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview process command lines for arguments like \u003ccode\u003e--remote-debugging-port\u003c/code\u003e or \u003ccode\u003e--headless\u003c/code\u003e to identify potential browser manipulation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from browser processes for unexpected destinations, as described in the investigation guide from the source.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:15:00Z","date_published":"2024-01-03T18:15:00Z","id":"/briefs/2024-01-browser-unusual-parent/","summary":"Attackers may attempt credential theft by launching browsers (Chrome, Edge) with remote debugging, headless automation, or minimal arguments from an unusual parent process on Windows systems.","title":"Browser Process Spawned from an Unusual Parent","url":"https://feed.craftedsignal.io/briefs/2024-01-browser-unusual-parent/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","OneDrive","Chrome","Opera","Fiddler","PowerToys","Vivaldi","Zen Browser","WaveBrowser","MicrosoftEdgeCP"],"_cs_severities":["low"],"_cs_tags":["command-and-control","webservice","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Google","BraveSoftware","Opera","Vivaldi","Wavesor Software","Discord","Telegram","Facebook","Trello","GitHub","Supabase"],"content_html":"\u003cp\u003eThis detection rule, sourced from Elastic, identifies potential command and control (C2) activity by detecting connections to commonly abused web services. Adversaries often leverage popular web services like pastebin, GitHub, Dropbox, and Discord to mask malicious communications within legitimate network traffic. This technique makes it challenging for defenders to distinguish between normal user activity and malicious C2 traffic. The rule focuses on Windows systems and monitors DNS queries to identify processes communicating with a predefined list of services known to be abused by attackers. The rule was last updated on 2026-05-04 and is designed to work with data from Elastic Defend and SentinelOne Cloud Funnel. The goal is to identify anomalous network connections originating from unusual processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user on a Windows host unknowingly executes a malicious file (e.g., via phishing or drive-by download).\u003c/li\u003e\n\u003cli\u003eThe malicious file executes a process outside of typical program directories (e.g., \u003ccode\u003eC:\\Windows\\Temp\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThis process initiates a DNS query to a domain associated with a commonly abused web service (e.g., \u003ccode\u003epastebin.com\u003c/code\u003e, \u003ccode\u003egithubusercontent.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe DNS query resolves to an IP address, and a network connection is established to the web service.\u003c/li\u003e\n\u003cli\u003eThe malicious process uploads or downloads data from the web service, potentially containing commands for the compromised host or exfiltrated data.\u003c/li\u003e\n\u003cli\u003eThe web service acts as an intermediary, relaying commands from the attacker to the compromised host or exfiltrated data from the compromised host to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the C2 channel to perform further actions on the compromised host, such as lateral movement or data theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using common web services for C2 can lead to data exfiltration, system compromise, and further propagation within the network. The low severity suggests a focus on detecting early-stage C2 activity, which if left unchecked, could escalate into a significant incident. The usage of popular web services makes detection difficult, requiring careful analysis and tuning to avoid false positives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Connection to Commonly Abused Web Services\u0026rdquo; to your SIEM and tune it for your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon DNS query logging to accurately capture DNS requests for improved detection capabilities, activating the \u0026ldquo;DNS Query to Commonly Abused Web Services\u0026rdquo; rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the process execution chain and network connections to determine the legitimacy of the activity, referencing the investigation steps described in the rule documentation.\u003c/li\u003e\n\u003cli\u003eReview and update the list of excluded processes in the Sigma rule to reflect your organization\u0026rsquo;s approved software and reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-common-web-services-c2/","summary":"This rule detects command and control (C2) communications that use common web services to hide malicious activity on Windows hosts by identifying network connections to commonly abused web services from processes outside of known legitimate program locations, indicating potential exfiltration or C2 activity blended with legitimate traffic.","title":"Detection of Command and Control Activity via Common Web Services","url":"https://feed.craftedsignal.io/briefs/2024-01-common-web-services-c2/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Firefox","Thunderbird","VMware Horizon View Client","Dropbox Client","Google Earth Pro","CrashPlan","Pale Moon","Waterfox","Cyberfox","Slack"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","anomaly","windows"],"_cs_type":"advisory","_cs_vendors":["Mozilla","VMware","Dropbox","Google","Code42","Slack"],"content_html":"\u003cp\u003eThis brief focuses on detecting anomalous loading of Mozilla NSS (Network Security Services) and Mozglue libraries (specifically \u003ccode\u003emozglue.dll\u003c/code\u003e and \u003ccode\u003enss3.dll\u003c/code\u003e) by processes other than known Mozilla applications like Firefox and Thunderbird. The technique leverages Windows Sysmon Event ID 7 (ImageLoaded) to identify such instances. This activity is flagged as suspicious because legitimate software rarely loads these libraries outside of the intended Mozilla ecosystem. Attackers may attempt to load these libraries into other processes to perform malicious actions such as code injection, data exfiltration, or credential theft, while masquerading as legitimate software. This detection is crucial for identifying potentially compromised systems and preventing further damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to the system, possibly through phishing, exploiting a vulnerability, or using stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence on the system, ensuring continued access even after a reboot. This may involve creating scheduled tasks or modifying registry keys.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker elevates privileges to gain higher-level access to the system. This can be achieved through exploiting kernel vulnerabilities or misconfigured services.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalware Installation:\u003c/strong\u003e The attacker deploys malware or malicious tools onto the compromised system. This may involve downloading executables or scripts from a remote server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Injection:\u003c/strong\u003e The attacker injects malicious code into a legitimate process. This is often done to evade detection and execute malicious commands in a trusted context. In this scenario, the injected code might leverage Mozilla NSS/Mozglue libraries.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Theft:\u003c/strong\u003e The injected code attempts to steal credentials stored on the system. This may involve accessing LSASS memory or extracting credentials from web browsers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The attacker exfiltrates sensitive data from the compromised system. This may involve compressing data and transferring it to a remote server using protocols like HTTP or FTP.