{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/intel/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Adobe Acrobat Update Task","Sure Click","Secure Access Client","CtxsDPS.exe","Openvpn-gui.exe","Veeam Endpoint Backup","Cisco Secure Client","Concentr.exe","Receiver","AnalyticsSrv.exe","Redirector.exe","Download Navigator","Jabra Direct","Vmware Workstation","Eset Security","iTunes","Keepassxc.exe","Globalprotect","Pdf24.exe","Vmware Tools","Teams"],"_cs_severities":["medium"],"_cs_tags":["persistence","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Adobe","HP","Intel","Acronis","Java","Citrix","OpenVPN","Veeam","Cisco","Epson","Jabra","VMware","ESET","iTunes","KeePassXC","Palo Alto Networks","PDF24"],"content_html":"\u003cp\u003eThe Windows Installer (msiexec.exe) is a legitimate system tool used for installing, updating, and removing software on Windows systems. Adversaries can abuse msiexec.exe to establish persistence mechanisms by creating malicious scheduled tasks or modifying registry run keys. This allows them to execute arbitrary code during system startup or user logon. This technique is attractive to attackers due to msiexec.exe being a trusted Windows binary, potentially evading detection by security solutions that focus on flagging unknown or suspicious processes. The use of msiexec.exe for persistence can be difficult to detect without specific monitoring rules, as it is a common and legitimate system process. This activity can be observed across various Windows versions and is frequently integrated into automated attack frameworks and scripts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised system, potentially through phishing, exploitation of a vulnerability, or stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages msiexec.exe to create a new scheduled task using the \u003ccode\u003eschtasks.exe\u003c/code\u003e command, setting it to execute a malicious script or binary.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses msiexec.exe in conjunction with \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify registry keys under \u003ccode\u003eHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u003c/code\u003e or \u003ccode\u003eHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u003c/code\u003e, adding a pointer to their malicious executable.\u003c/li\u003e\n\u003cli\u003eThe created scheduled task or registry entry points to a malicious payload, such as a reverse shell or a downloader.\u003c/li\u003e\n\u003cli\u003eThe system is restarted, or the user logs on, triggering the execution of the newly created scheduled task or the malicious binary through the modified registry run key.\u003c/li\u003e\n\u003cli\u003eThe malicious payload executes, establishing a persistent foothold for the attacker on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform further actions, such as data exfiltration, lateral movement, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the adversary to maintain persistent access to the compromised system. This can lead to data theft, system compromise, deployment of ransomware, or use of the system as a staging point for further attacks within the network. A single compromised system can be used to pivot and compromise additional systems, leading to a widespread security breach. The impact can include financial losses, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for msiexec.exe spawning \u003ccode\u003eschtasks.exe\u003c/code\u003e or \u003ccode\u003ereg.exe\u003c/code\u003e to create scheduled tasks or modify registry run keys (reference: rules in this brief).\u003c/li\u003e\n\u003cli\u003eImplement and tune the Sigma rules provided in this brief to detect suspicious msiexec.exe activity related to persistence mechanisms.\u003c/li\u003e\n\u003cli\u003eReview and audit existing scheduled tasks and registry run keys for any suspicious entries or anomalies.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring (FIM) on critical system directories, including the Windows Task Scheduler directory and registry run key locations (reference: event.category == \u0026ldquo;file\u0026rdquo; and file.path \u0026hellip; and event.category == \u0026ldquo;registry\u0026rdquo; and registry.path \u0026hellip; in the rule query).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or unknown executables (reference: rule query).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-09-05T14:17:05Z","date_published":"2024-09-05T14:17:05Z","id":"/briefs/2024-09-msiexec-persistence/","summary":"Adversaries may establish persistence by abusing the Windows Installer (msiexec.exe) to create scheduled tasks or modify registry run keys, allowing for malicious code execution upon system startup or user logon.","title":"Persistence via Windows Installer (Msiexec)","url":"https://feed.craftedsignal.io/briefs/2024-09-msiexec-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","masquerading"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Intel","IBM"],"content_html":"\u003cp\u003eThis detection identifies process execution from suspicious default Windows directories. Attackers may hide malware in trusted paths to evade defenses, making it difficult for analysts to distinguish between legitimate and malicious activity. The detection focuses on identifying processes running from directories like C:\\PerfLogs, C:\\Users\\Public, and various Windows subdirectories (e.g., C:\\Windows\\Tasks, C:\\Windows\\AppReadiness), where executable files are not typically expected to reside. The detection excludes known legitimate processes like SpeechUXWiz.exe, SystemSettings.exe, TrustedInstaller.exe and other Intel and IBM executables to reduce false positives. This technique is often used to bypass security controls or take advantage of existing exceptions applied to these directories. This activity was observed being used by threat actors in the Siestagraph campaign.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious executable into a suspicious directory like C:\\Users\\Public or C:\\Windows\\Tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malware from the unusual directory. This might be achieved using \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe executed malware establishes persistence by creating a scheduled task or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eThe malware connects to a command-and-control (C2) server to receive further instructions.