{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/lenovo/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["powershell","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Lenovo","PDQ.com Corporation","Dell Technologies Inc.","Chocolatey Software, Inc","Docker Inc"],"content_html":"\u003cp\u003eAttackers can leverage the PowerShell engine without directly executing \u003ccode\u003epowershell.exe\u003c/code\u003e. This technique, often referred to as \u0026ldquo;PowerShell without PowerShell,\u0026rdquo; involves using the underlying System.Management.Automation namespace. This approach allows attackers to bypass application allowlisting and PowerShell security features, operating more stealthily within a compromised environment. This technique makes detection more challenging, as standard PowerShell execution logs might not capture the activity. The activity is detected by monitoring which processes load the System.Management.Automation.dll or System.Management.Automation.ni.dll libraries. This activity can legitimately happen where vendors have their own PowerShell implementations that are shipped with some products.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means, such as exploiting a vulnerability or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys a custom tool or script on the target system. This tool is designed to interact with the System.Management.Automation namespace directly.\u003c/li\u003e\n\u003cli\u003eThe custom tool loads the \u003ccode\u003eSystem.Management.Automation.dll\u003c/code\u003e or \u003ccode\u003eSystem.Management.Automation.ni.dll\u003c/code\u003e library into its process space.\u003c/li\u003e\n\u003cli\u003eThe tool uses the loaded PowerShell engine to execute malicious commands or scripts without invoking \u003ccode\u003epowershell.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance activities, such as gathering system information or network configurations, using PowerShell commands.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally within the network, leveraging the PowerShell engine to execute commands on other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker installs malware or backdoors using the PowerShell engine to maintain persistence within the compromised environment.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or causes damage to the system, completing the objectives of the attack.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging \u0026ldquo;PowerShell without PowerShell\u0026rdquo; can lead to significant compromise of Windows systems. Attackers can bypass traditional security measures, potentially leading to data theft, system disruption, or the installation of persistent malware. The technique\u0026rsquo;s stealthy nature can prolong the time to detection, increasing the potential for widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious PowerShell Engine ImageLoad\u003c/code\u003e to your SIEM to detect when the \u003ccode\u003eSystem.Management.Automation.dll\u003c/code\u003e or \u003ccode\u003eSystem.Management.Automation.ni.dll\u003c/code\u003e libraries are loaded by unexpected processes.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the process execution chain (parent process tree) for unknown processes.\u003c/li\u003e\n\u003cli\u003eImplement endpoint detection and response (EDR) solutions like Elastic Defend to provide visibility into process behavior and library loading events, activating the \u003ccode\u003eprocess_creation\u003c/code\u003e and \u003ccode\u003eimage_load\u003c/code\u003e log sources.\u003c/li\u003e\n\u003cli\u003eReview and tune exclusions to the Sigma rule based on legitimate vendor applications to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-suspicious-powershell-imageload/","summary":"This rule identifies instances where the PowerShell engine is loaded by processes other than powershell.exe, potentially indicating attackers attempting to use PowerShell functionality stealthily by using the underlying System.Management.Automation namespace and bypassing PowerShell security features.","title":"Suspicious PowerShell Engine ImageLoad","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-powershell-imageload/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Edge","Cisco Spark","Admin By Request","Cloud Signature Update Agent","Vantage","Adobe Reader and Acrobat Manager"],"_cs_severities":["low"],"_cs_tags":["persistence","registry","runkey"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cisco","FastTrack Software","Exclaimer Ltd","Lenovo","Adobe"],"content_html":"\u003cp\u003eAttackers often modify registry run keys to achieve persistence on a system. By adding entries to these keys, they ensure that a malicious program executes automatically whenever a user logs in. This technique allows the attacker to maintain access to the compromised system even after reboots or other interruptions. The programs added to these run keys execute under the context of the user account, inheriting its permissions. This activity is often difficult to distinguish from legitimate software installations or updates, requiring careful analysis to identify malicious intent. Elastic has observed this activity and created a detection rule to identify this behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies registry run key locations for persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies a registry run key (e.g., \u003ccode\u003eHKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u003c/code\u003e) using tools such as \u003ccode\u003ereg.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker adds a malicious executable path to the registry key.\u003c/li\u003e\n\u003cli\u003eThe system is restarted, or a user logs in.\u003c/li\u003e\n\u003cli\u003eThe malicious executable is launched automatically as part of the logon process.\u003c/li\u003e\n\u003cli\u003eThe malicious executable establishes a connection to a command-and-control server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to compromised systems, enabling them to perform unauthorized activities such as data theft, lateral movement, and deployment of ransomware. While each instance may not cause immediate critical damage, the cumulative effect of multiple persistent infections across an environment can lead to significant data breaches and operational disruption. The Elastic rule attempts to minimize false positives with built-in filters for common legitimate applications and processes like \u003ccode\u003ectfmon.exe\u003c/code\u003e, but tuning is required.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect suspicious modifications to registry run keys and tune it to filter out legitimate application updates.\u003c/li\u003e\n\u003cli\u003eEnable registry event logging to capture modifications made to the registry, ensuring that the Sigma rule can function correctly.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, examining the parent process of the process modifying the registry for suspicious activity.\u003c/li\u003e\n\u003cli\u003eBlock known malicious executables and domains identified during triage to prevent further infection.\u003c/li\u003e\n\u003cli\u003eUse endpoint detection and response (EDR) solutions like Elastic Defend to gain enhanced visibility into endpoint activity and detect malicious behavior associated with persistence mechanisms.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-run-key-registry-modification/","summary":"Attackers modify registry run keys or startup keys to achieve persistence by referencing a program that executes when a user logs in or the system boots.","title":"Startup or Run Key Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-run-key-registry-modification/"}],"language":"en","title":"CraftedSignal Threat Feed — Lenovo","version":"https://jsonfeed.org/version/1.1"}