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Impact:\u003c/strong\u003e Using stolen credentials or the compromised system as a pivot, the attacker moves laterally within the network to compromise additional systems, or achieves their ultimate objective, such as ransomware deployment or intellectual property theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and anomalous loading of Mozilla libraries can lead to significant damage, including data breaches, financial loss, and reputational damage. Stolen credentials can be used to access sensitive systems and data, while injected code can disrupt critical business processes. The scope can range from individual workstations to entire networks, depending on the attacker\u0026rsquo;s objectives and level of access. The detection helps prevent credential theft, data exfiltration, and lateral movement.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 7 (ImageLoaded) logging on all Windows endpoints to ensure visibility into loaded modules (reference: \u003ccode\u003edata_source\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eUnusual Mozilla NSS/Mozglue Module Load by Non-Mozilla Process\u003c/code\u003e to your SIEM and tune the process exceptions for your environment (reference: \u003ccode\u003erules\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where Mozilla NSS/Mozglue libraries are loaded by processes not explicitly allowed in the exception list to determine if malicious activity is occurring (reference: \u003ccode\u003esearch\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eCorrelate detections of unusual Mozilla library loading with other suspicious activity, such as network connections to known malicious domains or the execution of unusual processes, to identify potential compromises (reference: \u003ccode\u003etags\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview and update the list of legitimate applications that may load Mozilla NSS/Mozglue libraries in your environment to reduce false positives (reference: \u003ccode\u003eknown_false_positives\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-03-unusual-mozglue-load/","summary":"Detection of processes loading Mozilla NSS/Mozglue libraries (mozglue.dll, nss3.dll) outside of known Mozilla applications, potentially indicating malware or unauthorized activity.","title":"Unusual Process Loading Mozilla NSS/Mozglue Module","url":"https://feed.craftedsignal.io/briefs/2024-01-03-unusual-mozglue-load/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["gcloud","azd","gh","aws","kubectl","doctl","oci"],"_cs_severities":["high"],"_cs_tags":["credential-access","cloud","cli","token-harvesting"],"_cs_type":"advisory","_cs_vendors":["Elastic","Google","Microsoft","GitHub","DigitalOcean","Oracle"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting command-line credential harvesting across multiple cloud platforms. Attackers may attempt to steal application access tokens or extract credentials from files by executing specific commands via command-line interfaces (CLIs) for GCP, Azure, AWS, GitHub, DigitalOcean, Oracle, and Kubernetes. This activity is particularly concerning when originating from the same host within a short time frame (e.g., five minutes), potentially indicating automated credential theft. This technique can lead to unauthorized access to cloud resources, data breaches, and lateral movement within cloud environments. Defenders should monitor for suspicious command-line activity involving cloud CLIs and credential access patterns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly via compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a shell (cmd.exe, PowerShell, bash, etc.) to execute cloud CLI commands.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands to list available credentials or tokens (e.g., \u003ccode\u003eaws configure list\u003c/code\u003e, \u003ccode\u003eaz account list\u003c/code\u003e, \u003ccode\u003ekubectl config view\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands to print access tokens for various cloud providers (e.g., \u003ccode\u003egcloud auth print-access-token\u003c/code\u003e, \u003ccode\u003eaz account get-access-token\u003c/code\u003e, \u003ccode\u003egh auth token\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uses credential harvesting commands across multiple cloud platforms within a short timeframe.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the harvested credentials to a remote location.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to access sensitive cloud resources and data.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement within the cloud environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive cloud resources, data breaches, and lateral movement within cloud environments. The impact includes potential data exfiltration, service disruption, and financial loss. The number of affected victims will depend on the scope of the compromised credentials and the attacker\u0026rsquo;s ability to exploit them.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Multi-Cloud CLI Token and Credential Access Commands\u0026rdquo; to your SIEM to detect suspicious command-line activity related to cloud credential harvesting.\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003eEsql.process_command_line_values\u003c/code\u003e in the rule output to identify the exact commands executed and determine if the activity was legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eCorrelate the detected activity with authentication, Kubernetes audit, and cloud API logs to confirm unauthorized access and misuse of printed tokens.\u003c/li\u003e\n\u003cli\u003eImplement monitoring and alerting for unusual CLI activity originating from user workstations or build servers, focusing on the CLIs mentioned in the Overview section.\u003c/li\u003e\n\u003cli\u003eFollow vendor-specific guidance to revoke compromised credentials, such as revoking tokens and rotating secrets, as outlined in the rule\u0026rsquo;s \u0026ldquo;Response and remediation\u0026rdquo; section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-multi-cloud-cli-token-harvesting/","summary":"This rule detects command-line activity indicative of credential access across multiple cloud platforms (GCP, Azure, AWS, GitHub, DigitalOcean, Oracle, Kubernetes), looking for specific commands used to print or access tokens and credentials, flagging hosts where multiple cloud targets are accessed within a five-minute window, suggesting potential credential harvesting activity.","title":"Multi-Cloud CLI Token and Credential Access via Command-Line Harvesting","url":"https://feed.craftedsignal.io/briefs/2024-01-multi-cloud-cli-token-harvesting/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Corretto JDK","UEM Proxy Server","UEM Core","dbeaver.exe","Docker","Chrome","Internet Explorer","PyCharm Community Edition","Firefox","VirtualBox","Puppet","nexpose","Silverfort AD Adapter","Nessus","VMware View","Advanced Port Scanner","DesktopCentral Agent","LanGuard","SAP BusinessObjects","SuperScan","ZSATunnel"],"_cs_severities":["medium"],"_cs_tags":["kerberoasting","credential-access","lateral-movement","windows"],"_cs_type":"threat","_cs_vendors":["Elastic","SentinelOne","Amazon","BlackBerry","DBeaver","Docker","Google","Microsoft","JetBrains","Mozilla","Oracle","Puppet Labs","Rapid7","Silverfort","Tenable","VMware","GFI","SAP","Zscaler"],"content_html":"\u003cp\u003eThis detection identifies unusual processes initiating network connections to the standard Kerberos port (88) on Windows systems. Typically, the \u003ccode\u003elsass.exe\u003c/code\u003e process handles Kerberos traffic on domain-joined hosts. The rule aims to detect processes other than \u003ccode\u003elsass.exe\u003c/code\u003e communicating with the Kerberos port, which could indicate malicious activity such as Kerberoasting (T1558.003) or Pass-the-Ticket (T1550.003). The detection is designed to work with data from Elastic Defend and SentinelOne Cloud Funnel. This can help security teams identify potential credential access attempts and lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a user account or system within the domain.