\u003c/li\u003e\n\u003cli\u003eThe C2 server instructs the malware to perform reconnaissance on the network.\u003c/li\u003e\n\u003cli\u003eThe malware attempts to move laterally to other systems on the network using techniques like pass-the-hash or exploiting vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration, ransomware deployment, or establishing long-term access to the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary code, persistence on the system, and further compromise of the network. Attackers can use this technique to bypass security controls and evade detection, potentially leading to data breaches, financial loss, or disruption of services. While the rule itself has a medium severity, the impact of a successful attack using this technique can be severe, depending on the attacker\u0026rsquo;s objectives and the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Process Execution from Unusual Directory\u0026rdquo; to your SIEM and tune for your environment to detect suspicious process execution.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine if the process execution is legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging, specifically Event ID 4688 with command line process auditing, to ensure the Sigma rule has the necessary data to function effectively.\u003c/li\u003e\n\u003cli\u003eReview and harden permissions on the listed suspicious directories to prevent unauthorized file creation and execution.\u003c/li\u003e\n\u003cli\u003eBlock execution of unsigned or untrusted executables from these directories using application control solutions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"/briefs/2024-01-process-execution-from-unusual-directory/","summary":"Adversaries may execute processes from unusual default Windows directories to masquerade malware and evade defenses by blending in with trusted paths, making malicious activity harder to detect.","title":"Process Execution from Suspicious Windows Directories","url":"https://feed.craftedsignal.io/briefs/2024-01-process-execution-from-unusual-directory/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["credential-access","lsass","dll-injection","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","McAfee","SecMaker AB","HID Global","Apple","Citrix Systems","Dell","Hewlett-Packard Company","Symantec Corporation","National Instruments Corporation","DigitalPersona","Novell","Gemalto","EasyAntiCheat Oy","Entrust Datacard Corporation","AuriStor","LogMeIn","VMware","Nubeva Technologies Ltd","Micro Focus","Yubico AB","Secure Endpoints","Sophos","Morphisec Information Security","Entrust","F5 Networks","Bit4id","Thales DIS CPL USA","Micro Focus International plc","HYPR Corp","Intel","PGP Corporation","Parallels International GmbH","FrontRange Solutions Deutschland GmbH","SecureLink","Tidexa OU","Amazon Web Services","SentryBay Limited","Audinate Pty Ltd","CyberArk Software","NVIDIA","Trend Micro","Fortinet","Carbon Black"],"content_html":"\u003cp\u003eThe Local Security Authority Subsystem Service (LSASS) is a critical Windows component that manages security policies and user authentication. Attackers often target LSASS to dump credentials, using techniques like injecting malicious DLLs. This detection focuses on identifying instances where LSASS loads a DLL that is either unsigned or not signed by a trusted vendor. The rule excludes known legitimate signatures and file hashes to reduce false positives. This activity is a strong indicator of credential access attempts, potentially leading to further compromise of the system and network. The signatures identified in the rule contain well-known software vendors like Microsoft, McAfee and Citrix.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means (e.g., phishing, exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain sufficient access to interact with the LSASS process.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious DLL onto the system, often disguised as a legitimate file.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious DLL into the LSASS process using techniques like Reflective DLL Injection.\u003c/li\u003e\n\u003cli\u003eLSASS loads the injected DLL, granting the attacker access to sensitive credentials stored in memory.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL dumps credentials, such as plaintext passwords or NTLM hashes.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials for lateral movement to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to credential compromise, allowing attackers to move laterally within the network, access sensitive data, and potentially achieve complete domain dominance. This can result in data breaches, financial losses, and reputational damage. The impact depends on the level of access associated with the compromised credentials.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eLSASS Loading Untrusted DLL\u003c/code\u003e Sigma rule to your SIEM to detect suspicious DLLs loaded by LSASS.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule and review the loaded DLL\u0026rsquo;s code signature and hash.\u003c/li\u003e\n\u003cli\u003eBlock the identified SHA256 hashes listed in the IOC table to prevent the execution of known malicious DLLs.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to restrict which DLLs can be loaded into LSASS.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation and image load logging to provide the necessary data for detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-lsass-suspicious-dll/","summary":"Detection of LSASS loading an unsigned or untrusted DLL, which can indicate credential access attempts by malicious actors targeting sensitive information stored in the LSASS process.","title":"LSASS Loading Suspicious DLL","url":"https://feed.craftedsignal.io/briefs/2024-01-lsass-suspicious-dll/"}],"language":"en","title":"CraftedSignal Threat Feed — Intel","version":"https://jsonfeed.org/version/1.1"}