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious binary or script (e.g., PowerShell) on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe malicious process attempts to request Kerberos service tickets (TGS) for various services within the domain. This is done by connecting to the Kerberos port (88) on a domain controller.\u003c/li\u003e\n\u003cli\u003eThe attacker uses tools like \u003ccode\u003eRubeus\u003c/code\u003e or \u003ccode\u003eKerberoast.ps1\u003c/code\u003e to enumerate and request TGS tickets.\u003c/li\u003e\n\u003cli\u003eThe unusual process (not \u003ccode\u003elsass.exe\u003c/code\u003e) sends Kerberos traffic to the domain controller.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the Kerberos tickets from memory or network traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker cracks the offline TGS tickets to obtain service account passwords (Kerberoasting).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised service account credentials to move laterally within the network or access sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Kerberoasting or Pass-the-Ticket attack can lead to unauthorized access to sensitive resources and lateral movement within the network. Attackers can compromise service accounts with elevated privileges, potentially leading to domain-wide compromise. Detection of this behavior can prevent attackers from gaining access to critical assets. While the exact number of victims and sectors targeted are unknown, this technique is widely used by various threat actors in targeted attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Kerberos Traffic from Unusual Process\u0026rdquo; Sigma rule to your SIEM and tune for your environment. Enable network connection logging to capture the necessary traffic.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the process execution chain and potential malicious binaries.\u003c/li\u003e\n\u003cli\u003eReview event ID 4769 for suspicious ticket requests as mentioned in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003cli\u003eExamine host services for suspicious entries as outlined in the original Elastic detection rule using Osquery.\u003c/li\u003e\n\u003cli\u003eMonitor for processes connecting to port 88, filtering out legitimate Kerberos clients like \u003ccode\u003elsass.exe\u003c/code\u003e, using the \u0026ldquo;Detect Kerberos Traffic from Non-Standard Process\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate processes identified by the rule and compare them to the list of legitimate processes to identify unauthorized connections to the Kerberos port.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-03-kerberoasting-unusual-process/","summary":"Detects network connections to the standard Kerberos port from an unusual process other than lsass.exe, potentially indicating Kerberoasting or Pass-the-Ticket activity on Windows systems.","title":"Kerberos Traffic from Unusual Process","url":"https://feed.craftedsignal.io/briefs/2024-01-03-kerberoasting-unusual-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Chrome","Splunk Enterprise Security","Splunk Enterprise","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["credential-access","password-stealing","chrome"],"_cs_type":"advisory","_cs_vendors":["Google","Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting unauthorized access to the Chrome \u0026lsquo;Local State\u0026rsquo; file, a critical component of the Chrome browser that stores settings and, more importantly, the encrypted master key used to protect saved passwords. The \u0026lsquo;Local State\u0026rsquo; file is typically accessed only by the Chrome browser itself. When other processes attempt to read this file, it\u0026rsquo;s a strong indicator of malicious activity, potentially involving credential theft or reconnaissance by malware such as RedLine Stealer. This analytic leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. Detecting and responding to this activity is crucial for preventing attackers from gaining access to sensitive user credentials stored within the Chrome browser.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, often through phishing or exploitation of a software vulnerability (not specified in this advisory).\u003c/li\u003e\n\u003cli\u003eMalware is deployed on the victim machine (e.g., RedLine Stealer).\u003c/li\u003e\n\u003cli\u003eThe malware attempts to locate the Chrome \u0026lsquo;Local State\u0026rsquo; file, typically found at \u003ccode\u003e*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Local State\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malware process accesses the \u0026lsquo;Local State\u0026rsquo; file, triggering a Windows Security Event 4663.\u003c/li\u003e\n\u003cli\u003eThe malware extracts the encrypted master key from the \u0026lsquo;Local State\u0026rsquo; file.\u003c/li\u003e\n\u003cli\u003eThe malware decrypts the master key using attacker-controlled methods.\u003c/li\u003e\n\u003cli\u003eThe decrypted master key is used to decrypt saved passwords stored by Chrome.\u003c/li\u003e\n\u003cli\u003eThe stolen credentials are exfiltrated to the attacker\u0026rsquo;s command and control server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to steal user credentials stored in the Chrome browser. This can lead to unauthorized access to email accounts, social media profiles, banking websites, and other sensitive online services. The impact could range from identity theft and financial fraud to corporate espionage and data breaches. The number of potential victims depends on the number of systems compromised and the extent of Chrome usage on those systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Object Access\u0026rdquo; in Group Policy and configure auditing for both \u0026ldquo;Success\u0026rdquo; and \u0026ldquo;Failure\u0026rdquo; events to ensure Windows Security Event 4663 is generated for file access, as described in the \u0026ldquo;how_to_implement\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Chrome Local State File Access by Non-Chrome Processes\u0026rdquo; to your SIEM to detect unauthorized access attempts (see \u0026ldquo;rules\u0026rdquo; section). Tune the rule\u0026rsquo;s filter list to reduce false positives related to legitimate software uninstallers.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the process name and path involved in accessing the \u0026lsquo;Local State\u0026rsquo; file, as described in the rule\u0026rsquo;s description.\u003c/li\u003e\n\u003cli\u003eConsider implementing network egress filtering to prevent exfiltration of stolen credentials to known malicious command and control servers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-chrome-localstate-access/","summary":"Detection of non-Chrome processes accessing the Chrome 'Local State' file, potentially leading to extraction of the master key used for decrypting saved passwords.","title":"Unauthorized Access to Chrome Local State File","url":"https://feed.craftedsignal.io/briefs/2024-01-chrome-localstate-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Agent Auditd Manager","EKS","Azure","gcloud","Docker"],"_cs_severities":["high"],"_cs_tags":["credential-access","linux","auditd"],"_cs_type":"advisory","_cs_vendors":["Elastic","Amazon","Microsoft","Google","Docker"],"content_html":"\u003cp\u003eThis detection focuses on identifying unauthorized access to sensitive identity files on Linux systems. It leverages Auditd to monitor file access events and flags processes that are commonly used for copying, scripting, or staging files from temporary directories. The targeted files include Kubernetes service account tokens, kubelet configurations, cloud CLI configurations for AWS, Azure, and Google Cloud, root SSH keys, and Docker configurations. These files are critical for authentication and authorization within the system, and unauthorized access could lead to credential theft, privilege escalation, or lateral movement. This is especially important in cloud environments and containerized deployments where these files are commonly used for managing access to resources. The rule is designed to exclude user home paths to avoid false positives and focus on system-level access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux system through various means, such as exploiting a vulnerability or compromising credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a utility like \u003ccode\u003ecp\u003c/code\u003e, \u003ccode\u003ecat\u003c/code\u003e, or \u003ccode\u003ecurl\u003c/code\u003e to access sensitive files such as \u003ccode\u003e/var/run/secrets/kubernetes.io/serviceaccount/token\u003c/code\u003e or \u003ccode\u003e/root/.ssh/id_rsa\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAuditd logs the file access event, capturing details about the process, user, and file path.\u003c/li\u003e\n\u003cli\u003eThe detection rule identifies the suspicious process based on its name, executable path (e.g., \u003ccode\u003e/tmp/*\u003c/code\u003e), or command-line arguments.\u003c/li\u003e\n\u003cli\u003eThe rule checks if the accessed file is in the list of sensitive identity files.\u003c/li\u003e\n\u003cli\u003eIf both conditions are met, the rule triggers an alert, indicating potential unauthorized access to sensitive credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the stolen credentials or uses them to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to access cloud resources or other sensitive systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of sensitive credentials, allowing attackers to gain unauthorized access to critical systems and data. This can result in data breaches, service disruptions, and financial losses. The targeted files contain credentials for Kubernetes clusters, cloud environments (AWS, Azure, Google Cloud), and SSH keys, potentially impacting a wide range of resources. The impact is particularly severe in environments where these credentials are used for managing critical infrastructure or accessing sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Auditd Manager integration with the specified audit rules in the provided setup steps to monitor access to sensitive identity files on Linux systems. Ensure auditd is properly configured and running (\u003ccode\u003eauditctl -l\u003c/code\u003e) to generate the necessary logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to detect suspicious processes accessing sensitive identity files and tune them for your environment by excluding legitimate processes or users as needed.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rules, focusing on the process name, executable, parent command line, and the accessed file path to determine the legitimacy of the access.\u003c/li\u003e\n\u003cli\u003eReview and harden file permissions on shared credential stores to prevent unauthorized access. Rotate exposed keys and tokens and invalidate cloud sessions if a compromise is suspected, as suggested in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-sensitive-identity-file-access/","summary":"This rule detects suspicious processes, such as copy utilities or scripting tools, accessing sensitive identity files on Linux systems, including Kubernetes tokens, cloud CLI configurations, and root SSH keys, indicating potential credential theft.","title":"Suspicious Process Accessing Sensitive Identity Files via Auditd","url":"https://feed.craftedsignal.io/briefs/2024-01-sensitive-identity-file-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Amazon EC2"],"_cs_severities":["medium"],"_cs_tags":["aws","ec2","keypair","persistence","credential_access","lateral_movement"],"_cs_type":"advisory","_cs_vendors":["Amazon","Google","Microsoft"],"content_html":"\u003cp\u003eThis alert identifies suspicious activity related to the creation of EC2 key pairs within an AWS environment. Specifically, it focuses on instances where a new IAM principal (user) creates an EC2 key pair from a network source (IP address) whose autonomous system organization is not commonly associated with major cloud providers like Amazon, Google, or Microsoft. Adversaries often create key pairs for persistence or to enable unauthorized access to EC2 instances, potentially leading to data exfiltration or further malicious activities. The rule uses a new terms approach to baseline user activity, reducing noise from repeated actions while still flagging the initial suspicious key pair creation. This activity is flagged as suspicious due to originating from outside trusted ASNs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised credentials or a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to enumerate existing EC2 instances and associated key pairs.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eCreateKeyPair\u003c/code\u003e API call to generate a new SSH key pair within the AWS account. The request originates from a network with an autonomous system organization not attributed to common cloud providers.\u003c/li\u003e\n\u003cli\u003eThe attacker stores the private key material for later use in accessing EC2 instances.\u003c/li\u003e\n\u003cli\u003eThe attacker may then use the new key pair to launch new EC2 instances or import the key to existing instances. This can be done through \u003ccode\u003eRunInstances\u003c/code\u003e or \u003ccode\u003eImportKeyPair\u003c/code\u003e operations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the new key pair to SSH into the newly created or compromised EC2 instances.\u003c/li\u003e\n\u003cli\u003eOnce inside the instances, the attacker performs malicious activities, such as data exfiltration, lateral movement, or installing malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to EC2 instances, potentially compromising sensitive data and disrupting services. A compromised AWS account can allow the attacker to steal data, establish persistence, and move laterally within the cloud environment. The lack of expected cloud provider ASN for the source IP of the \u003ccode\u003eCreateKeyPair\u003c/code\u003e event raises the risk profile.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS EC2 CreateKeyPair from Non-Cloud AS Organization\u0026rdquo; to your SIEM and tune the \u003ccode\u003esource.as.organization.name\u003c/code\u003e exclusions based on your environment.\u003c/li\u003e\n\u003cli\u003eReview AWS CloudTrail logs for any \u003ccode\u003eCreateKeyPair\u003c/code\u003e events and correlate with other suspicious activity, as mentioned in the investigation steps in this brief.\u003c/li\u003e\n\u003cli\u003eImplement stricter IAM policies to limit the ability to create key pairs to only authorized users and roles.\u003c/li\u003e\n\u003cli\u003eMonitor for \u003ccode\u003eRunInstances\u003c/code\u003e or \u003ccode\u003eImportKeyPair\u003c/code\u003e events using the newly created key names as identified from \u003ccode\u003eaws.cloudtrail.request_parameters\u003c/code\u003e / \u003ccode\u003eresponse_elements\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable and review AWS Config rules to detect and remediate misconfigurations related to IAM and EC2 key pair management.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-aws-ec2-keypair-creation/","summary":"An AWS EC2 CreateKeyPair event triggered by a new principal originating from a network autonomous system (AS) organization not associated with major cloud providers, indicating potential unauthorized access or persistence activity.","title":"Suspicious AWS EC2 Key Pair Creation from Non-Cloud AS","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-ec2-keypair-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Chrome","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["credential-access","password-stealing","windows"],"_cs_type":"advisory","_cs_vendors":["Google","Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting unauthorized access to Chrome\u0026rsquo;s \u0026ldquo;Login Data\u0026rdquo; file, a local SQLite database that stores user credentials. Attackers, after gaining initial access to a Windows system, may attempt to steal these credentials by directly accessing and parsing this file. The \u0026ldquo;Login Data\u0026rdquo; file contains sensitive information, including usernames, passwords, and URLs. The technique is commonly associated with credential-stealing malware families like RedLine Stealer, DarkGate, and others listed below. Successful exploitation allows attackers to harvest credentials for lateral movement and further compromise. This detection is based on Windows Security Event logs, specifically event ID 4663, which records attempts to access objects like files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system, potentially through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious executable or script on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe malicious process attempts to access the Chrome \u0026ldquo;Login Data\u0026rdquo; file, typically located at \u003ccode\u003e*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eWindows Security Event Log generates an event with EventCode 4663, recording the file access attempt.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s process reads the \u0026ldquo;Login Data\u0026rdquo; SQLite database.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts and potentially decrypts stored usernames and passwords from the \u0026ldquo;Login Data\u0026rdquo; file.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials for lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised Chrome \u0026ldquo;Login Data\u0026rdquo; files can lead to widespread credential theft, granting attackers unauthorized access to numerous online accounts. Depending on the user\u0026rsquo;s browsing habits and password reuse, this can include access to sensitive corporate resources, financial accounts, and personal email. The impact can range from financial loss to significant data breaches and reputational damage. The references section in the original source mentions Redline Stealer which is used in various attacks, indicating a potentially large number of victims across different sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Object Access\u0026rdquo; in Group Policy and configure auditing for both \u0026ldquo;Success\u0026rdquo; and \u0026ldquo;Failure\u0026rdquo; events to generate Windows Security Event 4663, as described in the \u0026ldquo;how_to_implement\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eChrome Login Data Accessed by Non-Browser Process\u003c/code\u003e to your SIEM and tune the \u003ccode\u003eprocess_path\u003c/code\u003e filter to exclude legitimate software in your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eChrome Login Data Accessed by Non-Browser Process\u003c/code\u003e Sigma rule to determine if credential theft has occurred and remediate any affected accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-chrome-login-data-access/","summary":"This analytic identifies non-Chrome processes accessing the Chrome user data file 'login data', which is an SQLite database containing sensitive information like saved passwords, potentially leading to credential theft.","title":"Non-Chrome Process Accessing Chrome Login Data","url":"https://feed.craftedsignal.io/briefs/2024-01-chrome-login-data-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS IMDS","GCP Compute Metadata","Azure IMDS"],"_cs_severities":["high"],"_cs_tags":["kubernetes","cloud","credential_access","execution"],"_cs_type":"advisory","_cs_vendors":["AWS","Google","Azure"],"content_html":"\u003cp\u003eThis alert focuses on detecting Kubernetes pod exec sessions that attempt to access cloud instance metadata endpoints. The activity is flagged when the decoded command line of a pod exec session contains references to cloud instance metadata services across AWS, GCP, and Azure. Attackers may exploit this to harvest role credentials, tokens, or instance attributes from the underlying node or hypervisor. This is a high-risk behavior because it can expose short-lived cloud credentials to code running inside a container, particularly concerning in multi-tenant and regulated environments. This detection classifies the cloud target and whether the command indicates credential theft or reconnaissance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a Kubernetes cluster.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a vulnerable pod within the cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ekubectl exec\u003c/code\u003e to gain shell access to the pod.\u003c/li\u003e\n\u003cli\u003eInside the pod, the attacker crafts a command-line request targeting the cloud instance metadata service (IMDS) endpoint.\u003c/li\u003e\n\u003cli\u003eThe command, often using \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e, attempts to retrieve sensitive information such as IAM roles, tokens, or instance attributes.\u003c/li\u003e\n\u003cli\u003eThe IMDS responds with the requested data, which may include credentials or configuration details.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the stolen credentials or uses them to escalate privileges within the cloud environment.\u003c/li\u003e\n\u003cli\u003eAttacker uses the harvested credentials to move laterally, compromise other cloud resources, or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised credentials can lead to unauthorized access to sensitive data, lateral movement within the cloud environment, and potential data exfiltration. A successful attack could impact multiple organizations sharing the same Kubernetes cluster. The impact could include financial losses, reputational damage, and regulatory fines, depending on the type of data compromised and the extent of the breach.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eKubernetes Pod Exec IMDS Access\u003c/code\u003e to detect suspicious command-line activity within Kubernetes pods.\u003c/li\u003e\n\u003cli\u003eBlock access to the cloud instance metadata endpoints (169.254.169.254) from within Kubernetes pods using network policies.\u003c/li\u003e\n\u003cli\u003eRegularly review and tighten RBAC permissions related to \u003ccode\u003epods/exec\u003c/code\u003e to limit the ability of attackers to gain shell access.\u003c/li\u003e\n\u003cli\u003eMonitor cloud audit logs for suspicious STS or token issuance events correlated with Kubernetes pod exec events.\u003c/li\u003e\n\u003cli\u003eImplement workload identity solutions to avoid the need to expose instance metadata to pods.\u003c/li\u003e\n\u003cli\u003eBaseline approved images and tune exclusions narrowly to avoid false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-kubernetes-metadata-access/","summary":"Detection of Kubernetes pod exec sessions accessing cloud instance metadata endpoints, indicating potential credential theft from AWS, GCP, or Azure.","title":"Kubernetes Pod Exec Cloud Instance Metadata Access","url":"https://feed.craftedsignal.io/briefs/2024-01-kubernetes-metadata-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Edge","Chrome","Firefox"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","dns-over-https","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Google","Mozilla"],"content_html":"\u003cp\u003eThe use of DNS-over-HTTPS (DoH) can obscure network activity, potentially allowing malicious actors to bypass traditional DNS monitoring and conceal data exfiltration. When DoH is enabled, visibility into DNS query types, responses, and originating IPs is lost, hindering the detection of malicious activity. This behavior is detected by monitoring registry modifications associated with enabling DoH in popular browsers such as Microsoft Edge, Google Chrome, and Mozilla Firefox. The registry keys targeted are associated with settings that force the browsers to use secure DNS resolution, potentially circumventing organizational security policies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to a Windows system through various means, such as phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (if necessary):\u003c/strong\u003e The attacker may need to escalate privileges to modify registry settings.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker modifies the Windows registry to enable DNS-over-HTTPS (DoH) in web browsers like Edge, Chrome, or Firefox. This is achieved by modifying specific registry keys such as \u003ccode\u003eHKLM\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled\u003c/code\u003e, \u003ccode\u003eHKLM\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode\u003c/code\u003e, or \u003ccode\u003eHKLM\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObfuscation:\u003c/strong\u003e By enabling DoH, the attacker encrypts DNS queries, making it difficult for network monitoring tools to inspect DNS traffic.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The attacker establishes command and control (C2) communication with a remote server over encrypted DNS traffic, evading traditional network-based detection methods.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The attacker uses the encrypted DNS channel to exfiltrate sensitive data, bypassing network security controls that rely on DNS inspection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Optional):\u003c/strong\u003e The attacker might establish persistence by ensuring the DoH settings remain enabled across system reboots.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to a loss of visibility into DNS traffic, hindering incident response and threat hunting efforts. Attackers can effectively hide command-and-control communications and data exfiltration activities. Although this activity by itself isn\u0026rsquo;t inherently malicious, it removes a layer of defense, increasing the risk that malicious activities will go undetected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect the enabling of DNS-over-HTTPS via registry modifications.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture the necessary events for the provided Sigma rules to function effectively.\u003c/li\u003e\n\u003cli\u003eReview and update security policies to ensure DNS-over-HTTPS is only enabled through approved channels and for legitimate purposes, reducing the risk of misuse, and create exceptions in the detection rule for systems where this is a known requirement.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on identifying the user account, process, and associated network activity (reference the investigation guide in the source URL).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-dns-over-https-enabled/","summary":"Detection of DNS-over-HTTPS (DoH) being enabled via registry modifications on Windows systems, potentially indicating defense evasion and obfuscation of network activity by masking DNS queries.","title":"DNS-over-HTTPS Enabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-dns-over-https-enabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Google Workspace"],"_cs_severities":["medium"],"_cs_tags":["data-leakage","gworkspace","email-forwarding"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis brief focuses on detecting unauthorized email forwarding to external domains within Google Workspace environments. The primary concern is the potential for data exfiltration or misuse by malicious insiders or threat actors who have compromised user accounts. The activity is logged by Google Workspace and can be monitored using the Google Workspace Admin Reports API. The event name associated with this activity is \u003ccode\u003eemail_forwarding_out_of_domain\u003c/code\u003e, which is generated when a user configures automatic email forwarding to an address outside the organization\u0026rsquo;s domain. Successful exploitation of this technique can lead to the leakage of sensitive information, intellectual property theft, or compliance violations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a Google Workspace user account, potentially through phishing, credential stuffing, or other methods.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Gmail settings for the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker configures automatic email forwarding to an external email address controlled by the attacker (e.g., a Gmail, Outlook, or ProtonMail address).\u003c/li\u003e\n\u003cli\u003eThe attacker sets up filters to forward specific types of emails, such as those containing sensitive keywords or originating from key personnel.\u003c/li\u003e\n\u003cli\u003eLegitimate emails are received by the compromised user and automatically forwarded to the external address.\u003c/li\u003e\n\u003cli\u003eThe attacker collects the forwarded emails, extracting sensitive data or using it for further malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker covers their tracks by deleting audit logs or modifying forwarding rules.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of unauthorized email forwarding can lead to significant data breaches, intellectual property theft, and compliance violations. The impact can range from exposure of sensitive customer data to the loss of competitive advantage due to stolen trade secrets. Depending on the volume and nature of the data exfiltrated, organizations may face legal and regulatory penalties, as well as reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u003ccode\u003eemail_forwarding_out_of_domain\u003c/code\u003e events in Google Workspace logs (logsource: \u003ccode\u003egcp\u003c/code\u003e, service: \u003ccode\u003egoogle_workspace.login\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the email forwarding configuration.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Google Workspace accounts to reduce the risk of account compromise.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit email forwarding rules to identify and remove any unauthorized configurations.\u003c/li\u003e\n\u003cli\u003eTrain users to recognize and report phishing attempts to prevent account compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-gworkspace-email-forwarding/","summary":"Detects automatic email forwarding to external domains in Google Workspace, which may indicate data leakage or misuse by malicious insiders or compromised accounts.","title":"Detection of Out-of-Domain Email Forwarding in Google Workspace","url":"https://feed.craftedsignal.io/briefs/2024-01-gworkspace-email-forwarding/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7337"}],"_cs_exploited":false,"_cs_products":["Chrome","Edge (Chromium-based)"],"_cs_severities":["high"],"_cs_tags":["type confusion","v8 engine","chromium","cve-2026-7337"],"_cs_type":"advisory","_cs_vendors":["Google","Microsoft"],"content_html":"\u003cp\u003eCVE-2026-7337 is a type confusion vulnerability residing within the V8 JavaScript engine, the core component of Chromium-based browsers. This vulnerability impacts Google Chrome and Microsoft Edge (Chromium-based), as Edge incorporates the Chromium project. The vulnerability stems from improper handling of object types within the V8 engine during JavaScript execution, potentially leading to exploitable conditions. Successful exploitation could allow an attacker to execute arbitrary code within the context of the browser. Public details are available via the Google Chrome Releases blog and the Microsoft Security Response Center (MSRC). Defenders should prioritize patching to the latest available versions of Chrome and Edge.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious web page containing JavaScript code designed to trigger the type confusion vulnerability in the V8 engine.\u003c/li\u003e\n\u003cli\u003eThe victim visits the malicious web page using a vulnerable version of Google Chrome or Microsoft Edge.\u003c/li\u003e\n\u003cli\u003eThe browser\u0026rsquo;s V8 engine attempts to execute the attacker-controlled JavaScript code.\u003c/li\u003e\n\u003cli\u003eDue to the type confusion vulnerability, the V8 engine misinterprets the type of a JavaScript object.\u003c/li\u003e\n\u003cli\u003eThis misinterpretation leads to memory corruption within the browser process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the memory corruption to overwrite critical data structures within the browser\u0026rsquo;s memory space.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the browser process\u0026rsquo;s execution flow.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the victim\u0026rsquo;s machine within the security context of the browser process, potentially leading to information disclosure, data theft, or further system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7337 allows an attacker to execute arbitrary code within the context of the user\u0026rsquo;s browser. This could lead to sensitive information being stolen, such as cookies, browsing history, and stored credentials. Attackers could also potentially use this vulnerability to install malware or gain further access to the victim\u0026rsquo;s system. Given the widespread use of Chromium-based browsers, this vulnerability poses a significant threat to a large number of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security updates for Google Chrome to address CVE-2026-7337. Refer to the Google Chrome Releases blog for details.\u003c/li\u003e\n\u003cli\u003eApply the latest security updates for Microsoft Edge (Chromium-based) to address CVE-2026-7337 as described in the MSRC advisory.\u003c/li\u003e\n\u003cli\u003eImplement a web proxy with content filtering to block access to known malicious websites that may attempt to exploit this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-cve-2026-7337-v8-type-confusion/","summary":"CVE-2026-7337 is a type confusion vulnerability in the V8 JavaScript engine that affects Google Chrome and Microsoft Edge (Chromium-based).","title":"CVE-2026-7337 Type Confusion Vulnerability in Chromium V8 Engine","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-7337-v8-type-confusion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["OneDrive","Visual Studio","Office","Firefox","Windows","HP Support Assistant"],"_cs_severities":["low"],"_cs_tags":["persistence","scheduled-task","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Hewlett-Packard","Mozilla","Google"],"content_html":"\u003cp\u003eAdversaries frequently leverage scheduled tasks in Windows to maintain persistence, elevate privileges, or facilitate lateral movement within a compromised network. This technique involves creating or modifying scheduled tasks to execute malicious code at specific times or intervals. The detection rule focuses on identifying the creation of new scheduled tasks logged in Windows event logs, filtering out tasks created by system accounts and those associated with legitimate software to minimize false positives. This detection is crucial because successful exploitation allows attackers to execute arbitrary commands or programs on a recurring basis, maintaining a foothold even after system reboots or user logoffs. Defenders need to monitor for anomalous task creation events to identify potential malicious activity. The rule references Microsoft Event ID 4698 as a key data source for detecting scheduled task creation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to the system through phishing, exploiting a vulnerability, or using compromised credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (if needed):\u003c/strong\u003e The attacker escalates privileges using exploits or by abusing misconfigurations to gain the necessary permissions to create scheduled tasks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTask Creation:\u003c/strong\u003e The attacker creates a new scheduled task using tools like \u003ccode\u003eschtasks.exe\u003c/code\u003e or PowerShell.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConfiguration:\u003c/strong\u003e The attacker configures the task to execute a malicious script or program at a specific time or event trigger.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The scheduled task is configured to run at regular intervals or upon system startup, ensuring persistent access to the compromised system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e When the scheduled task triggers, the malicious payload executes, performing actions such as installing malware, stealing data, or establishing a command and control connection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (optional):\u003c/strong\u003e The attacker uses the compromised system and scheduled task to move laterally to other systems on the network, repeating the task creation process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via scheduled task creation can lead to persistent access within the compromised environment. The attacker can maintain a foothold even after system restarts, enabling them to perform data exfiltration, deploy ransomware, or cause other disruptive activities. While the risk score is relatively low, the potential for persistence makes this a critical area to monitor, especially in environments where lateral movement is a significant concern. The number of affected systems depends on the scope of the initial compromise and the attacker\u0026rsquo;s ability to move laterally.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Other Object Access Events\u0026rdquo; to generate the necessary Windows Security Event Logs for detecting scheduled task creation (reference: setup instructions in the original rule).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious scheduled task creation events, and tune the rules by adding exclusions for known benign tasks in your environment.\u003c/li\u003e\n\u003cli\u003eReview the investigation steps outlined in the rule\u0026rsquo;s notes to triage alerts related to scheduled task creation, focusing on unfamiliar task names, unusual user accounts, and suspicious scheduled actions.\u003c/li\u003e\n\u003cli\u003eUse the \u003ccode\u003ereferences\u003c/code\u003e URL to understand the specific details of Windows Event ID 4698, which is generated when a scheduled task is created.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-scheduled-task-creation/","summary":"Adversaries may create scheduled tasks on Windows systems to establish persistence, move laterally, or escalate privileges, and this detection identifies such activity by monitoring Windows event logs for scheduled task creation events, excluding known benign tasks and those created by system accounts.","title":"Windows Scheduled Task Creation for Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-02-scheduled-task-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Slack","WebEx","Teams","Discord","WhatsApp","Zoom","Outlook","Thunderbird","Grammarly","Dropbox","Tableau","Google Drive","MSOffice","Okta","OneDrive","Chrome","Firefox","Edge","Brave","GoogleCloud Related Tools","Github Related Tools","Notion"],"_cs_severities":["medium"],"_cs_tags":["masquerading","defense-evasion","initial-access","malware","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Slack","Cisco","Microsoft","Discord","Zoom","Mozilla","Grammarly","Dropbox","Tableau","Google","Okta","Brave","GitHub","Notion"],"content_html":"\u003cp\u003eAttackers often attempt to trick users into downloading and executing malicious executables by disguising them as legitimate business applications. This tactic is used to bypass security measures and gain initial access to a system. These malicious executables, often distributed via malicious ads, forum posts, and tutorials, mimic the names of commonly used applications such as Slack, WebEx, Teams, Discord, and Zoom. The executables are typically unsigned or signed with invalid certificates to further evade detection. This allows the attacker to execute arbitrary code on the victim\u0026rsquo;s machine, potentially leading to further compromise. This campaign aims to target end-users who are less security-aware, and this makes social engineering attacks like this very effective.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user visits a compromised website or clicks on a malicious advertisement.\u003c/li\u003e\n\u003cli\u003eThe user is prompted to download an installer file masquerading as a legitimate business application (e.g., Slack, Zoom, Teams) from a download directory.\u003c/li\u003e\n\u003cli\u003eThe downloaded executable is placed in the user\u0026rsquo;s Downloads folder (e.g., C:\\Users*\\Downloads*).\u003c/li\u003e\n\u003cli\u003eThe user executes the downloaded file.\u003c/li\u003e\n\u003cli\u003eThe executable, lacking a valid code signature, begins execution.\u003c/li\u003e\n\u003cli\u003eThe malicious installer may drop and execute additional malware components.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence, potentially using techniques such as registry key modification.\u003c/li\u003e\n\u003cli\u003eThe malware performs malicious activities, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of a masqueraded business application installer can lead to a complete system compromise. The attacker gains initial access and can deploy various malware payloads, including ransomware, keyloggers, and data stealers. This can result in data breaches, financial loss, and reputational damage. Although the specific number of victims and sectors targeted are not detailed, the widespread use of the applications being spoofed (Slack, Zoom, etc.) suggests a broad potential impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003ePotential Masquerading as Business App Installer\u003c/code\u003e to detect unsigned executables resembling legitimate business applications in download directories.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging to capture the execution of unsigned executables.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks of downloading and executing files from untrusted sources.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to restrict the execution of unauthorized applications.\u003c/li\u003e\n\u003cli\u003eRegularly update endpoint detection and response (EDR) tools to detect and prevent the execution of known malware.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for processes originating from the Downloads folder that lack valid code signatures.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-masquerading-business-apps/","summary":"Attackers masquerade malicious executables as legitimate business application installers to trick users into downloading and executing malware, leveraging defense evasion and initial access techniques.","title":"Masquerading Business Application Installers","url":"https://feed.craftedsignal.io/briefs/2024-01-masquerading-business-apps/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Security Event Logs","HPDeviceCheck","HP Support Assistant","HP Web Products Detection","Microsoft Visual Studio","OneDrive","Firefox","Office","Windows GroupPolicy"],"_cs_severities":["medium"],"_cs_tags":["persistence","scheduled_task","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Hewlett-Packard","Microsoft","Google","Mozilla"],"content_html":"\u003cp\u003eAdversaries frequently abuse Windows scheduled tasks to establish persistence, move laterally within a network, and escalate privileges. This technique involves creating or modifying scheduled tasks to execute malicious code at specific times or in response to certain events. This detection rule identifies suspicious task creation by filtering out benign tasks and those initiated by system accounts, focusing on potential threats. The rule relies on Windows Security Event Logs, offering a valuable method for identifying unauthorized task creation indicative of malicious activity. The detection logic specifically excludes common tasks associated with software updates from vendors like Hewlett-Packard, Microsoft, Google, and Mozilla, as well as tasks run by system accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses their initial access to execute commands, potentially leveraging PowerShell or cmd.exe.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eschtasks\u003c/code\u003e command-line utility or the COM interface to create a new scheduled task.\u003c/li\u003e\n\u003cli\u003eThe scheduled task is configured to execute a malicious payload, such as a reverse shell or a data exfiltration script.\u003c/li\u003e\n\u003cli\u003eThe task is set to trigger based on a specific schedule, such as at system startup, at a specific time, or upon a specific event.\u003c/li\u003e\n\u003cli\u003eWhen the trigger occurs, the scheduled task executes the malicious payload.\u003c/li\u003e\n\u003cli\u003eThe malicious payload establishes persistence, allowing the attacker to maintain access to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use the persistent access to move laterally to other systems or to exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows adversaries to maintain persistent access to compromised systems, potentially leading to data theft, system disruption, or further lateral movement within the network. By creating malicious scheduled tasks, attackers can ensure their code is executed even after a system reboot or user logoff. This can result in long-term compromise and significant damage to affected organizations. While the number of victims and specific sectors targeted are not detailed, the potential impact is broad due to the widespread use of Windows systems in enterprise environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Windows Security Event Logging and ensure that event ID 4698 (A scheduled task was created) is collected.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Scheduled Task Creation via Winlog\u0026rdquo; to your SIEM to detect potentially malicious scheduled task creation events.\u003c/li\u003e\n\u003cli\u003eRegularly review and update the exclusion list in the Sigma rule to account for new benign scheduled tasks in your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the task\u0026rsquo;s name, path, actions, and triggers to determine if they are suspicious.\u003c/li\u003e\n\u003cli\u003eMonitor for related suspicious activity, such as unusual process executions or network connections originating from the compromised system.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-scheduled-task-creation/","summary":"This rule detects the creation of scheduled tasks in Windows using event logs, which adversaries may use for persistence, lateral movement, or privilege escalation by creating malicious tasks.","title":"Detecting Suspicious Scheduled Task Creation in Windows","url":"https://feed.craftedsignal.io/briefs/2024-01-scheduled-task-creation/"}],"language":"en","title":"CraftedSignal Threat Feed — Google","version":"https://jsonfeed.org/version/1.1"}